Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f232f800ab80b4a7…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 1999-09-08 09:42:00
Authoring application: Microsoft Word 8.0
First seen: 2014-03-15
MD5: b64feec3b0d99d9ba9454195a5ba2878
SHA-1: dc03c510ec4893b32c47d56867cd7c85ccb45900
SHA-256: f232f800ab80b4a709780a8fe763d194cfe59ea5e9665a10bce82cace1ff27e6
Risk Score: 76

Heuristics 4

  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script: Case "AutoOpen"
  • Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
    Matched line in script: Attribute VB_Name = "autoClose"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3467 bytes
SHA-256: fda417508a923f2c312c101bd98530be8808e888a9819ccac9aff423205a9754
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoClose"

Public Sub MAIN()
Dim bPromptToSave
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
Dim active
Dim count_
Dim InfectedMacrosFound
Dim pos
Rem (c) Copyright 1995, Command Software Systems, Inc.
Rem This macro checks for the presence of the Word Basic macro virus
Rem named Winword.concept in documents that are being closed.

Rem Change the variable below to 1 to prompt the user to save
Rem changes after deleting the infection of a document template.
bPromptToSave = 1

On Error GoTo -1: On Error GoTo ErrorMsg

WordBasic.FileSummaryInfo Update:=1
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
  WordBasic.CurValues.FileSummaryInfo dlg

  fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoClose"
  globMacro$ = "Global:autoClose"
  MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

  If MacroFile$ = "NORMAL.DOT" Then
    WordBasic.MacroCopy globMacro$, fileMacro$
    WordBasic.FileSaveAs Format:=1
  Else
    WordBasic.MacroCopy fileMacro$, globMacro$
  End If

Rem Search for macro virus names in the active document.
active = WordBasic.CountMacros(1)
If active Then
    For count_ = 1 To active
        Select Case WordBasic.[MacroName$](count_, 1)
            Case "A" + "A" + "A" + "Z" + "A" + "O"
                InfectedMacrosFound = -1
        
            Case "A" + "A" + "A" + "Z" + "F" + "S"
                InfectedMacrosFound = -1

            Case Else
        End Select
    Next count_
End If

If InfectedMacrosFound Then
    pos = 1
    For count_ = 1 To active
        Select Case WordBasic.[MacroName$](pos, 1, 1)
            Case "A" + "A" + "A" + "Z" + "A" + "O"
                WordBasic.ToolsMacro Name:="A" + "A" + "A" + "Z" + "A" + "O", Delete:=1
                pos = pos - 1
        
            Case "A" + "A" + "A" + "Z" + "F" + "S"
                WordBasic.ToolsMacro Name:="A" + "A" + "A" + "Z" + "F" + "S", Delete:=1
                pos = pos - 1

            Case "AutoOpen"
                WordBasic.ToolsMacro Name:="AutoOpen", Delete:=1
                pos = pos - 1

            Case "FileSaveAs"
                WordBasic.ToolsMacro Name:="FileSaveAs", Delete:=1
                pos = pos - 1

            Case "PayLoad"
                WordBasic.ToolsMacro Name:="PayLoad", Delete:=1
                pos = pos - 1

            Case Else
        End Select
        pos = pos + 1
    Next count_

If bPromptToSave = 0 Then
    WordBasic.FileSaveAll 1, 1
    WordBasic.MsgBox "Your document contained the Winword.concept macro virus. The infection has been removed and the changes have been saved.", "Virus Checking Macro", 48
Else
    WordBasic.MsgBox "Your document contained the Winword.concept macro virus. The infection has been removed, but you will need to save these changes.", "Virus Checking Macro", 48
End If

End If

GoTo Quit

ErrorMsg:
WordBasic.MsgBox "An error occurred while attempting to remove a macro virus infection from your document. Please contact your system administrator.", "Virus Checking Macro", 16
    
Quit:
End Sub