Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b08c8a4bd7365c5…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 2001-02-23 07:38:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 600d2ac20b41c56b4b3337b28c00c19d
SHA-1: 7c625a4d696d74fa762347825c20e237ea5d6cb9
SHA-256: 4b08c8a4bd7365c5657141c16eefc55f1fec7b662869c860273314c5e983dfe3
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute a Shell() command, indicating malicious intent. The script attempts to copy and delete files using hardcoded paths, suggesting it may be part of a file manipulation or staging process for a larger attack. The presence of VBA macros and the Shell() call strongly suggest a malicious document, likely delivered via spearphishing.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-9 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Marker-9
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34554 bytes
SHA-256: 570821529591dfffc9b079bc1fabd66530c3a09dc4790a9d56a4abbdc1ad1d92
Detection
ClamAV: Doc.Trojan.Marker-9
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub CommandButton1_Click()
Dim a, b, Msg, Style, Title, Response, Msg1, Style1, Title1, Response1, Msg2, Style2, Title2, Response2

a = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\документы\platpor.xls"
b = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\кладовщик\вход\2platpor1.xls"


Msg = "Вы действительно хотите отправить файл?"  ' Message.
Style = vbYesNo + vbDefaultButton2  ' Buttons.
Title = "Сообщение"    ' Title.
Response = MsgBox(Msg, Style, Title)


If Response = vbYes Then ' The "Yes" button was pressed.

FileCopy a, b
Kill "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\вход\2scht-f1.xls"



If Time > #4:00:00 PM# And Time < #4:40:00 PM# Then


Msg1 = "Сейчас вы действуете по плану первого квартала"  ' Message.
Style1 = vbOKOnly
Title1 = "Сообщение"    ' Title.
Response1 = MsgBox(Msg1, Style1, Title1)
Else

If Time > #4:40:00 PM# And Time < #5:40:00 PM# Then


Msg2 = "Сейчас вы действуете по плану второго квартала"  ' Message.
Style2 = vbOKOnly
Title2 = "Сообщение"    ' Title.
Response2 = MsgBox(Msg2, Style2, Title2)


End If
End If
End If


End Sub

Private Sub CommandButton4_Click()
Dim i
Set fs = Application.FileSearch
With fs
    .LookIn = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\вход"

    .FileName = "*.*"
    If .Execute > 0 Then
        MsgBox "There were " & .FoundFiles.Count & _
            " file(s) found."
        For i = 1 To .FoundFiles.Count
            MsgBox .FoundFiles(i)
        Next i
    Else
        MsgBox "There were no files found."
    End If
End With

End Sub

Private Sub CommandButton11_Click()
Dim a, b, Msg, Style, Title, Response, Msg1, Style1, Title1, Response1, Msg2, Style2, Title2, Response2

a = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\документы\platpor.xls"
b = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\кладовщик\вход\2platpor2.xls"


Msg = "Вы действительно хотите отправить файл?"  ' Message.
Style = vbYesNo + vbDefaultButton2  ' Buttons.
Title = "Сообщение"    ' Title.
Response = MsgBox(Msg, Style, Title)


If Response = vbYes Then ' The "Yes" button was pressed.

FileCopy a, b
Kill "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\вход\2scht-f2.xls"



If Time > #4:00:00 PM# And Time < #4:40:00 PM# Then


Msg1 = "Сейчас вы действуете по плану первого квартала"  ' Message.
Style1 = vbOKOnly
Title1 = "Сообщение"    ' Title.
Response1 = MsgBox(Msg1, Style1, Title1)
Else

If Time > #4:40:00$PM# And Time < #5:40:00 PM# Then


Msg2 = "Сейчас вы действуете по плану второго квартала"  ' Message.
Style2 = vbOKOnly
Title2 = "Сообщение"    ' Title.
Response2 = MsgBox(Msg2, Style2, Title2)


End If
End If
End If



End Sub

Private Sub CommandButton12_Click()
Dim a, b, Msg, Style, Title, Response, Msg1, Style1, Title1, Response1, Msg2, Style2, Title2, Response2

a = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\документы\platpor.xls"
b = "g:\home\st6\course_2\group_3a\модель1\завод\склад2\кладовщик\вход\2platpor3.xls"



Msg = "Вы действительно хотите отправить файл?"  ' Message.
Style = vbYesNo + vbDefaultButton2  ' Buttons.
Title = "Сообщение"    ' Title.
Response = MsgBox(Msg, Style, Title)


If Response = vbYes Then ' The "Yes" button was pressed.

FileCopy a, b
Kill "g:\home\st6\course_2\group_3a\модель1\завод\склад2\бухгалтерия\вход\2scht-f3.xls"



If Time > #4:00:00 PM# And Time < #4:40:00 PM# Then


Msg1 = "Сейчас вы действуете по плану первого квартала"  ' Message.
Style1 = vbOKOnly
Title1 = "Сообщение"    ' Title.
Response1 = MsgBox(Msg1, Style1, Title1)
Else

If Time > #4:40:00 PM# And Time < #5:40:00 PM# Then


Msg2 = "Сей
... (truncated)