Word Document -- End User authorized Macros #52

Closed
slmsls opened this issue Nov 7, 2018 · 9 comments
@slmsls

slmsls commented Nov 7, 2018

Welcome!
Thank you for joining the VIRUSNET association support section.


BEFORE ASKING FOR HELP, READ THESE INSTRUCTIONS CAREFULLY:


Step 1: Are you in the right place?

  • Do you need assistance curing your PC of viruses?
  • Or would you like to report a bug or propose a feature for HiJackThis?

If yes, see the next step.

Step 2: Show us required logs (for PC cure):

  1. What did you do before the problem occurred: _________________
  2. What programs (browsers) are affected by the problem: ________________
  3. Steps to reproduce: _________________
@slmsls
Author

slmsls commented Nov 7, 2018

CollectionLog-2018.11.07-14.02.zip

I know the end user enabled the Macro. Analysing the Word document led to a generic VBA/Trojan Downloader. I'm not sure what was actually downloaded and run.

I'm running the traditional removal tools and scans, but as yet they have not found anything. I'm hoping someone can look at the collection log and provide feedback on what payload the Macro delivered.

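The comment above describes the first triage step a responder takes with a suspicious Word document: confirming that it carries a VBA project before worrying about what that project downloaded. The script below is an added illustration of that static check, not code from this thread or from the HiJackThis project. It reads only the OOXML zip container and `[Content_Types].xml` (the macro-enabled content type and the `word/vbaProject.bin` part name are taken from the Office Open XML format; `inspect_word_file`, `triage` and `build_sample` are names chosen here, and the in-memory sample documents are constructed for the demonstration, with a stub VBA part that contains nothing but the OLE header).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constants from the OOXML / Office file formats (not from the thread above).
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file (OLE) header


def inspect_word_file(data: bytes) -> dict:
    """Static triage of a Word file: does it carry a VBA project?

    Nothing in the document is executed; only the zip directory,
    the vbaProject.bin header and [Content_Types].xml are read.
    """
    info = {"is_ooxml": False, "has_vba_part": False, "vba_is_ole": False,
            "declares_macro_enabled": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info  # legacy binary .doc, or not an Office file at all
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return info
        info["is_ooxml"] = True
        info["parts"] = names
        if VBA_PART in names:
            info["has_vba_part"] = True
            # A real VBA project is an OLE compound file inside the zip.
            info["vba_is_ole"] = zf.read(VBA_PART).startswith(OLE_MAGIC)
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Override"):
            if el.get("ContentType") == MACRO_MAIN_CT:
                info["declares_macro_enabled"] = True
    return info


def triage(data: bytes) -> str:
    """One-line verdict suitable for a help-desk or IR ticket."""
    info = inspect_word_file(data)
    if not info["is_ooxml"]:
        return "NOT-OOXML: not a zip-based Office file (legacy .doc or something else)"
    if info["has_vba_part"] or info["declares_macro_enabled"]:
        return ("MACROS: VBA project present=%s, valid OLE=%s, declared macro-enabled=%s"
                % (info["has_vba_part"], info["vba_is_ole"], info["declares_macro_enabled"]))
    return "NO-VBA: no vbaProject.bin part and no macro-enabled content type"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package for testing (not a real document;
    the VBA part is a stub holding only the OLE header, so it cannot run)."""
    main_ct = MACRO_MAIN_CT if macro else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
        + '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
        + "</Types>"
    )
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                "<w:body><w:p><w:r><w:t>invoice</w:t></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        if macro:
            zf.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
    print(triage(b"\xd0\xcf\x11\xe0 legacy binary .doc header, constructed"))
```

The check is deliberately conservative: a document is flagged if either the `vbaProject.bin` part or the macro-enabled content type is present, so a package where the two disagree still ends up in the review queue. Legacy binary `.doc` files are a different container (OLE at the top level) and fall out as NOT-OOXML rather than being silently reported as clean.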
@dragokas
Owner

dragokas commented Nov 7, 2018

Hi,
thank you for the log.
We'll return to you as soon as possible.


Please note that only members of the VIRUSNET-Association are allowed to respond in PC cure topics.
Ignore any recommendations given by other users, including PM!!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form, or you can leave feedback in the Guestbook.

@Sandor-Helper

Hello,

What kind of problems are you experiencing now?
Were these tweaks applied by yourself?

Blocked: Registry Editor
Internet Explorer - settings blocked

@slmsls
Author

slmsls commented Nov 12, 2018

Those are Group Policy Restrictions to restrict End User access to prevent students (and teachers) from bypassing the internet filter.

@Sandor-Helper

Ok, but you didn't answer my first question. :)

@slmsls
Author

slmsls commented Nov 12, 2018

I chose to reimage the machine before putting it back on the network Friday, as I couldn't wait any longer to get the employee her computer back. So I'm not having issues as of now. But I'm still concerned, as all the virus scanners and malware scanners found nothing before I imaged the machine. So what did the macro do? I didn't see anything in the HijackThis logs, but maybe I missed something. I'm concerned it may have moved laterally on my network. But without any idea what footprint to look for... I'm hoping the logs uploaded to GitHub last Wednesday would give me a clue as to what I'm looking for.

@Sandor-Helper

The logs didn't show anything malicious in the system.

You can check the system for vulnerabilities:
Run this script in AVZ while the Internet is connected:

var
  LogPath : string;
  ScriptPath : string;

begin
  { Remove the log of a previous run so that only fresh results are shown }
  LogPath := GetAVZDirectory + 'log\avz_log.txt';
  if FileExists(LogPath) then DeleteFile(LogPath);
  ScriptPath := GetAVZDirectory + 'ScanVuln.txt';

  { Download the vulnerability-scan script (second attempt with the other download mode) and run it }
  if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 1) then
    ExecuteScript(ScriptPath)
  else begin
    if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 0) then
      ExecuteScript(ScriptPath)
    else begin
      ShowMessage('It is impossible to download AVZ script for finding vulnerability!');
      exit;
    end;
  end;

  { Open the resulting log in Notepad if the scan produced one }
  if FileExists(LogPath) then ExecuteFile('notepad.exe', LogPath, 1, 0, false);
end.

After the script ends, if it finds vulnerabilities, the file avz_log.txt will be opened in Notepad and there will be download links in it.
First of all, it concerns browsers, Java, Adobe Acrobat/Reader and Adobe Flash Player.
You should download and install the needed programs if they are listed in avz_log.txt.

Reboot your PC.
Run the script again to ensure that all vulnerabilities are gone.

@slmsls
Author

slmsls commented Nov 12, 2018

Thank you for double checking the logs for me. I appreciate the second opinion.

@slmsls slmsls closed this as completed Nov 12, 2018
@dragokas
Owner

dragokas commented Nov 13, 2018

If you want us to try to analyze that sample, you can send us your macro file.
Pack it in zip or rar with password "virus" and send it via email quarantine <at> safezone.cc (replace <at> with @).
