Verdict: MALICIOUS
Risk Score: 130

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is an older Office document (Word 8.0) that contains legacy WordBasic and VBA macros. The presence of AutoOpen and AutoClose macros, along with Environ() calls, suggests malicious intent. The macros appear to be designed to display informational messages to the user, likely as a pretext for a social engineering attack, rather than executing a direct payload.
Heuristics (6)

- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.microsoft.com/isapi/redir.dll (in document text, OLE body)
  - http://www.microsoft.com/isapi/redir.dll?PRD=Word&SBP=ia&PVER=8.0&AR=templates (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 524913 bytes | 4d6c551d165cfafc24072d6231980e052d77f06a65de85c3be256e8232b898cf |

Preview script: first 1,000 lines of the extracted script (listing truncated below)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UC01"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Const SZ_MACRONAME = "¨Ã¦C¤å¦r"
Sub Insert()
With Selection
If Len(.Text) = 1 And .Text = (Chr$(13)) Then
MsgBox "½Ð¥ý¿ï¨ún¨Ã¦Cªº¤å¦r¡A¦A¿ï¨ú¥»¥\¯à¿ï¶µ¡C", _
Title:=SZ_MACRONAME
GoTo LExit:
End If
If ((.Start = .End) And (.Text = Chr$(21))) Then
.MoveRight , 1, 1
End If
If (Right$(.Text, 1) = Chr$(13)) Then
.End = .End - 1
End If
If (FIsRubyField(.Range) = False) Then
If (.Range.Fields.Count > 0) Or (InStr(1, .Text, Chr$(13)) <> 0) _
Or (InStr(1, .Text, vbTab) <> 0) Or (InStr(1, .Text, ",") <> 0) _
Or (InStr(1, .Text, "(") <> 0) Or (InStr(1, .Text, vbTab) <> 0) Then
MsgBox "µLªk¬°§t¦³©w¦ìÂI¡B¥\¯àÅܼƩM¬q¸¨²Å¸¹ªº¦r¦ê¥[¤J¨Ã¦Cªºµù¸Ñ", Title:=SZ_MACRONAME
GoTo LExit:
End If
End If
If (Selection.Start = Selection.End) Then
MsgBox "½Ð¿ï¨ún¥[¤Jµù¸Ñªº¦r¦ê", Title:=SZ_MACRONAME
GoTo LExit:
End If
End With
InitDialog
dlgRuby.Show
LExit:
End Sub
Sub Create(szRuby As String, szFont As String, iSize As Integer, iDist As Integer, szAlign As String)
Dim rgn As Range
Dim n As Integer
Dim iCurSize As Integer
Dim szCurFont As String
Dim fnt As Font
Application.ScreenUpdating = False
System.Cursor = wdCursorWait
On Error GoTo LError
With Selection
Set rgn = .Range
Set fnt = GetCurFont(rgn)
If (FIsRubyField(rgn) = True) Then
Delete
End If
iCurSize = fnt.Size
szCurFont = fnt.Name
n = Len(.Text)
' Insert Field
.Fields.Add .Range, , , False
.TypeText "eq \o"
' Ruby string align
Select Case (szAlign)
Case "¾a¥ª"
.TypeText "\al"
Case "µ¥¶¡¶Z®i¶}"
.TypeText "\ad"
Case Else
End Select
.TypeText "(\s\up" + Str$(Int(iDist + .Font.Size - 1)) + "("
.InsertBefore szRuby
.Font.Size = iSize
.Font.Name = szFont
.Font.DisableCharacterSpaceGrid = False
.MoveRight
.InsertAfter "),"
.Font.Size = iCurSize
.Font.Name = szCurName
.MoveRight , n + 2
.TypeText ")"
' Kludge, To remove space char at end of field....
.MoveLeft , 2
.Delete unit:=wdCharacter, Count:=1
.Fields.ToggleShowCodes
.MoveRight , 1, 1
End With
LExit:
Application.ScreenUpdating = True
System.Cursor = wdCursorNormal
Exit Sub
LError:
MsgBox Err.Description, Title:=SZ_MACRONAME
End Sub
Sub Delete()
Dim rgn As Range
Dim rgnFld As Range
Dim rgnNew As Range
Dim szCode As String
Dim FUpdate As Boolean
On Error GoTo LError
If (Application.ScreenUpdating = True) Then
FUpdate = True
Application.ScreenUpdating = False
System.Cursor = wdCursorWait
Else
FUpdate = False
End If
With Selection
Set rgn = .Range
If (.Fields.Count < 1) Then GoTo LExit:
For i = 1 To .Fields.Count
szCode = rgn.Fields(i).Code
Set rgnFld = rgn.Fields(i).Code
If (FIsRubyField(rgn) = False) Then
GoTo LExit:
End If
iTop = InStr(1, szCode, ",") + rgnFld.St
... (truncated)