Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a90206b04c5141e…

MALICIOUS

Office (OLE)

4.67 MB Created: 2010-04-23 08:22:00 Authoring application: Microsoft Office Word First seen: 2026-05-10
MD5: 56d92bf377b59542702d15c5016d7c10 SHA-1: 2760980e1795ad5b1ae4e4ea6332ea0c4f6a68c8 SHA-256: 8a90206b04c5141edc46bd44185b78dac44a884ca10b088b3b30ab9010213fc6
80 Risk Score

Heuristics 2

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Application.OrganizerCopy _

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3340 bytes
SHA-256: f37da605a29d0981a53e056f915ddf623c5bf37cd6f3d89a96e8ae8eb4ac2268
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Project.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul_CD"
' Makros für Erstellung neuer Dokumentvorlagen mit ND48 auf der Grundlage der CI/CD-Basisdokumente
' 30.07.08

Sub AutoNew()
' Autostart-Makro kopiert alle Makros des Moudul_CD in das neue Dokument

    Application.OrganizerCopy _
        Destination:=ActiveDocument.FullName, _
        Source:=ActiveDocument.AttachedTemplate.FullName, _
        Name:="Modul_CD", _
        Object:=wdOrganizerObjectProjectItems
End Sub

Sub Titelgrafik_Loeschen()
'
' Makro aufgezeichnet am 30.07.2008 von Spengler.H
'
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Then
        ActiveWindow.ActivePane.View.Type = wdPrintView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub


Sub AlleFelderAktualisieren()
Dim rngDoc As Range
    Dim oDoc As Document
    Set oDoc = ActiveDocument
    For Each rngDoc In oDoc.StoryRanges
      rngDoc.Fields.Update
      While Not (rngDoc.NextStoryRange Is Nothing)
        Set rngDoc = rngDoc.NextStoryRange
        rngDoc.Fields.Update
     Wend
   Next rngDoc
End Sub

Sub TitelEinfuegen()
    
    With Dialogs(wdDialogInsertPicture)
      If .Display = -1 Then
        Dim mypicture
        Set mypicture = ActiveDocument.Shapes.AddPicture(FileName:=.Name)
        
        mypicture.LockAspectRatio = msoFalse
        mypicture.WrapFormat.Type = 3
        mypicture.RelativeHorizontalPosition = wdRelativeHorizontalPositionPage
        mypicture.RelativeVerticalPosition = wdRelativeVerticalPositionPage
        mypicture.Top = CentimetersToPoints(0)
        mypicture.Left = CentimetersToPoints(0)
        mypicture.Width = CentimetersToPoints(21)
        mypicture.Height = CentimetersToPoints(29.7)

        mypicture.Select
        Selection.Cut
        
      End If
    End With
    
    ' Kopf-Fusszeile
    
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Or ActiveWindow.ActivePane.View.Type _
         = wdMasterView Then
        ActiveWindow.ActivePane.View.Type = wdPageView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    
' vorhandenes Titelbild löschen
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    
' neues Titelbild einfügen
    Selection.Paste
    Selection.ShapeRange.ZOrder msoSendToBack
    Selection.ShapeRange.ZOrder msoSendBehindText
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
    
End Sub