MALICIOUS (Risk Score: 116)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon opening or closing the document. The document body presents a form, suggesting a social engineering lure to collect user data. The presence of a VBA macro-virus replication heuristic indicates the macro is designed to spread or tamper with AV.

Heuristics (5)

- VBA macros detected (medium, 3 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical), OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _`
- AutoOpen macro (low), OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low), OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic auto-exec macro marker (medium), OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5145 bytes |

SHA-256: 5fea539d357873bbe44e92be163b08e91114f147992e0a3e38fcff315a1110d1

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1PPO.Stellys_Macros"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Pasting"
Attribute VB_Base = "0{038408F6-97F3-43FA-BD7D-8DC71AE3C249}{63263884-9956-4372-920E-4E73E2880E28}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub OK_Click()
    Pasting.Hide
End Sub

Attribute VB_Name = "Stelly_Module"
Sub Copy_for_CrimInt()
'
' Copy Macro
' Macro written 03/05/2005 by Stelly
'
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.Unprotect
        Selection.WholeStory
        Selection.Copy
        ActiveDocument.Protect _
            Type:=wdAllowOnlyFormFields, NoReset:=True
    Else
        Selection.WholeStory
        Selection.Copy
    End If
    Pasting.Show
End Sub
Sub Field_Update()
'
' Field_Update Macro
' Macro written 03/05/2005 by Stelly
'
    If ActiveDocument.Fields.Update = 0 Then
        MsgBox "Calculation Successful"
    Else
        MsgBox "Field " & ActiveDocument.Fields.Update & _
            " has an error"
    End If
End Sub
Sub Unlock_Lock()
'
' Unlock_Lock Macro
' Macro written 03/05/2005 by Stelly
'
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.CommandBars("PPO Referral Form Toolbar").Controls(5).State = Office.msoButtonUp
        ActiveDocument.Unprotect
        MsgBox "You have unlocked the document. Ensure you Lock it before making any changes to the data to ensure Calculations work properly."
    Else
        ActiveDocument.Protect _
            Type:=wdAllowOnlyFormFields, NoReset:=True
        ActiveDocument.CommandBars("PPO Referral Form Toolbar").Controls(5).State = Office.msoButtonDown
    End If
End Sub
Sub Copy_Macros()
'
' Copy_Macro Macro
' Macro written 17/08/2005 by Stelly
'
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.Unprotect
    End If
    Set currentTemplate = ActiveDocument.AttachedTemplate
    If currentTemplate = ActiveDocument Then
        MsgBox "Template Edit Mode"
    Else
        Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
            & currentTemplate.Name, Destination:=ActiveDocument, Name:="Pasting", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
            & currentTemplate.Name, Destination:=ActiveDocument, Name:="Stelly_Module", Object:=wdOrganizerObjectProjectItems
        Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
            & currentTemplate.Name, Destination:=ActiveDocument, Name:="PPO Referral Form Toolbar", Object:=wdOrganizerObjectCommandBars
    End If
    ActiveDocument.Protect _
        Type:=wdAllowOnlyFormFields, NoReset:=True
    Set currentTemplate = Nothing
End Sub
Sub Toolbar_Menu_Creation()
'
' Toolbar_Menu_Creation Macro
' Macro written 17/08/2005 by Stelly
'
    foundFlag = False
    For Each cb In CommandBars
        If cb.Name = "PPO Referral Form Toolbar" Then
            cb.Visible = True
            foundFlag = True
        End If
    Next cb
    If Not foundFlag Then
        Dim customBar As CommandBar
        Dim newButton As CommandBarButton
        Set customBar = CommandBars.Add(Name:="PPO Referral Form Toolbar", Position:=msoBarFloating)
        Set newButton = customBar.Controls _
            .Add(msoControlButton, CommandBars("File") _
            .Controls("Save").ID)
        Set newButton = customBar.Controls _
            .Add(msoControlButton, CommandBars("File") _
            .Controls("Print...").ID)
        Set newButton = customBar.Controls _
            .Add(msoControlButton)
        Set newButton = customBar.Controls _
            .Add(msoControlButton)
        Set newButton = customBar.Controls _
            .Add(msoControlButton)
        customBar.Controls(1).Style = msoButtonIconAndCaption
        customBar.Controls(2).Style = msoButtonIconAndCaption
        customBar.Controls(3).Caption = "Calculate Scores"
        customBar.Controls(3).FaceId = 0
        customBar.Controls(3).OnAction = "Field_Update"
        customBar.Controls(3).Style = msoButtonIconAndCaption
        customBar.Controls(4).Caption = "Copy to Clipboard for CrimInt"
        customBar.Controls(4).FaceId = 0
        customBar.Controls(4).OnAction = "Copy_for_CrimInt"
        customBar.Controls(4).Style = msoButtonIconAndCaption
        customBar.Controls(5).Caption = "Lock/Unlock"
        customBar.Controls(5).FaceId = 0
        customBar.Controls(5).OnAction = "Unlock_Lock"
        customBar.Controls(5).Style = msoButtonIcon
        customBar.Controls(5).State = msoButtonMixed
        customBar.Visible = True
    End If
End Sub
Sub AutoOpen()
    'Application.Run MacroName:="Toolbar_Menu_Creation"
End Sub
Sub AutoNew()
    'Application.Run MacroName:="Toolbar_Menu_Creation"
    Application.Run MacroName:="Copy_Macros"
End Sub
Sub AutoClose()
    'Application.Run MacroName:="Copy_Macros"
End Sub
```