Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 64426e0f7c5615f6…

MALICIOUS

Office (OLE) / .DOC

Size: 27.5 KB
Created: 2006-08-04 10:39:00
Authoring application: Microsoft Word 10.0
MD5: 3c310ca504df226aa748789d2a95394c
SHA-1: 7883f620ad202ac9cdcd87aa1e71784cc9f1be45
SHA-256: 64426e0f7c5615f66caf2c400dbef9024060a7882e029f00a3c1ebead9e4d564
Risk Score: 420

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.003 Windows Command Shell

The sample contains VBA macros that are automatically executed via the AutoOpen subroutine. These macros utilize WScript.Shell to write a persistence entry to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Lovestar, pointing to a batch file at c:\dbpay.bat. The script also attempts to save and execute a file named 'lovestar.doc' and then 'lovestar.sxw' using StarOffice, likely to further execute a payload.

Heuristics (9)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
  • WScript.Shell usage [critical, OLE_VBA_WSCRIPT]
  • ClamAV: Win.Worm.Godog-4 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Worm.Godog-4
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to Windows Script Host [high, SC_STR_WSCRIPT]
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible VBA source is unavailable.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 87b653681db78b28cbdadb7d2ce2c6d864f18aeb96136e2efeb426d1f31d13ac
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1635 bytes
Detection: ClamAV: Win.Worm.Godog-4
Obfuscation or payload: unlikely