Verdict: MALICIOUS (Risk Score: 82)
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The file is an OLE document with a significant amount of slack space, a common characteristic of malicious documents. The document body contains text related to the constitution of the Kabardino-Balkarian Republic, which appears to be a lure to disguise malicious intent. No scripts were extracted, and no URLs were found, limiting further analysis of the payload.
Heuristics (3)

- Legacy WordBasic macro-virus markers (severity: high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): the OLE file is 74,794 bytes but its declared streams total only 40,870 bytes; the remaining 33,924 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Recovered VBA macro source from orphaned project info (OLE_ORPHANED_VBA_MACRO_SOURCE): oletools recovered no VBA project, but VBA source-cache records (module names, API calls, dropped paths and literal source lines) survive in unallocated OLE space, consistent with a stripped or corrupted VBA project, typical of legacy Word 97 macro viruses. The macro source was recovered and carved for review and signature scanning.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vba_orphaned_source.txt | vba-orphaned-source | analyzer.wordbasic.recover_length_prefixed_source (VBA source-cache records recovered from a stripped/orphaned project in unallocated OLE space) | 767 bytes | 1b329fb49e14ebc16156e5f944ebd7bbf47b5b9b24779b637f10d28b5d3d59e0 |
Script preview (first 1,000 lines of the extracted script):

```text
ThisDocument
Project
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VBA\VBA332.DLL
VBA
C:\Program Files\Microsoft Office\Office\MSWORD8.OLB
Word
C:\WINDOWS\SYSTEM\STDOLE2.TLB
stdole
C:\WINDOWS\SYSTEM\MSForms.TWD
MSForms
C:\WINDOWS\TEMP\VBE\MSForms.EXD
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSO97.DLL
Office
Document
RegOpenKeyExA
RegSetValueExA
RegCloseKey
AutoOpen
ViewVBCode
Name
c:\class.sys
VBA332.DLL
Class.Poppy
I Think
is a big stupid jerk!
codemodule
AddFromFile
deletelines
Sub AutoClose()
replaceline
Sub ToolsMacro()
For x = 1 To 4
Software\Microsoft\Windows\CurrentVersion
VicodinES /CB /TNN
RegisteredOwner
-(Dr. Diet Mountain Dew)-
RegisteredOrganization
'
hKey
lpSubKey
ulOptions
samDesired
phkResult
lpValueName
Reserved
dwType
lpValue
cbData
```